CISA ISSUES EMERGENCY DIRECTIVE TO MITIGATE THE COMPROMISE OF SOLARWINDS ORION NETWORK MANAGEMENT PRODUCTS
“The hack is so serious it led to a National Security Council meeting at the White House on Saturday,” said one of the people familiar with the matter. (Reuters)
Hackers believed to be operating on behalf of a foreign government have breached software provider SolarWinds and then deployed a malware-laced update for its Orion software to infect the networks of multiple US companies and government networks, US security firm FireEye said today. (Interestingly, I received notification from a cyber security expert in Europe last week that FireEye itself had been hacked. This, to quote Joe Biden, is a “Big Fecking Deal.” See their statement below.*)
SolarWinds Inc. is an American company that develops software for businesses to help manage their networks, systems, and information technology infrastructure. SolarWinds is headquartered in Austin, Texas, with sales and product development offices in a number of locations in the United States and several other countries around the world.
A suspected Russia-led cyberattack that reportedly breached several U.S. government agencies was seemingly conducted by abusing software from Texas-based company SolarWinds. Hackers breached multiple federal agencies, including the Treasury Department and the Commerce Department’s National Telecommunications and Information Administration
FROM CISA: Original release date: December 13, 2020 | Last revised: December 14, 2020
WASHINGTON – The Cybersecurity and Infrastructure Security Agency (CISA) tonight issued Emergency Directive 21-01, in response to a known compromise involving SolarWinds Orion products that are currently being exploited by malicious actors. This Emergency Directive calls on all federal civilian agencies to review their networks for indicators of compromise and disconnect or power down SolarWinds Orion products immediately.
“The compromise of SolarWinds’ Orion Network Management Products poses unacceptable risks to the security of federal networks,” said CISA Acting Director Brandon Wales. “Tonight’s directive is intended to mitigate potential compromises within federal civilian networks, and we urge all our partners—in the public and private sectors—to assess their exposure to this compromise and to secure their networks against any exploitation.”
This is the fifth Emergency Directive issued by CISA under the authorities granted by Congress in the Cybersecurity Act of 2015. ~Ends
USG federal agencies and an untold number of SolarWinds clients have been compromised via a malicious SolarWinds software update, for as long as six months.
A suspected Russia-led cyberattack that reportedly breached several U.S. government agencies seemingly exploited software from Texas-based software company SolarWinds, with malware pushed via booby-trapped updates.
A probe into the purported “nation state” hack is ongoing, spearheaded by the FBI and the Cybersecurity and Infrastructure Security Agency (CISA), after Reuters reported on Sunday that the U.S. Treasury and Commerce departments were believed to have been impacted, and that the culprits had the ability to monitor internal emails.
The IT monitoring software targeted—called Orion—is used by “hundreds of thousands of organizations globally,” The Associated Press (AP) reported on Sunday. SolarWinds says on its website its products are currently used by more than 300,000 customers spanning sectors including military, government, business and education.
SolarWinds says it serves more than 425 firms on the Fortune 500, every one of the top-10 U.S. telecommunications companies and all branches of the U.S. military.
According to its website, U.S. clients include the Pentagon, State Department, NASA, NOAA, National Security Agency (NSA), Postal Service, Department of Justice and the Office of the President of the United States. In addition, it lists all of the top five U.S. accounting firms and “hundreds” of universities and colleges across the world.
*FROM FIREEYE: In our announcement on Dec. 8, we stated we would provide updates as we discovered additional information, in order to ensure that the broader community is aware of the evolving threats we all face. As part of that commitment, we want to provide you with the following update on our investigation.
We have identified a global campaign that introduces a compromise into the networks of public and private organizations through the software supply chain. This compromise is delivered through updates to a widely-used IT infrastructure management software—the Orion network monitoring product from SolarWinds. The campaign demonstrates top-tier operational tradecraft and resourcing consistent with state-sponsored threat actors.
Based on our analysis, the attacks that we believe have been conducted as part of this campaign share certain common elements:
- Use of malicious SolarWinds update: Inserting malicious code into legitimate software updates for the Orion software that allows an attacker remote access into the victim’s environment
- Light malware footprint: Using limited malware to accomplish the mission while avoiding detection
- Prioritization of stealth: Going to significant lengths to observe and blend into normal network activity
- High OPSEC: Patiently conducting reconnaissance, consistently covering their tracks, and using difficult-to-attribute tools
Based on our analysis, we have now identified multiple organizations where we see indications of compromise dating back to the Spring of 2020, and we are in the process of notifying those organizations. Our analysis indicates that these compromises are not self-propagating; each of the attacks requires meticulous planning and manual interaction. Our ongoing investigation uncovered this campaign, and we are sharing this information consistent with our standard practice.
We have been in close coordination with SolarWinds, the Federal Bureau of Investigation, and other key partners. We believe it is critical to notify all our customers and the security community about this threat so organizations can take appropriate steps. As this activity is the subject of an ongoing FBI investigation, there are also limits to the information we are able to share at this time.
We have already updated our products to detect the known altered SolarWinds binaries. We are also scanning for any traces of activity by this actor and reaching out to both customers and non-customers if we see potential indicators.
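The CISA directive tells agencies to review their networks for indicators of compromise, and FireEye notes that its products now detect the known altered binaries. The following is an added example, not code from CISA, FireEye or SolarWinds, of the two complementary checks a defender would run on an installed product tree: a blocklist of hashes for known-altered files (the indicator-based check) and a comparison against a known-good manifest obtained from the vendor out of band (which also catches alterations no indicator list knows about yet). Every file name, file content and hash in it is constructed for the demo; the manifest and indicator list are assumed inputs, and real values come only from the vendor or a CISA advisory.

```python
"""Integrity review of an installed software tree against hash lists.

Added example (not from CISA, FireEye or SolarWinds). All paths, bytes and
digests below are constructed for the demo; a real run takes the vendor's
known-good manifest and the advisory's list of altered-binary hashes.
"""
import hashlib
import tempfile
from pathlib import Path


def sha256_file(path: Path) -> str:
    """Stream a file through SHA-256 so large binaries do not load into memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as handle:
        for chunk in iter(lambda: handle.read(1 << 20), b""):
            digest.update(chunk)
    return digest.hexdigest()


def scan_tree(root, expected: dict, known_bad: set) -> dict:
    """Classify every file under root.

    expected  : relative path -> known-good sha256 (assumed vendor manifest)
    known_bad : set of sha256 hex digests of altered binaries (assumed IoC list)
    Returns lists keyed 'known_bad', 'modified', 'unexpected', 'ok', 'missing'.
    A known-bad hash wins over the manifest comparison, because it names the
    file precisely; a manifest mismatch is still flagged when no indicator
    matches, which is what catches an alteration the IoC list does not cover.
    """
    report = {"known_bad": [], "modified": [], "unexpected": [], "ok": []}
    root = Path(root)
    seen = set()
    for path in root.rglob("*"):
        if not path.is_file():
            continue
        rel = path.relative_to(root).as_posix()
        seen.add(rel)
        digest = sha256_file(path)
        if digest in known_bad:
            report["known_bad"].append(rel)
        elif rel in expected and expected[rel] != digest:
            report["modified"].append(rel)
        elif rel not in expected:
            report["unexpected"].append(rel)
        else:
            report["ok"].append(rel)
    # Files the manifest lists but the install lacks are worth a look too.
    report["missing"] = sorted(set(expected) - seen)
    return report


def demo() -> dict:
    """Build a constructed install tree with one of each finding and scan it."""
    good_dll = b"constructed: legitimate core library bytes"
    bad_dll = good_dll + b" + constructed: injected backdoor bytes"
    expected = {
        "Orion/Core.dll": hashlib.sha256(good_dll).hexdigest(),
        "Orion/Config.xml": hashlib.sha256(b"<config/>").hexdigest(),
    }
    known_bad = {hashlib.sha256(bad_dll).hexdigest()}  # constructed indicator
    with tempfile.TemporaryDirectory() as tmp:
        base = Path(tmp) / "Orion"
        base.mkdir()
        (base / "Core.dll").write_bytes(bad_dll)                 # matches IoC list
        (base / "Config.xml").write_bytes(b"<config>edited</config>")  # differs from manifest
        (base / "Helper.dll").write_bytes(b"constructed: unlisted file")  # not in manifest
        return scan_tree(tmp, expected, known_bad)


if __name__ == "__main__":
    for category, files in demo().items():
        print(f"{category:10s} {files}")
```

Hash blocklists only find the samples already known to analysts, so the manifest comparison is the half that gives coverage against a new build of the same implant; it is only as trustworthy as the channel the manifest arrived through, which is why it must not be fetched through the same update mechanism that delivered the suspect software.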