The Cybersecurity and Infrastructure Security Agency (CISA) is requiring all Federal civilian agencies to disconnect or turn off any SolarWinds Orion products by noon today, as a nation-state compromise of the tools poses a significant cybersecurity threat and is linked to breaches at the Treasury and Commerce Departments.
CISA’s emergency directive, issued just before midnight on December 14, requires agencies to check for any indicators of compromise, to block all traffic to and from external hosts on which any version of the Orion software has been installed, and to treat all hosts monitored by the Orion monitoring software as compromised, assuming that further persistence mechanisms are in place. The directive also instructs agencies not to upgrade their version of the Orion software until approved by CISA.
“The compromise of SolarWinds’ Orion Network Management Products poses unacceptable risks to the security of federal networks,” said Brandon Wales, acting director at CISA. “Tonight’s directive is intended to mitigate potential compromises within federal civilian networks, and we urge all our partners – in the public and private sectors – to assess their exposure to this compromise and to secure their networks against any exploitation.”
The compromise of SolarWinds Orion products, first reported by Reuters and confirmed by a company statement, demonstrates the potential of a nation-state actor to use the software supply chain to cause major damage to companies and agencies. The compromise is tied to breaches at the Department of Commerce and the Department of the Treasury, which were also first reported by Reuters and confirmed by the agencies.
“We are aware of a potential vulnerability which if present is currently believed to be related to updates which were released between March and June 2020 to our Orion monitoring products. We believe that this vulnerability is the result of a highly-sophisticated, targeted, and manual supply chain attack by a nation state. We are acting in close coordination with FireEye, the Federal Bureau of Investigation, the intelligence community, and other law enforcement to investigate these matters,” the company said in its statement.
SolarWinds boasts a user base that includes multiple cities, prestigious universities, all branches of the military, the intelligence community, the Department of Justice (DoJ), and the State Department, to name a few. The breach comes on the heels of cybersecurity firm FireEye suffering a nation-state sponsored cyberattack on its internal systems, which Reuters’ sources tied to the SolarWinds compromise.
The early reaction from the cybersecurity community suggested that, while breaches like those at Commerce and Treasury are not the norm, those two departments are likely not the only agencies affected.
“If you’re a SolarWinds customer & use the below product, assume compromise and immediately activate your incident response team. Odds are you’re not affected, as this may be a resource intensive hack,” said Christopher Krebs, former director of CISA. Krebs also shared his confidence in CISA and his suspicion that the cyberattack “has been underway for many months.”