The US Cybersecurity and Infrastructure Security Agency (CISA) on Sunday night issued Emergency Directive 21-01, in response to a known compromise involving SolarWinds Orion products that are currently being exploited by malicious actors. The Emergency Directive has called on all federal civilian agencies to review their networks for indicators of compromise and disconnect or power down SolarWinds Orion products immediately.
The SolarWinds’ Orion platform software is used by almost all Fortune 500 companies and multiple federal agencies to gain entry to secure IT systems, according to a Financial Times report. The US Department of Homeland Security’s cybersecurity arm ordered all federal agencies to disconnect from the platform, which is used by IT departments to monitor and manage their networks and systems, said the report.
Blackstone-backed FireEye first had uncovered a widespread campaign just days before, tracking it as UNC2452. According to Fire Eye, the actors behind the campaign gained access to numerous public and private organizations around the world.
Just days after the attack was detected by FireEye, on December 11, FireEye announced that it had received a $400 million strategic investment led by funds managed by Blackstone Tactical Opportunities. Blackstone was joined by ClearSky, a cyber security-focused investment firm, as a co-investor in the transaction.
“Based on my 25 years in cybersecurity and responding to incidents, I’ve concluded we are witnessing an attack by a nation with top-tier offensive capabilities,” wrote Kevin Mandia, Fire Eye CEO.
“This attack is different from the tens of thousands of incidents we have responded to throughout the years. The attackers tailored their world-class capabilities specifically to target and attack FireEye. They are highly trained in operational security and executed with discipline and focus. They operated clandestinely, using methods that counter security tools and forensic examination. They used a novel combination of techniques not witnessed by us or our partners in the past,” said Mandia.
- FireEye discovered a supply chain attack trojanizing SolarWinds Orion business software updates in order to distribute malware we call SUNBURST.
- The attacker’s post-compromise activity leverages multiple techniques to evade detection and obscure their activity, but these efforts also offer some opportunities for detection.
- The campaign is widespread, affecting public and private organizations around the world.
- FireEye is releasing signatures to detect this threat actor and supply chain attack in the wild. These are found on our public GitHub page. FireEye products and services can help customers detect and block this attack.
According to Fire Eye, the actors “gained access to victims via trojanized updates to SolarWind’s Orion IT monitoring and management software. This campaign may have begun as early as Spring 2020 and is currently ongoing. Post compromise activity following this supply chain compromise has included lateral movement and data theft. The campaign is the work of a highly-skilled actor and the operation was conducted with significant operational security.”
“The compromise of SolarWinds’ Orion Network Management Products poses unacceptable risks to the security of federal networks,” said CISA Acting Director Brandon Wales.
“The directive is intended to mitigate potential compromises within federal civilian networks, and we urge all our partners—in the public and private sectors—to assess their exposure to this compromise and to secure their networks against any exploitation.”
This is the fifth Emergency Directive issued by CISA under the authorities granted by Congress in the Cybersecurity Act of 2015. All agencies operating SolarWinds products were asked to provide a completion report to CISA by 12pm Eastern Standard Time on Monday December 14, 2020.
UK impact yet unknown
In the UK, an NCSC Spokesperson said, “The NCSC is working closely with FireEye and international partners on this incident. Investigations are ongoing, and we are working extensively with partners and stakeholders to assess any UK impact.
“The NCSC recommends that organisations read FireEye’s update on their investigation and follow the company’s suggested security mitigations.”
SolarWinds has retained third-party cybersecurity experts to assist in an investigation of these matters, including whether a vulnerability in the Orion monitoring products was exploited as a point of any infiltration of any customer systems, and in the development of appropriate mitigation and remediation plans.
SolarWinds is cooperating with the Federal Bureau of Investigation, the U.S. intelligence community, and other government agencies in investigations related to this incident.
Based on its investigation to date, SolarWinds has evidence that the vulnerability was inserted within the Orion products and existed in updates released between March and June 2020 and introduced as a result of a compromise of the Orion software build system and was not present in the source code repository of the Orion products.
SolarWinds is not currently aware that this vulnerability exists in any of its other products.
It has been recommended that organisations ensure any instances of SolarWinds Orion are configured according to the company’s latest guidance and have these instances installed behind firewalls, disabling internet access for the instances, and limiting the ports and connections to only what are critically necessary.
FireEye has published a blog updating on its investigation and recommends that organisations read the blog and follow the suggested mitigations where relevant.
Microsoft has also published a new blog on this attack outlining the steps that government and the private sector can take to protect themselves from this kind of cyber attack.