US Cybersecurity Agency Issues Emergency Directive Over SolarWinds Hack

A hooded man holds a laptop computer as cyber code is projected on him in this illustration picture taken on May 13, 2017. (Kacper Pempel/Reuters)
Zachary Stieber
12/14/2020 (Updated: 12/14/2020)

America’s cybersecurity agency urged all federal civilian agencies to review their networks for indicators of compromise after SolarWinds products were found to have been compromised, a compromise that remains under active exploitation.

The emergency directive was issued late Dec. 13 in response to a known compromise of SolarWinds’s Orion products, which are currently being exploited by malicious actors, the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA) stated.

“The compromise of SolarWinds’s Orion network management products poses unacceptable risks to the security of federal networks,” Brandon Wales, the agency’s acting director, said in a statement.

“Tonight’s directive is intended to mitigate potential compromises within federal civilian networks, and we urge all our partners—in the public and private sectors—to assess their exposure to this compromise and to secure their networks against any exploitation.”

Under federal law, federal agencies are required to comply with such directives.

The emergency action was triggered because CISA determined that the exploitation posed an unacceptable risk to federal agencies. That determination was based on the current exploitation of the affected products, their widespread use to monitor traffic on major federal network systems, the high potential for compromise of agency information systems, and the “grave impact” of a successful compromise.

The only known solution is to disconnect the affected devices, according to CISA.

According to SolarWinds, more than 300,000 customers around the world, including the office of the president of the United States, the Pentagon, and NASA, use its products and services.

SolarWinds is working to provide updated software patches, CISA said. SolarWinds said a patch would be available on Dec. 15.

The company said in an advisory that it had just been made aware that its systems had experienced a highly sophisticated attack.

“We have been advised this attack was likely conducted by an outside nation state and intended to be a narrow, extremely targeted, and manually executed attack, as opposed to a broad, system-wide attack,” SolarWinds said.

Users were told to upgrade their Orion software while waiting for the patch. According to the company, the primary mitigation steps include installing the software behind firewalls, disabling internet access for the platform, and limiting the ports and connections to only what is necessary.

The U.S. Treasury Department building viewed from the Washington Monument in Washington on Sept. 18, 2019. (Patrick Semansky/AP Photo)
The Commerce Department confirmed to The Epoch Times on Dec. 13 that it had been hacked, while the Treasury Department was also reportedly breached.

The White House’s National Security Council said it was aware of the reports.

Last week, FireEye, a U.S. cybersecurity firm, announced that it was breached by what it described as “a highly sophisticated threat actor, one whose discipline, operational security, and techniques lead us to believe it was a state-sponsored attack.”

The firm said Dec. 13 that it had discovered a “global intrusion campaign,” that is, an attack that used SolarWinds Orion software updates to distribute malware the firm named SUNBURST.

Malware is malicious software that attackers use to gain access to systems.

According to FireEye, the actors behind the new campaign have gained access to numerous public and private organizations around the world, including government, consulting, and technology entities in North America, Europe, and Asia. The campaign may have begun as early as spring of this year.

“Post compromise activity following this supply chain compromise has included lateral movement and data theft. The campaign is the work of a highly skilled actor and the operation was conducted with significant operational security,” FireEye said.