CISA ISSUES EMERGENCY DIRECTIVE TO MITIGATE THE COMPROMISE OF SOLARWINDS ORION NETWORK MANAGEMENT PRODUCTS [UPDATED]

Cybersecurity & Infrastructure Security Agency | Original release date: December 13, 2020

The Cybersecurity and Infrastructure Security Agency (CISA) tonight issued Emergency Directive 21-01, in response to a known compromise of SolarWinds Orion products that are currently being exploited by malicious actors. This Emergency Directive calls on all federal civilian agencies to review their networks for indicators of compromise and disconnect or power down SolarWinds Orion products immediately.

 “The compromise of SolarWinds’ Orion Network Management Products poses unacceptable risks to the security of federal networks,” said CISA Acting Director Brandon Wales. “Tonight’s directive is intended to mitigate potential compromises within Federal civilian networks, and we urge all our partners—in the public and private sectors—to assess their exposure to this compromise and to secure their networks against any exploitation.”

 This is the fifth Emergency Directive issued by CISA under the authorities granted by Congress in the Cybersecurity Act of 2015. All agencies operating SolarWinds products should provide a completion report to CISA by 12pm Eastern Standard Time on Monday December 14, 2020.  

###

U.S. Government Agencies Hit by Suspected Russian Hackers

By Alyza SebeniusKartikay Mehrotra, and Michael Riley | Bloomberg | Dec. 13, 2020 (Updated Dec. 14)

U.S. government agencies were hit by a “global intrusion campaign” of cyber-attacks that exploited a flaw in the update of a software company, cyber-security firm FireEye said, which the Washington Post reported was a breach by Russian government hackers.

The attack was made on systems within the U.S. Treasury and Commerce departments and those of other government agencies in a breach that started months ago, the newspaper reported. They included snooping on emails at the Treasury Department and an arm of the Commerce Department, Reuters reported.

“We have identified a global campaign that introduces a compromise into the networks of public and private organizations through the software supply chain,” FireEye said in a blog post late Sunday, without naming a specific group for the breach. “This compromise is delivered through updates to a widely-used IT infrastructure management software — the Orion network monitoring product from SolarWinds.”

The series of attacks could rank it among the worst in recent memory, as Austin, Texas-based SolarWinds Corp. sells technology products to a Who’s Who list of of sensitive targets. These include the State Department, the Centers for Disease Control and Prevention, the Naval Information Warfare Systems Command, the FBI, all five branches of the U.S. military, and 425 corporations out of the Fortune 500, according to the company’s website and government data.

“The United States government is aware of these reports and we are taking all necessary steps to identify and remedy any possible issues related to this situation,” John Ullyot, a spokesman for the National Security Council, said in a statement.

All federal civilian agencies were ordered by the U.S. Cybersecurity and Infrastructure Security Agency to review their networks and disconnect or powerdown SolarWinds Orion products immediately. The emergency directive late Sunday also asked for an assessment from these agencies by noon eastern time on Monday.

“The compromise of SolarWinds’ Orion Network Management Products poses unacceptable risks to the security of federal networks,” Acting Director Brandon Wales said in a statement. “Tonight’s directive is intended to mitigate potential compromises within federal civilian networks, and we urge all our partners — in the public and private sectors — to assess their exposure to this compromise and to secure their networks against any exploitation.”

According to FireEye, the hackers hit organizations across the globe — in North America, Europe, Asia and in the Middle East — and in multiple sectors including government, technology, consulting telecommunications, as well as oil and gas. The company believes that this list will grow.

‘Top-Tier Tradecraft’

“The campaign demonstrates top-tier operational tradecraft and resourcing consistent with state-sponsored threat actors,” FireEye said in the blog. “Based on our analysis, we have now identified multiple organizations where we see indications of compromise dating back to the Spring of 2020.”

All this suggests that as the U.S. government was focused over the last several months on detecting and countering possible Russian interference in the U.S. presidential election — an effort that was largely viewed as successful — suspected Russian hackers were quietly working their way into the computer networks of American government agencies and sensitive corporate victims undetected.

“If it is cyber espionage, it is one of the most effective cyber espionage operations we’ve seen in quite some time,” said John Hultquist, a senior director at FireEye.

SolarWinds issued a statement appearing to confirm that the software update system for one of its products had been used to send malware to customers.

“We are aware of a potential vulnerability which if present is currently believed to be related to updates which were released between March and June 2020 to our Orion monitoring products. We believe that this vulnerability is the result of a highly-sophisticated, targeted and manual supply chain attack by a nation state,” SolarWinds President and Chief Executive Officer Kevin Thompson said in the statement Sunday evening.

‘Appropriately’ Engaged

Thompson said his company was working with the FBI as well as others on the investigation. The FBI said it’s “appropriately engaged,” declining further comment.

Two people briefed on the probe said that because just about any SolarWinds customer which used the product got the manipulated software, the number of victims could eventually reach into the thousands. The hackers appear to have concentrated on the most attractive and sensitive targets first, so that the harm suffered by various victims may vary widely, according to the people, who asked not to be identified because the information isn’t public.

FireEye told clients on Sunday that it was aware of at least 25 entities hit by the attack, according to people briefed by the company.

The quickly broadening investigation broke into public view on Dec. 8 when FireEye announced that it had been breached in a highly sophisticated attack that it attributed to hackers backed by U.S. adversaries. FireEye uncovered the hack in the course of investigating the breach.

First Victim

As investigators followed the attackers’ digital tracks, it now appears that FireEye may have simply been the first victim to detect the attack. U.S. government investigators are now racing to determine which agencies may have also been breached and to what extent the hackers accessed sensitive information — a process that could take days or weeks.

FireEye said last week the attackers took extreme care not to be detected, and in its case had managed to steal tools the security firm uses to test the security of its clients networks. FireEye also said the hackers sought information related to government customers but didn’t appear to steal customer data.

A Commerce Department spokesperson confirmed there was a breach “in one of our bureaus,” which Reuters identified as the National Telecommunications and Information Administration. The attacks were so concerning that the National Security Council met at the White House Saturday, Reuters reported. The Treasury Department didn’t respond to requests for comment.

The Washington Post reported that the Russian hacking group known as Cozy Bear, or APT 29, was behind the campaign. That is the same hacking group that was behind the cyber-attacks on the Democratic National Committee going back to 2015. It was also accused by U.S. and U.K. authorities in July of infiltrating organizations involved in developing a Covid-19 vaccine.

The last time the U.S. government was caught so thoroughly by surprise may have been five years ago, when Chinese hackers stole information related to anyone who had applied for or received a national security clearance from the computers of the Office of Personnel Management.

That investigation lasted for months, cost some U.S. officials their jobs, and resulted in an massive and expensive push to increase the security of unclassified U.S. government computer networks.

This attack — and the next several weeks — will tell to what extent those measures were successful.

— With assistance by William Turton

Tags

America's Civil War Rising

America's Civil War Rising (ACWR) is a grassroots educational and public benefits organization. All views and opinions expressed by third-party contributors and authors that are posted and contained on our website herein are solely their own and do not necessarily represent the views and opinions of ACWR, its founding members, volunteers, and/or supporters. ACWR strives to ensure the accuracy and credibility of all news and information but makes no claim as to the veracity or accuracy of any of the views or opinions expressed by third-party authors herein.

Donate with PayPalSupport Our Vital Work

Sign Up for Daily Email Notifications of Our Posts

Email Address *

Legal Policies

Eyes on Terror

ORDER OUR BOOKS

By Nancy Hartevelt KobrinLOOK INSIDE
By Nancy Hartevelt KobrinLOOK INSIDE
By Nancy Hartevelt KobrinLOOK INSIDE
By Nancy Hartevelt KobrinLOOK INSIDE
Nancy Hartevelt KobrinLOOK INSIDE
READ OUR BOOK REVIEWSAND ORDER YOUR COPIES NOW!

Authors

Recommended Sites