America’s cybersecurity agency urged all federal civilian agencies to review their networks for indicators of compromise after SolarWinds’ Orion network management software was compromised and remains under active exploitation.
“The compromise of SolarWinds’s Orion network management products poses unacceptable risks to the security of federal networks,” Brandon Wales, the agency’s acting director, said in a statement.
“Tonight’s directive is intended to mitigate potential compromises within federal civilian networks, and we urge all our partners—in the public and private sectors—to assess their exposure to this compromise and to secure their networks against any exploitation.”
Federal agencies are required by law to comply with such directives.
The emergency action was triggered because CISA determined that the exploitation posed an unacceptable risk to federal agencies, based on the current exploitation of affected products and their widespread use to monitor traffic on major federal network systems, the high potential for compromise of agency information systems, and the “grave impact” of a successful compromise.
The only known mitigation, according to CISA, is to disconnect the affected devices.
According to SolarWinds, more than 300,000 customers around the world, including the office of the president of the United States, the Pentagon, and NASA, use its products and services.
SolarWinds is working to provide updated software patches, CISA said. SolarWinds said a patch would be available on Dec. 15.
“We have been advised this attack was likely conducted by an outside nation state and intended to be a narrow, extremely targeted, and manually executed attack, as opposed to a broad, system-wide attack,” SolarWinds said.
Users were told to upgrade their Orion software while waiting for the patch. According to the company, the primary mitigation steps include installing the software behind firewalls, disabling internet access for the platform, and limiting the ports and connections to only what is necessary.
The White House’s National Security Council said it was aware of the reports.
Last week, FireEye, a U.S. cybersecurity firm, announced that it was breached by what it described as “a highly sophisticated threat actor, one whose discipline, operational security, and techniques lead us to believe it was a state-sponsored attack.”
Malware is malicious software that bad actors use to gain access to systems.
According to FireEye, the actors behind the new campaign have gained access to numerous public and private organizations around the world, including government, consulting, and technology entities in North America, Europe, and Asia. The campaign may have begun as early as spring of this year.
“Post-compromise activity following this supply chain compromise has included lateral movement and data theft. The campaign is the work of a highly skilled actor and the operation was conducted with significant operational security,” FireEye said.