SolarWinds, the company behind the widely used Orion network-management software, was recently the victim of a long-term cyber campaign by a likely nation-state actor. The incident could have far-reaching cybersecurity implications for both the U.S. federal government and the private sector. The National Security Council created a Cyber Unified Coordination Group (UCG) to manage the federal government response, and key federal government stakeholders involved in the group have already released resources highlighting the response and suggested remediation. In order to keep OSAC members up-to-date on this rapidly evolving situation, this guide will share relevant resources provided by public and private entities that security managers may find useful as they determine the impact to their own systems and work to bolster their organization’s cybersecurity.
On December 13, cybersecurity firm FireEye released a blog post detailing the discovery and technical details of a global intrusion campaign involving SolarWinds Orion business software. FireEye detailed the supply chain intrusion, which trojanized SolarWinds Orion business software updates in order to distribute malware (referred to as “Sunburst”) and give the attackers an opportunity to establish a remote-access backdoor into the networks of companies employing the Orion software. The post notes that the intrusion began as early as Spring 2020 and is ongoing. It also provided a number of technical details useful in detecting and blocking the threat activity.
In a separate blog post on December 13, FireEye CEO Kevin Mandia detailed the supply chain intrusion and its linkage to FireEye’s ongoing investigation regarding a cyber-intrusion, likely by a nation-state actor, which resulted in the theft of hundreds of the company’s offensive “red teaming” tools. The post described the threat actors as prioritizing stealth and operational security by blending into network traffic and using tools that were difficult to attribute. It also noted that this particular strain of malware is not self-propagating, and that each of the follow-on exploitation efforts required “meticulous planning and manual interaction.”
On December 13, similar to FireEye, Microsoft also issued guidance on the SolarWinds Orion vulnerability and information regarding the threat actor behind the intrusions. This information was supplemented with a more technically focused blog post from Microsoft’s Security Response Center that provided technical details for the cyber campaign and associated malware.
On December 13, SolarWinds issued a security advisory detailing the Orion vulnerability referred to as Sunburst. It details the organization’s continued coordination with the U.S. Government, namely the Department of Homeland Security’s (DHS) Cybersecurity and Infrastructure Security Agency (CISA), and provides recommended “hotfixes.” Hotfixes are pieces of code developed and shared with customers to fix a software issue quickly. SolarWinds is updating the advisory as new information and/or remediation recommendations become available.
On December 13, CISA issued an Emergency Directive requiring all federal civilian agencies to review their networks for indicators of compromise associated with the incident, and to disconnect or power down SolarWinds Orion products immediately. The alert noted that malicious actors are exploiting SolarWinds Orion products (versions 2019.4 through 2020.2.1 HF1), thereby permitting threat actors to gain access to network traffic management systems. CISA noted that the exploitation of SolarWinds products posed an unacceptable risk to federal civilian Executive Branch agencies, which required emergency action. This was only the fifth Emergency Directive CISA has issued under the authorities granted by Congress in the Cybersecurity Act of 2015.
On December 14, an SEC filing submitted by SolarWinds detailed the scope of the Orion monitoring product intrusion as it was understood at the time. The filing notes that SolarWinds has over 300,000 customers across the public and private sectors, 33,000 of which it may have exposed to this vulnerability. However, it cited the actual number of exposed customers as being less than 18,000. This is because the malware that can lead to the installation of the backdoor was included in Orion product updates released between March and June, but not every customer installed them.
On December 15, the NSC announced the establishment of a Cyber Unified Coordination Group (UCG) to ensure a continued unity of effort across the U.S. Government. Presidential Policy Directive-41 (July 26, 2016) established a legal framework for cyber incident coordination, delineating that a Cyber UCG “shall serve as the primary method for coordinating between and among federal agencies in response to a significant cyber incident, as well as for integrating private-sector partners into incident response efforts, as appropriate.”
On December 16, the FBI, ODNI, and CISA released a joint statement acknowledging their formation of a Cyber UCG and detailing the role that each agency is playing in the response process. As the lead for threat response, the FBI is investigating and gathering intelligence in order to attribute, pursue, and disrupt the responsible threat actors. As the lead for asset response activities, CISA noted its Emergency Directive and the agency’s ongoing efforts to engage with public and private stakeholders across the critical infrastructure community to ensure they understand their exposure and are taking steps to identify and mitigate any compromises. As the lead for intelligence support and related activities, ODNI is helping to marshal all of the U.S. Intelligence Community’s relevant resources to support this effort and share information across the U.S. Government.
On December 17, CISA released Alert AA20-352A as an update to Emergency Directive 21-01. The alert provides a thorough account of the threat actors’ activity and includes technical details that will be critical as organizations seek to identify compromises and block the associated threat actors from their systems. The alert is updated regularly as additional information becomes available and new guidance is established. Key non-technical takeaways include:
- This is a patient, well-resourced, and focused adversary that has sustained long-duration activity on victim networks.
- CISA is investigating other initial access vectors in addition to the SolarWinds Orion supply chain compromise.
- Not all organizations that have the backdoor delivered through SolarWinds Orion have been targeted by the adversary with follow-on actions.
- Organizations with suspected compromises must be highly conscious of operational security, including when engaging in incident response activities and planning and implementing remediation plans.
On December 17, the NSA also released a related cybersecurity advisory. The advisory provides guidance to National Security System, Department of Defense, and Defense Industrial Base network administrators to detect and mitigate malicious cyber actors who are manipulating trust in federated authentication environments to access protected data in the cloud. This advisory specifically discusses detection and mitigation of two tactics, techniques, and procedures used to forge authentications and gain access to a victim’s cloud resources. The recent SolarWinds compromise is one serious example of how on-premises systems can be compromised, leading to abuse of federated authentication and malicious cloud access.
On December 18, CISA released additional guidance on the implementation of CISA Emergency Directive 21-01, to include an update on affected versions, guidance for agencies using third-party service providers, and additional clarity on required actions. In the supplemental guidance, CISA divides the versions of Orion software into two groups: versions identified as containing a malicious backdoor (“affected versions”) and versions identified as not containing that malicious backdoor (“unaffected versions”).
On December 22, the FBI’s Cyber Division released a Private Industry Notification (PIN) regarding the SolarWinds Orion vulnerability. Given the fast-paced and evolving nature of the incident, the product seeks to provide cybersecurity professionals and system administrators with collated and verified information to assist in determining whether APT actors have exploited the SolarWinds vulnerabilities present on their systems.
On December 24, CISA released a free tool for detecting unusual and potentially malicious activity that threatens users and applications in an Azure/Microsoft O365 environment. The tool is intended for use by incident responders and is narrowly focused on activity that is endemic to the recent identity- and authentication-based attacks seen in multiple sectors.
On December 30, CISA released guidance to supplement the Emergency Directive (ED) 21-01 and Supplemental Guidance v1 issued on December 18, 2020. Specifically, all federal agencies operating versions of the SolarWinds Orion platform other than those identified as “affected versions” are required to use at least SolarWinds Orion Platform version 2020.2.1HF2.
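Security managers triaging an Orion inventory need to sort each install into the version groups described above: the affected range the Emergency Directive names (2019.4 through 2020.2.1 HF1), versions older than that range, and versions meeting the December 30 minimum of 2020.2.1 HF2. The following script is an added example written for this guide, not a CISA or SolarWinds tool; it uses only the coarse range quoted in this guide (the CISA supplemental guidance lists specific builds, so confirm against that list), and the inventory lines are constructed sample data.

```python
import re
from typing import Dict, Tuple

# Inclusive affected range quoted from the CISA Emergency Directive summary above.
AFFECTED_LOW = "2019.4"
AFFECTED_HIGH = "2020.2.1 HF1"
# Minimum version required of agencies still running Orion (December 30 guidance).
REQUIRED_MIN = "2020.2.1 HF2"

# Accepts "2019.4", "2020.2.1 HF1", "2020.2.1HF2", case-insensitive on "HF".
_VERSION_RE = re.compile(r"^\s*(\d+(?:\.\d+)*)\s*(?:HF\s*(\d+))?\s*$", re.IGNORECASE)


def parse_orion_version(text: str) -> Tuple[Tuple[int, ...], int]:
    """Turn '2020.2.1 HF1' into ((2020, 2, 1), 1). A missing hotfix counts as 0.
    Dotted parts are padded to three components so that 2020.2 sorts below 2020.2.1."""
    m = _VERSION_RE.match(text)
    if not m:
        raise ValueError(f"unrecognised Orion version string: {text!r}")
    parts = tuple(int(p) for p in m.group(1).split("."))
    parts = parts + (0,) * max(0, 3 - len(parts))
    hotfix = int(m.group(2)) if m.group(2) else 0
    return parts, hotfix


def classify(text: str) -> str:
    """'affected' -> isolate and perform forensic analysis per ED 21-01;
    'outdated' -> older than the affected range, must upgrade to 2020.2.1 HF2;
    'compliant' -> at or above the required minimum."""
    v = parse_orion_version(text)
    if parse_orion_version(AFFECTED_LOW) <= v <= parse_orion_version(AFFECTED_HIGH):
        return "affected"
    if v < parse_orion_version(REQUIRED_MIN):
        return "outdated"
    return "compliant"


# Constructed sample inventory (hostname,version); hostnames are hypothetical.
SAMPLE_INVENTORY = """\
orion-prod-01,2020.2.1 HF1
orion-lab-02,2019.4 HF5
orion-dr-03,2020.2.1HF2
orion-old-04,2018.4
"""


def triage_inventory(csv_text: str) -> Dict[str, str]:
    """Map each host in a 'host,version' listing to its classification."""
    result: Dict[str, str] = {}
    for line in csv_text.splitlines():
        if not line.strip():
            continue
        host, version = line.split(",", 1)
        result[host.strip()] = classify(version)
    return result
```

Hosts reported as "affected" should be treated under the forensic-analysis and hardening requirements summarized below rather than simply patched in place.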
On January 5, the Cyber Unified Coordination Group provided an update on its continued investigative and mitigation efforts related to this incident. The group’s work indicates that an Advanced Persistent Threat (APT) actor, likely Russian in origin, is responsible for most or all of the recently discovered, ongoing cyber compromises of both government and non-governmental networks. At this time, they believe this was, and continues to be, an intelligence gathering effort.
On January 6, CISA released supplemental guidance that requires (1) agencies that ran affected versions conduct forensic analysis, (2) agencies that accept the risk of running SolarWinds Orion comply with certain hardening requirements, and (3) reporting by agency from department-level Chief Information Officers (CIOs) by Tuesday, January 19 and Monday, January 25.
For questions regarding cyber and information security threats facing the U.S. private sector, including threats from nation-state actors, contact OSAC’s Cyber Team.