CISA issues Emergency Directive in Response to SolarWinds Hack

On December 13th, the Cybersecurity and Infrastructure Security Agency (CISA) issued Emergency Directive 21-01, in response to a known compromise involving SolarWinds Orion products  (affected versions are 2019.4 through 2020.2.1 HF1) that are currently being exploited by malicious actors. This Emergency Directive calls on all federal civilian agencies to review their networks for indicators of compromise and disconnect or power down SolarWinds Orion products immediately. The Directive provides recommended mitigation procedures  for those using affected software. Although Executive Directive 21-01 applies to Federal agencies, the recommended mitigation procedures warrant the water sector’s close attention.

On December 18th, CISA issued an updated alert for widespread cyber exploitation of the SolarWinds software platform. This intrusion achieves broad penetration and long-term undetected presence in victim networks, allowing for exfiltration of victim data.

Please note: CISA has recently determined that the SolarWinds Orion supply chain compromise is not the only initial infection vector being leveraged.

If you suspect your infrastructure has been compromised, please contact the CISA Cyber Liaison (cyberliaison@cisa.dhs.gov) immediately. CISA is advising entities not to disclose any details regarding a suspected compromise when contacting them via email. Upon receiving email correspondence, CISA will work with the reporting entity to establish out-of-band communication to discuss further.

Background

SolarWinds provides computer networking monitoring services to corporations and government agencies around the world. On Sunday, the company  warned customers that an outside nation had hacked into its most popular product, a tool called Orion that helps organizations monitor outages on their computer networks and servers. The malicious cyber activity began as early as March after hackers snuck code into an Orion update that gave access to customers’ internal networks.

More general information on the hack can be found in this New York Times article and/or this article published by The Guardian.