In the wake of a serious, monthslong intrusion by possible nation-state hackers into the Treasury and Commerce departments, federal civilian agencies are being told to disconnect a common server software component until government experts can determine that it’s safe.
The Cybersecurity and Infrastructure Security Agency issued a rare emergency directive Sunday night, calling on “all federal civilian agencies to review their networks for indicators of compromise and disconnect or power down SolarWinds Orion products immediately.”
“Disconnecting affected devices … is the only known mitigation measure currently available,” the agency wrote in its emergency directive.
CISA reports that the affected SolarWinds Orion Platform software versions are 2019.4 HF 5 through 2020.2.1 HF 1, released between March and June 2020.
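The directive asks agencies to review their networks and take affected Orion servers offline, which in practice starts with checking each installed version against the range CISA published. The script below is an added example written for this article, not tooling from CISA, SolarWinds or FireEye. It assumes Orion version strings follow the "YYYY.m[.p] [HF n]" shape the article shows, that a higher hotfix number is a later release of the same base version, and that the inventory is a list of (hostname, version) pairs; the hostnames and versions in the sample inventory are constructed.

```python
import re
from typing import Dict, Iterable, Tuple

# Affected range as stated in the article (CISA), inclusive at both ends.
AFFECTED_MIN = "2019.4 HF 5"
AFFECTED_MAX = "2020.2.1 HF 1"

# Assumed version-string shape: dotted numeric base, optional "HF n" hotfix suffix.
_VERSION_RE = re.compile(r"^\s*(\d+(?:\.\d+)*)\s*(?:HF\s*(\d+))?\s*$", re.IGNORECASE)


def parse_orion_version(text: str) -> Tuple[Tuple[int, ...], int]:
    """Turn '2020.2.1 HF 1' into ((2020, 2, 1), 1) so versions compare as tuples.

    Base versions are padded to three components so '2019.4' sorts as 2019.4.0.
    A missing hotfix counts as HF 0 (assumption: hotfixes are released after
    the base version they patch).
    """
    match = _VERSION_RE.match(text)
    if not match:
        raise ValueError(f"unrecognised Orion version string: {text!r}")
    base = tuple(int(part) for part in match.group(1).split("."))
    base = base + (0,) * max(0, 3 - len(base))
    hotfix = int(match.group(2)) if match.group(2) else 0
    return (base, hotfix)


def is_affected(version: str) -> bool:
    """True when the version falls inside the CISA-published affected range."""
    key = parse_orion_version(version)
    return parse_orion_version(AFFECTED_MIN) <= key <= parse_orion_version(AFFECTED_MAX)


def triage_inventory(hosts: Iterable[Tuple[str, str]]) -> Dict[str, str]:
    """Map each host to the action the directive implies.

    'disconnect'    -> version is in the affected range; take it offline
    'no-action'     -> version outside the range (still review for indicators)
    'manual-review' -> version string could not be parsed; inspect the host
    """
    actions: Dict[str, str] = {}
    for hostname, version in hosts:
        try:
            actions[hostname] = "disconnect" if is_affected(version) else "no-action"
        except ValueError:
            actions[hostname] = "manual-review"
    return actions


# Constructed sample inventory; hostnames and versions are made up for the example.
SAMPLE_INVENTORY = [
    ("orion-01.example.test", "2020.2.1 HF 1"),  # upper bound of the range
    ("orion-02.example.test", "2019.4 HF 5"),    # lower bound of the range
    ("orion-03.example.test", "2019.4 HF 4"),    # one hotfix below the range
    ("orion-04.example.test", "2020.2.1 HF 2"),  # one hotfix above the range
    ("orion-05.example.test", "unknown build"),  # unparsable, needs a human
]

if __name__ == "__main__":
    for host, action in triage_inventory(SAMPLE_INVENTORY).items():
        print(f"{host:<24} {action}")
```

The inclusive bounds matter: both endpoints CISA named are affected, so a check written with strict comparisons would wrongly clear the two boundary hosts. Hosts whose version cannot be parsed are flagged rather than silently treated as safe.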
SolarWinds issued a security advisory recommending an upgrade to a newer Orion platform; the advisory also provided guidance for agencies and companies who are not able to upgrade immediately.
Cyberattackers Took Advantage of Legitimate Updates
CISA acknowledged SolarWinds’ mitigation efforts, but asked agencies not to install new software until CISA could provide further government guidance.
The hackers broke into the Treasury and Commerce departments; within Commerce, the National Telecommunications and Information Administration, responsible for internet and telecommunications policy, was also targeted. Reuters reported later in the day that the Department of Homeland Security may also have been compromised.
“The compromise … poses unacceptable risks to the security of federal networks,” said CISA Acting Director Brandon Wales in a statement. “We urge all our partners — in the public and private sectors — to assess their exposure to this compromise and to secure their networks against any exploitation.”
FireEye, which discovered a similar breach earlier this month, said that the attacks began with the insertion of malware into legitimate software updates, giving the hackers remote access to the agency networks.
The malware was designed to avoid detection, blend into normal network activity and cover its tracks; it was also based on difficult-to-attribute tools, the company reported.
Attack Is Limited and Will Not Spread, Experts Say
At least one expert said it was clear that the attack was designed to slip through even the best company’s defenses.
“SolarWinds has a stellar reputation, and from the available information it looks like their software was signed with a valid Symantec certificate on a normal SolarWinds Orion update,” said Lior Div, CEO of the cybersecurity firm Cybereason. “After a certain point, effective detection matters more.”
While the attack has not yet been attributed to any specific hackers, SolarWinds said in a security advisory that “we have been advised this attack was likely conducted by an outside nation-state.”
The Washington Post also reported that the attackers were suspected to be the Russian-sponsored group known as APT29, or Cozy Bear, affiliated with the Russian foreign intelligence service.
The compromises were not built to spread — unlike the notorious WannaCry and NotPetya attacks in 2017, FireEye and SolarWinds both reported. “Each of the attacks require meticulous planning and manual interaction,” wrote FireEye CEO Kevin Mandia in a blog post on Sunday.
SolarWinds’ government customers include all four military branches, the intelligence community and agencies within the Defense Department. On the civilian side, customers include the Justice Department, the Department of Veterans Affairs, two Energy Department national laboratories and more.
“We anticipate this will be a very large event when all the information comes to light,” John Hultquist, director of threat analysis at FireEye, told The Associated Press.