US Calls On Federal Agencies To Power Down SolarWinds Orion Due To Security Breach

An emergency directive issued by the U.S. government calls on all federal civilian agencies to disconnect or power down SolarWinds Orion IT management tools because they are being used to facilitate an active exploit.

The U.S. government late Sunday night called on all federal civilian agencies to power down SolarWinds Orion products immediately because they are being used as part of an active security exploit.

An emergency directive issued by the Cybersecurity and Infrastructure Security Agency (CISA) comes “in response to a known compromise involving SolarWinds Orion products that are currently being exploited by malicious actors,” according to the notice. “This Emergency Directive calls on all federal civilian agencies to review their networks for indicators of compromise and disconnect or power down SolarWinds Orion products immediately.”

“The compromise of SolarWinds’ Orion Network Management Products poses unacceptable risks to the security of federal networks,” said CISA Acting Director Brandon Wales in the directive. “Tonight’s directive is intended to mitigate potential compromises within federal civilian networks, and we urge all our partners—in the public and private sectors—to assess their exposure to this compromise and to secure their networks against any exploitation.”

The directive instructs the all agencies operating SolarWinds products to report that they have completed the shutdown by noon ET Monday.

CISA issued the directive following a report that the SolarWinds Orion IT management tool had been used to hack several federal agencies.

[Related: 8 Big Things To Know About The State-Sponsored FireEye Hack]

The U.S. Treasury and the U.S. Commerce Departments were breached through SolarWinds as part of a Russian government campaign, The Washington Post reported. It is unclear whether a breach last week of security vendor FireEye was also linked to SolarWinds.

IT infrastructure mangement vendor SolarWinds disclosed Sunday that it experienced a highly sophisticated, manual supply chain attack on versions of its Orion network monitoring product released between March and June of this year. The company said it’s been told the attack was likely conducted by an outside nation state and intended to be a narrow, extremely targeted, and manually executed attack, though no specific country was named.

A FireEye blog post states that hackers gained access to numerous public and private organizations through trojanized updates to SolarWinds’ Orion software, but didn’t disclose the identity of any of the victims. FireEye said it’s been working closely with SolarWinds, the Federal Bureau of Investigation, and other key partners.

While hackers over the past two years have taken advantage of the tools MSPs rely on to manage customer IT systems, the tools utilized in this breach do not appear to be linked to SolarWinds’ MSP business.

The Orion platform supports SolarWinds’ traditional IT infrastructure management business and isn’t connected to the SolarWinds MSP business built through acquisitions in recent years. The company said it isn’t aware of any impact to its remote monitoring and management (RMM), N-Central and associated SolarWinds MSP products from the attack on Orion.

Austin, Texas-based SolarWinds last week named Pulse Secure’s Sudhakar Ramakrishna as its next CEO, and has been examining a spin-out of its MSP tools business for months. SolarWinds said its technology is used by the Pentagon, all five branches of the U.S. military, the State Department, NASA, the NSA, the Postal Service, the National Oceanic Atmospheric Administration, the Department of Justice, and the Office of the President of the United States.

“The United States government is aware of these reports and we are taking all necessary steps to identify and remedy any possible issues related to this situation,” National Security Council Spokesman John Ullyot told The Washington Post.

FireEye made the shocking disclosure Tuesday that it suffered a security breach in what’s believed to be a state-sponsored attack designed to gain information on some of the firm’s government customers. The attacker could access some of FireEye’s internal systems but apparently didn’t exfiltrate data from the company’s primary systems that store customer information, the threat intelligence vendor said.

The threat actor, however, stole FireEye’s Red Team security assessment tools, and FireEye said it isn’t sure if the attacker plans to use the stolen tools themselves or publicly disclose them. FireEye’s stock has plunged $1.69 (10.9 percent) to $13.83 per share since the hack was disclosed after the market closed Tuesday.

The Washington Post reported Sunday that the hackers with the Russian intelligence service—known as APT29—who attacked FireEye also compromised the Treasury and Commerce departments as well as other U.S. government agencies. The breaches have been taking place for months and may amount to an operation as significant as the State Department and White House hacks during the Obama years.

There is concern within the U.S. intelligence community that the hackers who targeted Treasury and the Commerce Department’s National Telecommunications and Information Administration used a similar tool to break into other government agencies, Reuters reported Sunday. The hack is so serious it led to a National Security Council meeting at the White House on Saturday, according to Reuters.

APT29 also compromised the Democratic National Committee servers in 2015 but didn’t end up leaking the hacked DNC material. Instead, the Russian military spy agency GRU separately hacked the DNC and leaked its emails to WikiLeaks in 2016, the The Post said.

The Washington Post said that APT29 hacks for traditional espionage purposes, stealing secrets that can be useful for the Kremlin to understand the plans and motives of politicians and policymakers. Group members have stolen industrial secrets, hacked foreign ministries and, more recently, have attempted to steal coronavirus vaccine research, according to The Post.