CISA issues Emergency Directive in response to supply chain attack on US agencies

The Directive was issued on Sunday in response to an ongoing investigation into a compromise by “malicious actors” of SolarWinds Orion products. It calls on all federal civilian agencies to review their networks for indicators of a breach and to shut down their devices immediately. 

CISA Acting Director Brandon Wales said: “The compromise of SolarWinds’ Orion Network Management Products poses unacceptable risks to the security of federal networks.”

He added that the Emergency Directive “is intended to mitigate potential compromises within federal civilian networks, and we urge all our partners—in the public and private sectors—to assess their exposure to this compromise and to secure their networks against any exploitation.”  

CISA says agencies operating SolarWinds products should provide a completion report to CISA by 12pm Eastern Standard Time on Monday December 14, 2020.  

Current president and CEO of SolarWinds Kevin Thompson said in a statement, “We are aware of a potential vulnerability which, if present, is currently believed to be related to updates which were released between March 2020 and June 2020 to our Orion monitoring products.” 

He added: “We believe that this vulnerability is the result of a highly sophisticated, targeted and manual supply chain attack by a nation state. We are acting in close coordinate with FireEye, the Federal Bureau of Investigation, the intelligence community, and other law enforcement to investigate these matters. As such, we are limited as to what we can share at this time.”

SolarWinds also recommends users to upgrade to Orion Platform version 2020.2.1 HF 1 as soon as possible to ensure the security of your environment. 

The firm said, “We are working to investigate the impacts of this incident and will continue to update you as we are made aware of any interruptions or impact to your business specifically.”

Kevin Mandia, CEO of FireEye, a major US cybersecurity company that suffered a breach believed to be connected to the attack on the US Treasury, stated in a blog post that: “The campaign demonstrates top-tier operational tradecraft and resourcing consistent with state-sponsored threat actors.”

He added: “Based on our analysis, we have now identified multiple organizations where we see indications of compromise dating back to the Spring of 2020.”

Former Director of CISA, Chris Krebs who was recently fired from his position by Donald Trump, said in a tweet on December 13:

“As news breaks about what looks to be a pretty large-scale hack, I have the utmost confidence in the [CISA] team and other Federal partners. I’m sorry I’m not there with them, but they know how to do this. This thing is still early, I suspect. Let’s let the pros work it.”