After high profile hacks hit federal agencies, CISA demands drastic SolarWinds mitigation

Secretary of the Treasury Steven Mnuchin, March 13, 2020, outside of the West Wing of the White House. (Official White House Photo by Keegan Barber)

The Department of Homeland Security's cybersecurity agency is demanding drastic action of federal agencies, after the Department of Treasury and National Telecommunications and Information Administration were breached in a malicious supply chain attack using the SolarWinds IT management platform.

The Cybersecurity and Infrastructure Security Agency released Emergency Directive 21-01 Sunday evening, following a Reuters report that hackers had exfiltrated information from NTIA and Treasury. The Washington Post later tied those attacks to last week's FireEye attacks and all three to Russian intelligence, specifically APT 29.

“The compromise of SolarWinds’ Orion Network Management Products poses unacceptable risks to the security of federal networks,” CISA Acting Director Brandon Wales said in a statement to the press. “Tonight’s directive is intended to mitigate potential compromises within federal civilian networks, and we urge all our partners — in the public and private sectors — to assess their exposure to this compromise and to secure their networks against any exploitation.”  

FireEye reported Sunday that SolarWinds pushed multiple trojanized updates between March and May of 2020, installing what the security firm is calling the Sunburst backdoor.

The attacks are not limited to government, wrote FireEye, and also hit the consulting, technology, telecom sectors. Nor were the attacks limited to America, also targeting Europe, Asia and the Middle East.

After installing Sunburst, attackers leverage a memory-only dropper program to install Cobolt Strike.

FireEye notes multiple opportunities for detecting the attack, including checking logs for "SMB sessions that show access to legitimate directories and follow a delete-create-execute-delete-create pattern in a short amount of time," as well as single systems making connections using multiple accounts. The FireEye post also includes information to blacklist command and control domain generation algorithms and known infrastructure IPs.

But, notes FireEye, detecting takes dilligence. As the firm writes in the blog post, "This is some of the best operational security that FireEye has observed in a cyber attack, focusing on evasion and leveraging inherent trust. However, it can be detected through persistent defense."

SolarWinds is a popular platform in and outside of governance. Sources assume many more victims will likely surface.

While the CISA demands are only mandatory within the government systems to which it can issue an emergency order, other firms may be interested in following suit.

CISA ordered government agencies with the capability to forensically analyze memory or network traffic to check for new accounts and indicators of compromise. It has ordered all agencies under its order to "immediately disconnect or power down SolarWinds Orion products, versions 2019.4 through 2020.2.1 HF1, from their network" and block all connections from systems using those products.

Joe Uchill

Joe is a senior reporter at SC Weekly, focused on policy issues. He previously covered cybersecurity for Axios, The Hill and the Christian Science Monitor’s short-lived Passcode website.

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms and Conditions and Privacy Policy.