SolarWinds Orion Compromise
SolarWinds Orion Supply-Chain Compromise Information
In early December 2020, the cybersecurity company FireEye disclosed that a highly advanced threat actor had breached its network and stolen its red team tools. While investigating that intrusion, FireEye discovered a previously unknown compromise in a widely used network monitoring product. It was subsequently reported that the same actor had compromised the SolarWinds software supply chain, inserting malicious code into the company's Orion monitoring platform so that it was delivered to customers through legitimate, signed updates.
Texas Department of Information Resources (DIR) moved swiftly to provide guidance to its customers across the state.
For additional information on this evolving cybersecurity issue, please review the DIR Overview of the SolarWinds Orion Platform Breach or see the relevant information listed below.
Current Reference Information
This page collects the most recent guidance from CISA, DIR, and relevant third-party sources concerning the supply-chain compromise.
Latest DIR Update: Dec 18, 2020
Updated Recommendations on SolarWinds Orion Hot Fix Release and Supporting Actions
DIR issued updated guidance on the use of SolarWinds Orion products. Each organization is responsible for thoroughly evaluating its own risk category using the categorical guidance in CISA's Activity Alert AA20-352A (Advanced Persistent Threat Compromise of Government Agencies, Critical Infrastructure, and Private Sector Organizations) and the additional context provided by DIR.
Latest CISA Update: Jan 6, 2021
CISA has released Emergency Directive (ED) 21-01 Supplemental Guidance version 3: Mitigate SolarWinds Orion Code Compromise, which supersedes Required Action 4 of ED 21-01 and Supplemental Guidance versions 1 and 2.
- Federal agencies without evidence of adversary follow-on activity on their networks that accept the risk of running SolarWinds Orion in their enterprises should rebuild or upgrade, in compliance with the hardening steps outlined in the Supplemental Guidance, to at least SolarWinds Orion Platform version 2020.2.1 HF2.
- Federal agencies with evidence of follow-on threat actor activity on their networks should keep their affected versions disconnected, conduct forensic analysis, and consult with CISA before rebuilding or reimaging affected platforms and host operating systems.
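The two conditions above (no follow-on activity: rebuild or upgrade to at least 2020.2.1 HF2; follow-on activity: stay disconnected and do forensics first) can be applied mechanically to an Orion server inventory. The following is an added example written for this page; it is not code from DIR, CISA, or SolarWinds. It assumes version strings use SolarWinds' usual "YYYY.N[.P][ HFn]" form (a hotfix on an older patch level sorts below a newer patch level, so 2020.2 HF1 is older than 2020.2.1), and the inventory it triages is constructed sample data, not real hosts.

```python
"""Triage an Orion inventory against the ED 21-01 Supplemental Guidance v3 floor.

Added example for this page (not DIR, CISA, or SolarWinds code). Assumptions:
version strings look like "2020.2.1 HF2", "2019.4 HF5", or "2020.2"; the
SAMPLE_INVENTORY below is constructed data for demonstration only.
"""
import re
from typing import Dict, List, NamedTuple, Tuple

# Minimum build named in ED 21-01 Supplemental Guidance v3 for hosts with no
# evidence of follow-on activity. Pass a different floor to triage() if your
# organization sets one.
MIN_VERSION = "2020.2.1 HF2"

# year.minor[.patch][ HFn]; release candidates ("2020.2 RC1") deliberately do
# not match and are reported as unknown rather than silently accepted.
_VERSION_RE = re.compile(
    r"^\s*(\d{4})\.(\d+)(?:\.(\d+))?(?:\s*HF\s*(\d+))?\s*$", re.IGNORECASE
)


class OrionVersion(NamedTuple):
    year: int
    minor: int
    patch: int    # 0 when absent, e.g. "2020.2"
    hotfix: int   # 0 when absent, e.g. "2020.2.1"


def parse_version(text: str) -> OrionVersion:
    """Parse an Orion version string into a comparable tuple."""
    m = _VERSION_RE.match(text)
    if not m:
        raise ValueError(f"unrecognised Orion version string: {text!r}")
    year, minor, patch, hotfix = m.groups()
    return OrionVersion(int(year), int(minor), int(patch or 0), int(hotfix or 0))


def meets_minimum(installed: str, minimum: str = MIN_VERSION) -> bool:
    """True if the installed build is at or above the required floor."""
    return parse_version(installed) >= parse_version(minimum)


# (hostname, reported Orion version, evidence of follow-on activity?)
Host = Tuple[str, str, bool]


def triage(inventory: List[Host], minimum: str = MIN_VERSION) -> Dict[str, list]:
    """Bucket hosts by the action the guidance calls for.

    isolate:   evidence of follow-on activity; keep disconnected, do forensics,
               consult CISA before rebuild (version is irrelevant here).
    upgrade:   no follow-on evidence but below the floor; rebuild or upgrade.
    compliant: no follow-on evidence and at/above the floor.
    unknown:   version string could not be parsed; check the host by hand.
    """
    buckets: Dict[str, list] = {"isolate": [], "upgrade": [], "compliant": [], "unknown": []}
    for host, version, follow_on in inventory:
        if follow_on:
            buckets["isolate"].append(host)
            continue
        try:
            ok = meets_minimum(version, minimum)
        except ValueError:
            buckets["unknown"].append((host, version))
            continue
        if ok:
            buckets["compliant"].append(host)
        else:
            buckets["upgrade"].append((host, version))
    return buckets


# Constructed sample inventory (hostnames and findings are invented).
SAMPLE_INVENTORY: List[Host] = [
    ("orion-01", "2020.2.1 HF2", False),   # already at the floor
    ("orion-02", "2020.2.1 HF1", False),   # one hotfix short
    ("orion-03", "2019.4 HF5", False),     # older release train
    ("orion-04", "2020.2.1 HF2", True),    # patched, but follow-on activity seen
    ("orion-05", "2020.2", False),         # no patch level, no hotfix
    ("orion-06", "2020.2 RC1", False),     # unparseable: needs manual review
]


if __name__ == "__main__":
    for action, hosts in triage(SAMPLE_INVENTORY).items():
        print(f"{action:9s} {hosts}")
```

Note that `triage` checks the follow-on-activity flag before the version: a host at 2020.2.1 HF2 with evidence of adversary activity still lands in `isolate`, because patching does not address an attacker who has already moved laterally.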
Additional Reference Information
| Document or Reference Title | Source | Date Released |
|---|---|---|
| Updates Supplemental Guidance V3 on Emergency Directive 21-01 | CISA | Jan 6, 2021 |
| Updates Supplemental Guidance on Emergency Directive 21-01 | CISA | Dec 30, 2020 |
| Supply Chain Compromise Information Page | CISA | Dec 22, 2020 |
| Supplemental Guidance on Emergency Directive 21-01 | CISA | Dec 18, 2020 |
| Alert (AA20-352A) - Advanced Persistent Threat Compromise of Government Agencies, Critical Infrastructure, and Private Sector Organizations | CISA | Dec 17, 2020 |
| Emergency Directive 21-01 | CISA | Dec 13, 2020 |
| CISA Insights - What Every Leader Needs to Know About the Ongoing APT Cyber Activity | CISA | December 2020 |
| Joint Statement by the FBI, CISA, ODNI, and the NSA on the Cyber Unified Coordination Group | Cyber UCG | Jan 5, 2021 |
| Updated Recommendations on SolarWinds Orion Hot Fix Release and Supporting Actions | DIR | Dec 18, 2020 |
| Recommended Mitigation of SolarWinds Orion Platform Compromise | DIR | Dec 14, 2020 |
| FireEye GitHub including YARA rules, Snort rules, hashes, and other IOCs | FireEye | Dec 17, 2020 |
| FireEye – Threat Research: SolarWinds | FireEye | Dec 13, 2020 |
| Customer Guidance on Recent Nation-State Cyber Attacks | Microsoft | Dec 13, 2020 |
| The SolarWinds Cyber-Attack: What SLTTs Need to Know | MS-ISAC | Dec 20, 2020 |
| Cybersecurity Advisory - Detecting Abuse of Authentication Mechanisms | NSA | Dec 17, 2020 |
| SolarWinds Security Advisory | SolarWinds | Jan 7, 2021 |