SolarWinds Orion Compromise

SolarWinds Orion Supply-Chain Compromise Information

In early December 2020, a highly advanced threat actor breached the cybersecurity company FireEye and gained access to its security tools. During its investigation, FireEye discovered a previously unknown compromise in a popular network monitoring tool. It was later reported that a highly advanced threat actor had compromised the SolarWinds software supply chain, inserting malicious code into the company's Orion monitoring tool.

Texas Department of Information Resources (DIR) moved swiftly to provide guidance to its customers across the state.

For additional information on this evolving cybersecurity issue, please review the DIR Overview of the SolarWinds Orion Platform Breach or see the relevant information listed below.

Current Reference Information

This page contains the most recent guidance from CISA, DIR, and relevant third-party sources concerning the supply chain compromise.

Latest DIR Update: Dec 18, 2020

Updated Recommendations on SolarWinds Orion Hot Fix Release and Supporting Actions
DIR issued guidance on the use of SolarWinds Orion products. It is incumbent on each organization to thoroughly evaluate its risk category based on the categorical guidance in CISA's Activity Alert AA20-352A - Advanced Persistent Threat and the additional context provided by DIR.

Latest CISA Update: Jan 6, 2021

CISA has released Emergency Directive (ED) 21-01 Supplemental Guidance version 3: Mitigate SolarWinds Orion Code Compromise, providing guidance that supersedes Required Action 4 of ED 21-01 and Supplemental Guidance versions 1 and 2.

  • Federal agencies without evidence of adversary follow-on activity on their networks that accept the risk of running SolarWinds Orion in their enterprises should rebuild or upgrade, in compliance with hardening steps outlined in the Supplemental Guidance, to at least SolarWinds Orion Platform version 2020.2.1 HF2.
  • Federal agencies with evidence of follow-on threat actor activity on their networks should keep their affected versions disconnected, conduct forensic analysis, and consult with CISA before rebuilding or reimaging affected platforms and host operating systems.

Additional Reference Information

| Document or Reference Title | Source | Date Released |
|---|---|---|
| Updates Supplemental Guidance V3 on Emergency Directive 21-01 | CISA | Jan 6, 2021 |
| Updates Supplemental Guidance on Emergency Directive 21-01 | CISA | Dec 30, 2020 |
| Supply Chain Compromise Information Page | CISA | Dec 22, 2020 |
| Supplemental Guidance on Emergency Directive 21-01 | CISA | Dec 18, 2020 |
| Alert (AA20-352A) - Advanced Persistent Threat Compromise of Government Agencies, Critical Infrastructure, and Private Sector Organizations | CISA | Dec 17, 2020 |
| Emergency Directive 21-01 | CISA | Dec 13, 2020 |
| CISA Insights - What Every Leader Needs to Know About the Ongoing APT Cyber Activity | CISA | December 2020 |
| Joint Statement by the FBI, CISA, ODNI, and the NSA on the Cyber Unified Coordination Group | Cyber UCG | Jan 5, 2021 |
| Updated Recommendations on SolarWinds Orion Hot Fix Release and Supporting Actions | DIR | Dec 18, 2020 |
| Recommended Mitigation of SolarWinds Orion Platform Compromise | DIR | Dec 14, 2020 |
| FireEye GitHub including Yara rules, Snort rules, hashes, and other IOCs | FireEye | Dec 17, 2020 |
| FireEye – Threat Research: SolarWinds | FireEye | Dec 13, 2020 |
| Customer Guidance on Recent Nation-State Cyber Attacks | Microsoft | Dec 13, 2020 |
| The SolarWinds Cyber-Attack: What SLTTs Need to Know | MS-ISAC | Dec 20, 2020 |
| Cybersecurity Advisory - Detecting Abuse of Authentication Mechanisms | NSA | Dec 17, 2020 |
| SolarWinds Security Advisory | SolarWinds | Jan 7, 2021 |