The Hack Roundup: CISA Guidance Warns Affected Systems May Need to Be Rebuilt


Here are the news and updates you may have missed. 

The Cybersecurity and Infrastructure Security Agency released a guide for federal, state and local government leaders on responding to the hack and an online hub for resources.

The Insights document released Dec. 23 recaps the incident: A “sophisticated” actor slipped a backdoor into legitimate SolarWinds Orion software updates to gain access to networks for further action, like creating new accounts, collecting sensitive information or planting tools for future activity. Any organization that downloaded the compromised updates should take remediation steps, CISA said.

“If left unchecked, this threat actor has the resources, patience, and expertise to resist eviction from compromised networks and continue to hold affected organizations at risk,” the document states. 

CISA recommends that organizations investigate whether they have ever operated affected SolarWinds Orion versions, and also determine whether any of their managed service providers may have been compromised.

Remediation will require cooperation and resources from the organization’s leadership team, and CISA urges organizations to “empower information security staff to take appropriate action” or turn to third-party support when organizations lack in-house expertise.

The agency also warns that any network asset monitored by SolarWinds Orion may need to be rebuilt. 

“This will be a resource-intensive, highly complex, and lengthy undertaking,” the guidance states. 

The agency launched a page, cisa.gov/supply-chain-compromise, collecting guidance, alerts, the agency’s emergency directive and some third-party resources. 

Palo Alto Networks’ Unit 42 researchers found that command and control infrastructure was set up as early as August 2019, a month earlier than previous research had determined. The perpetrators—which Unit 42 dubbed SolarStorm—released the first modified SolarWinds software in October 2019 and built a related Cobalt Strike payload in December 2019. The technically inclined can read Unit 42’s brief on the incident here.

Veterans Affairs Department officials canceled Congressional briefings on the hack and one lawmaker wants an update. Sen. Richard Blumenthal, D-Conn., in a letter to VA Secretary Robert Wilkie, asked a series of questions about the incident and for details about how the agency is protecting veterans’ health data: 

"Alarmingly, the VA has been described as ‘the biggest spender on [SolarWinds Orion products] in recent years,’ raising deep concerns about the extent of its exposure and the impact on the sensitive data it holds on millions of veterans. SolarWinds has repeatedly held out its work with VA as a model customer, in one press release stating it ‘helped the VA consolidate to a single enterprise-wide platform, implementing ten regional instances, putting everyone on the same page and giving consolidated visibility.’ In effect, SolarWinds’ statements raises [sic] the troubling prospect that the maliciously backdoored software was sitting at the heart of the VA, with unparalleled access to sensitive information."

Deterrence isn’t working in cyberspace, argues Sen. Angus King, I-Maine, in a Barron’s op-ed. The U.S. Cyberspace Solarium Commission co-chair calls for a national strategy that allows the U.S. to “impose consequences” on attackers through cyber and noncyber means, and a well-resourced U.S. Cyber Command that conducts and sometimes publicly claims offensive missions. He also called attention to various commission recommendations that made it into the still-unsigned National Defense Authorization Act. 

“[W]e need to make our enemies change their decision matrix and send a clear, unequivocal message to our enemies: If you hit us, we will hit back,” he wrote.