Federal agencies that ran compromised SolarWinds Orion software must conduct a forensic analysis by the end of the month, according to new supplemental guidance from the Cybersecurity and Infrastructure Security Agency released Wednesday.
That analysis must look at system memory, host storage, network and third-party environments such as cloud services. Agencies must also hunt for indicators of compromise or “other evidence of threat actor activity” and create or update a CISA incident report accordingly.
In addition, agencies that “accept the risk of running SolarWinds Orion” must meet certain “hardening” requirements, depending on whether their networks ever ran affected versions of the software. Those tasks include either rebuilding the software infrastructure and resetting the accounts involved, or updating to the latest version. The guidance lists 12 specific conditions for operating the SolarWinds software.
Even operating that updated version, however, carries risk.
“The adversary enjoyed longstanding, covert access to the build process that SolarWinds uses for Orion, including to the code underlying the Orion platform,” the guidance reads. “While the immediate known consequence of this access was the insertion of the malicious code into the affected versions of SolarWinds Orion, there may be other unknown consequences as well.”
Orion is a centralized IT management system that works with other SolarWinds network and infrastructure monitoring software, essentially providing a framework for the company’s other products. Users inadvertently introduced malware into their networks by updating the software between March and June of last year. Federal intelligence and law enforcement agencies said for the first time that the hacking was “likely Russian in origin” on Monday after a month of speculation.
CISA said it is “working closely with FedRAMP to coordinate the response to ED 21-01 with FedRAMP Authorized cloud service providers.” Those service providers have been instructed to coordinate with their agency customers.
This latest guidance supersedes the Emergency Directive (ED) 21-01 supplemental guidance version one issued on Dec. 18 and version two issued on Dec. 30.
At least eight agencies were victims of the attack, including the Department of Commerce, Department of Energy and Department of the Treasury.