Last week, details began to emerge about a major data breach at SolarWinds affecting thousands of large companies across the globe. Another victim of this breach: the United States Federal Government. Reportedly, the Orion software, which is used by companies and governments around the world, had malware inserted into an update file that was distributed to many of SolarWinds' customers.
FireEye employees spotted the potentially malicious activity on their networks and quickly moved to notify the authorities and SolarWinds, where they believed the attack originated. The identified malicious files came from an infected SolarWinds update file, which granted the foreign actors access to the network in ways that were previously very difficult to obtain.
Once the threat was known to impact the US Federal Government, the Cybersecurity and Infrastructure Security Agency (CISA) and the Department of Homeland Security (DHS) released emergency advisories ordering every federal agency running SolarWinds Orion servers to “shut them down immediately”. This was the first time such an order had ever been given, and it speaks to the serious and complicated nature of this attack.
Through threat intelligence and other intelligence-gathering techniques, experts believe there is sufficient evidence pointing to APT 29, a group of Russian state-funded cyberspace actors. APT 29 is believed to be responsible for several other high-level cyber incidents. Incidents such as the spear-phishing campaign against the Pentagon and the use of zero-day vulnerabilities are common practice for these types of hacking groups, which are linked to the Kremlin.
So far, the exact size and scale of this attack on thousands of organizations worldwide is unknown, and it will likely remain so for some time. However, because of the impact this threat has on organizations, if you are running the SolarWinds Orion software, it is advised that you shut down these servers immediately. Information on potential remedies is listed by DHS.
In the meantime, while we continue to follow this story, we want our customers to know that Midshore Technology Services does in fact use some SolarWinds products. However, these products are not known to be exploited at this time. We have proactively taken multiple countermeasures to ensure that our systems, and by extension your systems, are safe and secure. As the situation develops, we will continue to adapt our operating procedures to keep providing the level of due diligence and care for your networks that is expected of us.
We have taken the following steps to ensure our customers are safeguarded:
- All SolarWinds products have been updated with the latest encryption keys
- We have used the information provided by CISA and DHS to add signatures for the malware to our endpoint protection suite (installed on all managed customer PCs)
- We are coordinating with the Federal Government to ensure we have the latest information and safeguards as they are made available
- We are coordinating with SolarWinds and taking the actions suggested by their incident response teams
We will continue to post updates as they come in.