- Federal authorities are investigating a cyber breach by a suspected nation-state that targeted government agencies and is linked to a potential vulnerability that emerged during an update of SolarWinds Orion monitoring software during the spring of 2020. Reuters is attributing the attack to Russia, which has denied the allegations.
- The Cybersecurity and Infrastructure Agency issued an emergency directive Sunday calling on all federal civilian agencies to review their networks for evidence of compromise and to disconnect or power off SolarWinds Orion products immediately. The directive comes after the Department of Commerce confirmed a breach hit one if its bureaus, and has asked the FBI and CISA to investigate. The Department of Treasury was breached, according to Reuters reports, however a spokesperson for the agency did not immediately respond to a query.
- SolarWinds confirmed it is aware of a potential vulnerability that may be related to updates released between March and June of its Orion monitoring products. The vulnerability is believed to be the result of a "highly sophisticated, targeted and manual supply chain attack by a nation state," the company said.
SolarWinds, network performance and systems monitoring software provider, has more than 300,000 customers worldwide, including more than 425 of the U.S. Fortune 500 companies, according to the company. It is not immediately known how many customers rely on SolarWinds Orion.
SolarWinds is working with FireEye, the FBI, the intelligence community and other law enforcement agencies to investigate the attacks. The company said it is limited in what it can share at this time.
FireEye said it was aware of a global intrusion campaign that trojanized SolarWinds Orion business software updates to distribute malware that it calls SUNBURST, the company said Sunday. The campaign has impacted public and private institutions around the world, and the attackers have used multiple techniques to evade detection.
"The campaign demonstrates top-tier operational tradecraft and resourcing consistent with state-sponsored threat actors," FireEye CEO Kevin Mandia wrote in a separate blogpost released Sunday.
FireEye released signatures on GitHub that can be used to detect the supply chain attack in the wild.
"We have been working closely with our agency partners regarding recently discovered activity on government networks," a CISA spokesperson said in a statement. "CISA is providing technical assistance to affected entities as they work to identify and mitigate any potential compromises."
The FBI confirmed that it was aware of the alleged hacking, and said it was "appropriately engaged" but declined to comment further.