US cybersecurity agency issues emergency directive following government hacks

The top U.S. cybersecurity agency late Sunday issued an emergency directive calling on all federal civilian agencies to review their networks and disconnect from any SolarWinds systems after it was revealed that foreign hackers breached the third-party software provider and accessed some government networks.

The Treasury Department and the Commerce Department’s National Telecommunications and Information Administration are said to have fallen victim to intrusions as a result of the breach of SolarWinds, an Austin, Texas-based IT provider.

“The compromise of SolarWinds’ Orion Network Management Products poses unacceptable risks to the security of federal networks,” said Brandon Wales, acting director of the Cybersecurity and Infrastructure Security Agency (CISA).

“Tonight’s directive is intended to mitigate potential compromises within federal civilian networks, and we urge all our partners—in the public and private sectors—to assess their exposure to this compromise and to secure their networks against any exploitation,” Wales continued.

The directive is only the fifth that CISA, an agency within the Department of Homeland Security, has issued since 2015. The agency said all federal agencies using SolarWinds products should report to CISA on the completion of the directive by noon Monday.

The directive states that CISA determined that the breach of SolarWinds poses an “unacceptable risk” to federal civilian agencies because of the “high potential” for compromise of federal information systems and the “grave impact” that a successful compromise would have.

The directive says that agencies should wait until CISA issues further guidance before using any patches under development by SolarWinds to reinstall the company’s Orion software, which was subject to the compromise.

The Washington Post and other outlets reported earlier Sunday that officials believe Russian government hackers, known as APT29 or Cozy Bear, were behind the breach of the Treasury and Commerce departments. The breach is believed to have lasted several months and affected victims across the globe.

The cybersecurity firm FireEye said Sunday that the hacking campaign may date back to as early as spring 2020 and resulted in hackers gaining access to various public and private organizations across the globe. FireEye, which was also breached, said the hackers attacked updates to SolarWinds’ Orion software.

“The campaign is the work of a highly skilled actor and the operation was conducted with significant operational security,” FireEye wrote in a blog post, noting that the hacking campaign is ongoing. FireEye did not identify Russia as being behind the breach.

–Updated at 8:01 a.m.