If you don’t know about SolarWinds, then you haven’t been reading the news for the past six months. Last October 2020, it was reported that a widely-used networking tool that helps companies in the public and private sectors manage their Information Technology (IT) portfolios – SolarWinds Orion product — had been compromised. Publicly, it has been reported that about 18,000 private and government users downloaded the tainted software update, and it provided Russian hackers access to their systems. The hack hit Federal agencies, including the Departments of Treasury, Commerce, and State, the Department of Homeland Security (DHS), National Security Agency, and parts of the Pentagon, as well as public and private sector companies. The breadth and depth of this hack are still being assessed.
On December 13, 2020, the DHS Cybersecurity and Infrastructure Security Agency (CISA) issued Emergency Directive 21-01, Mitigate SolarWinds Orion Code Compromise. At that time it reported that the only known mitigation measure available was to disconnect or power down the SolarWinds Orion platform. The Emergency Directive advised readers to review the MITRE ATT&CK site to aid in identification of possible Advanced Persistent Threat (APT) tactics, including account manipulation, cloud credentialing, delegated email permissions, added global administrator roles, and so on. The Emergency Directive has been updated a number of times since that initial notice – December 18, 2020, December 30, 2020, and currently January 6, 2021. The current version of the Emergency Directive identifies a “malicious backdoor AKA TEARDROP or SUNBURST” and various Orion Platform versions affected by the hack. The current Emergency Directive also identifies follow up actions, including continuing to keep certain networks that ran the affected malware “and have evidence of follow-on threat actor activity” disconnected and to not rebuild or reimage the affected platforms and host operating systems pending consultation with CISA. This Emergency Directive also prohibits rejoining or joining the host operating system to the enterprise domain for those entities affected by the hack. Other Federal agency networks that did not use the platform or that only experienced “initial beaconing activity” and no follow-on activity are also required to take appropriate actions as specified by the Emergency Directive.
On March 3, 2021, the CISA issued a new Emergency Directive 21-02, Mitigate Microsoft Exchange On-Premises Product Vulnerabilities. This Emergency Directive identifies another incident involving active exploitation of vulnerabilities, this time involving Microsoft Exchange on-premises products. The Emergency Directive 21-02 advises that “Successful exploitation of these vulnerabilities allows an attacker to access on-premises Exchange Servers, enabling them to gain persistent system access and control of an enterprise network.” It provides that agencies are to conduct a forensic analysis, disconnect where indication of compromise is detected, and report, as well as other actions. Agencies that do not have expertise to conduct these types of actions are required to immediately report the incident to CISA.
While these Emergency Directives are aimed at Federal agencies, they also provide insight into APTs targeting the public sector contracting community. Forewarned is forearmed. Maintaining sound cyber hygiene, developing a cyber threat incident response plan, keeping abreast of developments and emerging threats, and taking appropriate action swiftly are essential to a company’s continued security.
The American Bar Association (ABA) Public Contract Law Section in conjunction with the ABA Cybersecurity, Privacy and Data Protection Committee, SciTech Homeland Security Committee, and the ABA Cybersecurity Legal Task Force are hosting a webinar on March 5th, to discuss the implications of SolarWinds and its impact on the supply chain on March 5th.
If you have questions about this blog, or other government contracting questions, contact the author or your Stinson counsel.