CISA: Disconnect Internet for 3-5 Days to Evict SolarWinds Hackers From Network

The United States Cybersecurity and Infrastructure Security Agency (CISA) has published guidance detailing the steps that organizations affected by the SolarWinds attack should take to ensure they evict the attackers from compromised environments.

The sophisticated cyberespionage campaign, which was brought to light in December 2020, abused SolarWinds’ Orion IT monitoring software for initial compromise, and affected multiple government agencies in the U.S., security vendors, and various other organizations.

In April, the U.S. attributed the attack to the Russian Foreign Intelligence Service (SVR), expelled 10 Russian diplomats, and announced sanctions against numerous entities.

Tailored for federal agencies that used affected versions of SolarWinds Orion and that discovered adversary activity within their environments (Category 3 agencies), the newly published analysis report, AR21-134A, details resource-intensive and highly complex steps that will require disconnecting the enterprise network from the internet for three to five days.

“In order to have fully informed senior-level support, CISA recommends that agency senior leadership conduct planning sessions throughout this process to understand the resources needed and any potential disruption in business operations,” CISA said.

Critical infrastructure, government organizations, and private sector entities are encouraged to review and apply the guidance to evict the attackers from their networks and strengthen security.

Remediation plans detailed by CISA include actions to detect and identify adversary activity within the network, steps to remove the attacker from on-premises and cloud environments, and actions to ensure that the eviction operation was successful.

“Conducting each step in this guidance is necessary to fully evict the adversary from Category 3 networks. Failure to perform comprehensive and thorough remediation activity will expose enterprise networks and cloud environments to substantial risk for long-term undetected APT activity, and compromised organizations will risk further loss of sensitive data and erosion of public trust in their networks,” CISA notes.

In addition to publishing the guidance, CISA made public Emergency Directive (ED) 21-01 Supplemental Direction v4, which was issued in April to all federal agencies affected by the SolarWinds compromise, and which asks agencies to disconnect affected SolarWinds Orion products and perform compromise detection and remediation operations.

Related: SolarWinds Shares More Information on Cyberattack Impact, Initial Access Vector

Related: More Countries Officially Blame Russia for SolarWinds Attack

Related: US-UK Gov Warning: SolarWinds Attackers Add Open-Source PenTest Tool to Arsenal

Ionut Arghire is an international correspondent for SecurityWeek.