This page contains a web-friendly version of the Cybersecurity and Infrastructure Security Agency's Emergency Directive 21-01, "Mitigate SolarWinds Orion Code Compromise". See updated supplemental direction for the latest. For more information on SolarWinds-related activity, go to and.

Update: The U.S. Government attributes this activity to the Russian Foreign Intelligence Service (SVR). Additional information may be found in a statement from the White House.

December 2020
Mitigate SolarWinds Orion Code Compromise

Section 3553(h) of title 44, U.S. Code, authorizes the Secretary of Homeland Security, in response to a known or reasonably suspected information security threat, vulnerability, or incident that represents a substantial threat to the information security of an agency, to "issue an emergency directive to the head of an agency to take any lawful action with respect to the operation of the information system, including such systems used or operated by another entity on behalf of an agency, that collects, processes, stores, transmits, disseminates, or otherwise maintains agency information, for the purpose of protecting the information system from, or mitigating, an information security threat." 44 U.S.C. Section 2205(3) of the Homeland Security Act of 2002, as amended, delegates this authority to the Director of the Cybersecurity and Infrastructure Security Agency. § 655(3). Federal agencies are required to comply with these directives. These directives do not apply to statutorily-defined "national security systems" nor to systems operated by the Department of Defense or the Intelligence Community.

SolarWinds Orion products (affected versions are 2019.4 through 2020.2.1 HF1) are currently being exploited by malicious actors. This tactic permits an attacker to gain access to network traffic management systems. Disconnecting affected devices, as described below in Required Action 2, is the only known mitigation measure currently available.

CISA has determined that this exploitation of SolarWinds products poses an unacceptable risk to Federal Civilian Executive Branch agencies and requires emergency action. This determination is based on:

- Current exploitation of affected products and their widespread use to monitor traffic on major federal network systems
- High potential for a compromise of agency information systems

CISA understands that the vendor is working to provide updated software patches. However, agencies must wait until CISA provides further guidance before using any forthcoming patches to reinstall the SolarWinds Orion software in their enterprise.

Please refer to the MITRE ATT&CK framework for possible tactics the threat actors are using to maintain persistence in the environment.

This emergency directive requires the following actions:

1. Agencies that have the expertise to take the following actions immediately must do so before proceeding to Action 2. Agencies without this capability shall proceed to Action 2.

   a. Forensically image system memory and/or host operating systems hosting all instances of SolarWinds Orion versions 2019.4 through 2020.2.1 HF1. Analyze for new user or service accounts, privileged or otherwise.

   b. Analyze stored network traffic for indications of compromise, including new external DNS domains to which a small number of agency hosts (e.g., SolarWinds systems) have had connections.

2. Affected agencies shall immediately disconnect or power down SolarWinds Orion products, versions 2019.4 through 2020.2.1 HF1, from their network. Until such time as CISA directs affected entities to rebuild the Windows operating system and reinstall the SolarWinds software package, agencies are prohibited from (re)joining the Windows host OS to the enterprise domain.
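The network-traffic check in Action 1.b (new external DNS domains contacted by only a small number of hosts) can be scripted against stored resolver logs. The example below is added here and is not part of the directive: the log lines, the baseline set and the internal DNS suffix are constructed, and the host-count threshold of two is an assumed tuning value.

```python
import csv
from collections import defaultdict
from io import StringIO

# Constructed DNS resolver log (not from the directive): time, querying host, domain.
SAMPLE_DNS_LOG = """\
ts,src_host,query
2020-12-13T08:00:01Z,ws-001,sso.identity.example
2020-12-13T08:00:02Z,ws-002,sso.identity.example
2020-12-13T08:00:03Z,orion-01,sso.identity.example
2020-12-13T08:00:10Z,ws-001,cdn.widgets.example
2020-12-13T08:00:11Z,ws-002,cdn.widgets.example
2020-12-13T08:00:12Z,ws-003,cdn.widgets.example
2020-12-13T08:01:00Z,orion-01,updates.vendor.example
2020-12-13T08:01:05Z,orion-02,updates.vendor.example
2020-12-13T08:02:00Z,orion-01,rare-new-domain.example.
2020-12-13T08:02:30Z,orion-02,RARE-NEW-DOMAIN.example
2020-12-13T08:03:00Z,ws-004,printer-42.corp.internal
2020-12-13T08:04:00Z,ws-005,single-host.example
"""

# Constructed baseline: external domains already seen before the review window.
KNOWN_BASELINE = {"sso.identity.example", "updates.vendor.example"}

# Assumed internal DNS suffix; queries for it are not "external" for this check.
INTERNAL_SUFFIXES = (".corp.internal",)


def rare_new_domains(log_text, baseline, max_hosts=2):
    """Return {domain: sorted hosts} for external domains absent from the
    baseline that were queried by no more than max_hosts distinct hosts."""
    hosts_by_domain = defaultdict(set)
    for row in csv.DictReader(StringIO(log_text)):
        # Normalise case and a trailing root dot so variants collapse together.
        domain = row["query"].rstrip(".").lower()
        if domain in baseline or domain.endswith(INTERNAL_SUFFIXES):
            continue
        hosts_by_domain[domain].add(row["src_host"])
    # Domains reached by many hosts are noise here; keep the rarely contacted ones.
    return {d: sorted(h) for d, h in hosts_by_domain.items() if len(h) <= max_hosts}


if __name__ == "__main__":
    for domain, hosts in rare_new_domains(SAMPLE_DNS_LOG, KNOWN_BASELINE).items():
        print(f"{domain}: queried only by {', '.join(hosts)}")
```

Flagged domains are review candidates, not verdicts: confirm each against the imaged hosts from Action 1.a before acting on it.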