By Tatiana Prophet

One week after a U.S. government cyber-security contractor announced their own ‘hacking’ tools had been stolen by a nation-level hacking operation, the U.S. Cyber Security and Infrastructure Security Agency has instructed all civilian government agencies to "identify and shut off instances of SolarWinds Orion software running or connected to any government system."

FireEye, the Silicon Valley cyber security firm, said hackers stole the tools they use to detect vulnerabilities in their clients. Apparently the hackers used these tools to inject malware into SolarWinds Orion software, used by hundreds of thousands of public and private clients around the world including in the United States.

Dominion Voting Systems, implemented in 28 U.S. states for the 2020 election, uses SolarWinds technology for at least one operation: a password-protected file sharing page. Internet sleuths posted links and screenshots of SolarWinds Worldwide LLC and logo at the bottom of a Dominion web page. By the end of the day the logo was removed but the link to SolarWinds’ Serv-U page was still there (click on Serv-U at bottom). And the Dominion-SolarWinds page can still be seen on the Internet Wayback Machine.

SolarWinds, begun in 2005, specializes in remote access networking. According to an advisory issued today, the company recently learned that their software was the victim of a malware infection.

CISA is the agency whose head, Christopher Krebs, announced that the 2020 election was the most secure in history, before being fired by President Donald Trump.

FireEye conducts cyber security for “more than 1,000 government and law enforcement agencies.”

Solarwinds’ international clients include U.K. National Health Service, European Parliament and NATO, according to its website. Yet Bloomberg in its headline today called SolarWinds an “obscure Texas IT vendor.”

According to FireEye CEO Kevin Mandia, the hackers were “a nation with top-tier offensive capabilities,” Bloomberg reported Dec. 9, adding that “a person familiar with the incident said “investigators believe hackers closely aligned with the Russian government were behind it.

CISA’s order states:
Affected agencies shall immediately disconnect or power down SolarWinds Orion products, versions 2019.4 through 2020.2.1 HF1, from their network. Until such time as CISA directs affected entities to rebuild the Windows operating system and reinstall the SolarWinds software package, agencies are prohibited from (re)joining the Windows host OS to the enterprise domain. Affected entities should expect further communications from CISA and await guidance before rebuilding from trusted sources utilizing the latest version of the product available. Additionally:

a. Block all traffic to and from hosts, external to the enterprise, where any version of SolarWinds Orion software has been installed.

b. Identify and remove all threat actor-controlled accounts and identified persistence mechanisms.

As for SolarWinds, the company issued an advisory telling clients to install a software update ASAP.