CISA Issues "Urgent Message" on Cyber Threat to Government and Businesses
On December 18, 2020, the Cybersecurity and Infrastructure Security Agency ("CISA") held an emergency briefing call, updating the emergency directive issued last weekend about a critical threat to government and private businesses.
On December 13, 2020, CISA issued an Emergency Directive and followed, on December 17, 2020, with Alert (AA20-352A) that reported a cyber attack on United States government agencies, critical infrastructure entities, and private sector organizations by an advanced persistent threat ("APT") actor, beginning in at least March 2020. According to CISA, "[t]his APT actor has demonstrated patience, operational security, and complex tradecraft in these intrusions."
One of the initial attack vectors leverages a supply chain compromise of the SolarWinds Orion software suite. The software suite itself includes application monitoring and network configuration tools, which, if compromised, may allow the attacker to gain privileged access across a network. CISA thus ordered affected agencies of the United States government to "immediately disconnect or power down" two versions of SolarWinds Orion products from their networks. CISA emphasized that "removing this threat actor from compromised environments will be highly complex and challenging for organizations." The SolarWinds Orion supply chain compromise is not the only threat vector used by the APT actor.
On December 18, 2020, CISA held an emergency briefing call, during which the following key updates were discussed:
- The threat poses a grave risk to government agencies, critical infrastructure entities, and a variety of private sector organizations. The threat actor is extremely sophisticated and well-resourced.
- Organizations with suspected compromises need to be highly conscious of operational security.
- Any organizations that see indicators that the threat has been operationalized should retain an experienced third-party forensic vendor to assist them.
SolarWinds, CISA, and the cybersecurity industry are rapidly releasing intelligence and potential remedial countermeasures to this sophisticated and broad attack.
The attack highlights the need for potentially affected companies to promptly investigate and remediate. More broadly, it serves as a reminder of escalating cybersecurity risk as threat actors develop attack methods of increasing complexity and sophistication.
Jones Day publications should not be construed as legal advice on any specific facts or circumstances. The contents are intended for general information purposes only and may not be quoted or referred to in any other publication or proceeding without the prior written consent of the Firm, to be given or withheld at our discretion. To request reprint permission for any of our publications, please use our “Contact Us” form, which can be found on our website at www.jonesday.com. The mailing of this publication is not intended to create, and receipt of it does not constitute, an attorney-client relationship. The views set forth herein are the personal views of the authors and do not necessarily reflect those of the Firm.