Government agencies, service providers and enterprises are being ordered to turn off or quarantine the Orion IT and networking monitoring software from SolarWinds after it was compromised by unknown hackers.
Texas-headquartered SolarWinds has admitted that around 18,000 organisations globally downloaded the rogue software, and that it had been infected since March this year, when the pandemic took a grip.
It first came to light when cyber security vendor FireEye, itself a SolarWinds customer, declared it had been the victim of a cyber attack, initially without publicly putting SolarWinds in the frame.
The compromised software contains the tooling that allows the hackers into the networks of the organisations that downloaded it; the attackers first breached SolarWinds' own systems in order to insert that tooling.
The large majority of those affected by the attacks are in the US, but companies in Europe are also reportedly affected.
The Federal Bureau of Investigation, the US Cybersecurity and Infrastructure Security Agency (CISA) and the US Office of the Director of National Intelligence (ODNI) have joined forces to co-ordinate the US response to the hacks.
They said: “This is a developing situation, and while we continue to work to understand the full extent of this campaign, we know this compromise has affected networks within the federal government. The FBI is investigating and gathering intelligence in order to attribute, pursue and disrupt the responsible threat actors.
“CISA took immediate action [this week] and issued an Emergency Directive instructing federal civilian agencies to disconnect or power down affected SolarWinds Orion products from their network.”
The UK National Cyber Security Centre has issued the following guidance to organisations affected by the hack:
“SolarWinds Orion has been compromised and may be used for onward attacks against systems connected to the product. An attacker has been able to add a malicious, unauthorised modification to SolarWinds Orion products which allows them to send administrator-level commands to any affected installation.
“This modification causes the Orion products to connect to an attacker-controlled server to request instructions and does not rely on the attacker being able to directly connect from the internet to the Orion server.”
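The NCSC guidance above makes a point a defender can act on: the modified product reaches out to an attacker-controlled server for instructions, so the place to look is the outbound traffic of the monitoring server itself, not inbound connections to it. The following Python is an added example, not code from the article, from SolarWinds or from the NCSC. It assumes a constructed key=value proxy/firewall log format, a placeholder monitoring-server address and a placeholder egress allowlist (internal ranges plus one hypothetical vendor host); it flags and counts flows from that server to destinations outside the allowlist.

```python
import ipaddress
import re
from collections import Counter
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional

# Constructed example values: the monitoring server's address and the egress
# destinations it is expected to reach. Placeholders, not real infrastructure.
MONITORING_SERVER = "10.20.0.5"
ALLOWED_NETWORKS = [
    ipaddress.ip_network("10.0.0.0/8"),      # the internal estate it monitors
    ipaddress.ip_network("192.168.0.0/16"),
]
ALLOWED_HOSTS = {"updates.vendor.example"}   # hypothetical vendor update host

# Constructed log format: "<timestamp> src=<ip> dst=<ip> dport=<port> [host=<name>]".
LOG_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>\S+) dst=(?P<dst>\S+) dport=(?P<dport>\d+)"
    r"(?: host=(?P<host>\S+))?"
)


@dataclass(frozen=True)
class Flow:
    ts: str
    src: str
    dst: str
    dport: int
    host: Optional[str]


def parse_line(line: str) -> Optional[Flow]:
    """Parse one log line; malformed lines yield None rather than an exception."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    return Flow(m["ts"], m["src"], m["dst"], int(m["dport"]), m["host"])


def is_allowed_destination(flow: Flow) -> bool:
    """A destination is expected if its host name is allowlisted or its IP is internal."""
    if flow.host in ALLOWED_HOSTS:
        return True
    try:
        addr = ipaddress.ip_address(flow.dst)
    except ValueError:
        return False
    return any(addr in net for net in ALLOWED_NETWORKS)


def unexpected_egress(lines: Iterable[str], server: str = MONITORING_SERVER) -> Dict[str, int]:
    """Count outbound flows from the monitoring server to destinations not on the allowlist.

    Keys are "<host-or-ip>:<port>"; repeated hits to one key are the pattern a
    server polling an external host for instructions would leave behind.
    """
    counts = Counter()
    for line in lines:
        flow = parse_line(line)
        if flow is None or flow.src != server:
            continue  # other hosts, or lines we could not parse, are out of scope here
        if not is_allowed_destination(flow):
            counts[f"{flow.host or flow.dst}:{flow.dport}"] += 1
    return dict(counts)


# Constructed sample log: SNMP polling of an internal device, one vendor update
# check, three regularly spaced connections to an unknown external host, one
# flow from a different internal machine, and a malformed line.
SAMPLE_LOG: List[str] = [
    "2020-12-14T10:00:01Z src=10.20.0.5 dst=10.20.1.10 dport=161",
    "2020-12-14T10:00:05Z src=10.20.0.5 dst=203.0.113.7 dport=443 host=updates.vendor.example",
    "2020-12-14T10:05:00Z src=10.20.0.5 dst=198.51.100.23 dport=443 host=api.unknown-cloud.example",
    "2020-12-14T10:17:00Z src=10.20.0.5 dst=198.51.100.23 dport=443 host=api.unknown-cloud.example",
    "2020-12-14T10:29:00Z src=10.20.0.5 dst=198.51.100.23 dport=443 host=api.unknown-cloud.example",
    "2020-12-14T10:30:00Z src=10.20.2.9 dst=198.51.100.23 dport=443 host=api.unknown-cloud.example",
    "this line is not in the expected format",
]

if __name__ == "__main__":
    for destination, hits in unexpected_egress(SAMPLE_LOG).items():
        print(f"unexpected egress from {MONITORING_SERVER}: {destination} ({hits} flows)")
```

The allowlist is the whole point: a monitoring server has a small, predictable set of places it needs to talk to, which makes any new external destination worth a look on its own, before anyone knows an indicator to search for. The flow from the second internal machine is deliberately ignored so that the check stays scoped to the host the guidance is about.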
SolarWinds has told its customers to upgrade to the latest version of its software to help mitigate the issue.
National security agencies have so far not publicly attributed the attack to any particular actor.