This message is intended for U-M IT staff who are responsible for university devices and networks. It was sent to U-M IT staff groups via email on December 18, 2020.
Summary
A nation-state advanced persistent threat (APT) actor compromised the SolarWinds Orion platform. SolarWinds is a provider of IT and network monitoring and management tools. The compromise allowed the threat actor to place malware in SolarWinds update packages, which then led to compromises of U.S. government agencies, critical infrastructure entities, and private sector organizations.
Contact ITS Information Assurance (IA) if you are running compromised SolarWinds software or need assistance in understanding whether you are. Send email to security@umich.edu.
Problem
The compromised versions of SolarWinds Orion allow threat actors to infiltrate IT systems, which puts organizations at risk for other malicious actions and activities. Information Technology Services (ITS) and Health Information Technology & Services do not use SolarWinds software products. ITS Information Assurance has identified some units running (currently) unaffected SolarWinds products, and one unit that was using the affected software.
Affected Versions
The SolarWinds Orion platform. The Cybersecurity and Infrastructure Security Agency (CISA) is investigating additional initial access vectors beyond the SolarWinds Orion platform.
Action Items
- Contact IA (send email to security@umich.edu) if you may have been running compromised versions of SolarWinds.
- If your unit uses SolarWinds software:
- Check the lists of impacted software. See "Appendix A: Affected SolarWinds Orion Products" in the CISA alert for a list of impacted software.
- If your unit uses or has used compromised versions of SolarWinds software:
- Review the available information and examine systems for evidence of unauthorized access.
Threats
SolarWinds Orion typically leverages a significant number of highly privileged accounts and access to perform normal business functions. Successful compromise of one of these systems can therefore enable further action and privileges in any environment where these accounts are trusted. CISA expects that removing the threat actor from compromised environments will be highly complex and challenging.
Technical Details
Technical details are available in the alert published by CISA: Advanced Persistent Threat Compromise of Government Agencies, Critical Infrastructure, and Private Sector Organizations (Alert AA20-352A).
How We Protect U-M
- ITS Information Assurance (IA) has engaged with U-M units known to use SolarWinds software.
- Please contact IA if your unit uses SolarWinds and you are not already working with IA on remediation.
Information for Users
SolarWinds Orion is networking software not typically used or managed by end users.
In general, the best protection for your devices is this: keep your software and apps up-to-date, do not click suspicious links in email, do not open shared documents or email attachments unless you are expecting them and trust the person who sent them, and only use secure, trusted networks. For more information, see Phishing & Suspicious Email, Secure Your Devices, and Secure Your Internet Connection on the U-M Safe Computing website.
- Advanced Persistent Threat Compromise of Government Agencies, Critical Infrastructure, and Private Sector Organizations, Alert AA20-352A (Cybersecurity and Infrastructure Security Agency (CISA), 12/17/20)
- US cybersecurity agency warns suspected Russian hacking campaign broader than previously believed (CNN Politics, 12/18/20)
- SolarWinds cyber attack is 'grave risk' to global security (Computer Weekly, 12/18/20)
- Microsoft president calls SolarWinds hack an "act of recklessness" (Ars Technica, 12/18/20)
- The Strategic Implications of SolarWinds (Lawfare, 12/18/20)
- Microsoft identifies more than 40 organizations targeted in massive cyber breach (CNN Politics, 12/17/20)
- The suspected Russian hack of the US government, explained (CNN Politics, 12/17/20)