Federal agencies were ordered to disconnect servers that may have been compromised during the months-long suspected Russian hack of the Treasury and Commerce departments and to scan their networks for “malicious actors,” the Department of Homeland Security said.
“Tonight’s directive is intended to mitigate potential compromises within federal civilian networks, and we urge all our partners — in the public and private sectors — to assess their exposure to this compromise and to secure their networks against any exploitation,” the DHS’ Cybersecurity and Infrastructure Security Agency said in a statement late Sunday.
It’s only the fifth emergency directive issued by CISA since 2015.
The intrusion into the Treasury and Commerce department systems, first reported by Reuters, is believed to be connected to a breach at US cybersecurity firm FireEye.
The hackers may have infiltrated the systems by piggybacking on SolarWinds’ Orion platform, network-management software used by scores of government agencies and a majority of Fortune 500 companies.
The directive warned that the “compromise of SolarWinds’ Orion Network Management Products poses unacceptable risks to the security of federal networks.”
FireEye, according to the Associated Press, said its investigation into the hacking identified a “global campaign” that targeted governments and businesses in the private sector by inserting malware into SolarWinds updates beginning last spring.
The malware gave the hackers remote access to the compromised computer networks for months.
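The mechanism described above, malicious code inserted into a vendor's own updates, is what makes exposure hard to assess: a check that only asks whether the update is validly signed by the vendor passes, because the tampering happened before signing. The following Python is an added example (not SolarWinds, FireEye or CISA code) of the baseline comparison a responder would run instead: it diffs a delivered update against file hashes pinned from a known-good release and flags changed and unexpected files. The product name, file names, key and file contents are constructed for the example, and an HMAC stands in for the vendor's code-signing certificate.

```python
"""Update-integrity check for a poisoned-build scenario (added example).

Models the supply-chain case described in the article: a vendor's build
pipeline is compromised, so the backdoor ships inside a genuinely
vendor-signed update. The vendor signature therefore validates; only a
comparison against hashes pinned out of band (from a previously vetted
release) reveals the modified file and the extra module.

All names, keys and file contents below are constructed for illustration.
"""
import hashlib
import hmac

# Hypothetical vendor code-signing key. HMAC stands in for an X.509
# code-signing certificate: whoever holds the key produces valid signatures.
VENDOR_KEY = b"vendor-build-server-key"


def sha256_hex(data):
    return hashlib.sha256(data).hexdigest()


def vendor_sign(files):
    """Signature the (compromised) build server produces over the whole update."""
    mac = hmac.new(VENDOR_KEY, digestmod="sha256")
    for name in sorted(files):
        mac.update(name.encode() + b"\0" + files[name] + b"\0")
    return mac.hexdigest()


def vendor_signature_valid(files, signature):
    return hmac.compare_digest(vendor_sign(files), signature)


def check_against_manifest(files, manifest):
    """Compare a delivered update to independently pinned hashes.

    Returns (modified, unexpected, missing) as sorted lists of file names.
    """
    modified = sorted(
        n for n in files if n in manifest and sha256_hex(files[n]) != manifest[n]
    )
    unexpected = sorted(n for n in files if n not in manifest)
    missing = sorted(n for n in manifest if n not in files)
    return modified, unexpected, missing


def assess(files, signature, manifest):
    """Return a verdict a deployment gate or responder can act on."""
    modified, unexpected, missing = check_against_manifest(files, manifest)
    return {
        "vendor_signature_valid": vendor_signature_valid(files, signature),
        "modified": modified,
        "unexpected": unexpected,
        "missing": missing,
        "deploy": not (modified or unexpected or missing),
    }


# --- Constructed sample data -------------------------------------------------
# Known-good release as it left the pipeline before the compromise.
GOOD_UPDATE = {
    "NetMon.Core.dll": b"legit core logic v1.0",
    "NetMon.Web.dll": b"legit web logic v1.0",
}
# Hashes the customer pinned from that release and stored out of band.
PINNED_MANIFEST = {name: sha256_hex(data) for name, data in GOOD_UPDATE.items()}

# The next update, built after the pipeline was compromised: one legitimate
# file carries an embedded backdoor and one new module has been added.
TAMPERED_UPDATE = {
    "NetMon.Core.dll": b"legit core logic v1.0" + b"<backdoor: beacon to C2>",
    "NetMon.Web.dll": b"legit web logic v1.0",
    "NetMon.Telemetry.dll": b"<loader for stage 2>",
}
# Tampering happened before signing, so the vendor signature is genuine.
TAMPERED_SIGNATURE = vendor_sign(TAMPERED_UPDATE)


if __name__ == "__main__":
    verdict = assess(TAMPERED_UPDATE, TAMPERED_SIGNATURE, PINNED_MANIFEST)
    for key, value in verdict.items():
        print(f"{key}: {value}")
```

Running the block prints the verdict for the tampered update: the vendor signature checks out, NetMon.Core.dll is reported as modified, NetMon.Telemetry.dll as unexpected, and deploy is False. The limitation to keep in mind is that a pinned baseline only detects drift from a release you have already vetted; for a genuinely new version the reference hashes must come from a source independent of the vendor's delivery channel, or the reported differences have to be reviewed by hand.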
FireEye said it confirmed intrusions in North America, Europe, Asia and the Middle East.
SolarWinds said there was a “potential vulnerability” related to updates for its Orion software products released between March and June, and that it is working with the FBI, FireEye and the US intelligence community, the AP reported.
“We believe that this vulnerability is the result of a highly sophisticated, targeted and manual supply chain attack by a nation state,” SolarWinds CEO Kevin Thompson said in a statement.
The FBI is investigating whether a group connected to the Russian Foreign Intelligence Service, SVR, is behind the attacks, The Washington Post reported.
The cyberespionage group, known as APT29 or Cozy Bear, was behind the hacking of the State Department and White House in 2014 and of the Democratic National Committee during the 2016 presidential election.
Kremlin spokesman Dmitry Peskov denied that Russia was involved.
“Once again, I can reject these accusations,” Peskov told reporters. “If for many months the Americans couldn’t do anything about it, then, probably, one shouldn’t unfoundedly blame the Russians for everything.”
This article first appeared in the New York Post.