CSBS Issue Talking Points - March 2021
SolarWinds
Summary

A sophisticated supply chain attack occurred through the compromise of SolarWinds' IT monitoring and management products. The compromise of the SolarWinds Orion platform became public on Dec. 13, 2020, although it began at least as early as March 2020. The affected versions of SolarWinds products were downloaded at several U.S. government agencies, critical infrastructure entities and private sector organizations; the trojanized update reached up to 18,000 customer organizations, including at least eight government agencies and major firms such as Microsoft.

The threat actor has been identified as an Advanced Persistent Threat (APT) actor of Russian origin that has demonstrated an ability to exploit software supply chains and shown significant knowledge of Windows networks. The attack appears to be an intelligence gathering effort.

The threat actor compromised the SolarWinds Orion product by inserting a malicious version of the software into SolarWinds' update cycle. FireEye has named the resulting backdoor SUNBURST. The modified software was distributed between March and June 2020 as trusted software updates from the company, which is why it was installed without suspicion.

The following SolarWinds products were compromised and used as initial access vectors (see CISA Alert AA20-352A, https://us-cert.cisa.gov/ncas/alerts/aa20-352a):
o Orion Platform 2019.4 HF5, version 2019.4.5200.9083
o Orion Platform 2020.2 RC1, version 2020.2.100.12219
o Orion Platform 2020.2 RC2, version 2020.2.5200.12394
o Orion Platform 2020.2 and 2020.2 HF1, version 2020.2.5300.12432

Why it Matters to State Regulators

The Cybersecurity & Infrastructure Security Agency (CISA) has determined that this threat poses a grave risk to the federal government and to state, local, tribal and territorial governments, as well as to critical infrastructure entities and other private sector organizations. It is still unclear how much information was compromised, and details continue to emerge.
CISA issued both Alert AA20-352A and an Emergency Directive for federal agencies with detailed mitigation steps. All Significant Service Providers (SSPs) are aware of the CISA Alert and Emergency Directive and are reporting information to executive leadership. Communication to clients remains varied. To date, none of the SSPs have reported confirmed instances of unauthorized access, data exfiltration or command-and-control traffic indicative of malicious network activity, but many continue to threat hunt as the incident evolves.

Talking Points

Because information associated with this event is rapidly evolving, banks and service providers will be using their threat monitoring and risk assessment processes to continue to determine their impact and response. As bankers seek examiner advice, the following questions may be used (most are included in the resources below).
• Is the bank following its threat monitoring processes, and is it aware of this recent APT activity? There are government resources identified below that provide relevant information, and more will be issued as the situation evolves.
• Has the bank assessed risk to ascertain the impact to its organization?
• Has the bank's risk assessment extended to third-party service providers that connect to its systems?
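The first practical step behind the questions above is knowing which Orion installs, at the bank and at its service providers, run one of the builds listed in the Summary. The script below is an added example for examiners and is not part of the CSBS talking points or of any CISA tooling: it triages an inventory export of Orion installations against the affected build numbers from CISA Alert AA20-352A. The CSV layout (columns org, host, orion_build), the helper names and the sample rows are constructed assumptions. Blank or unparseable version fields are reported as "unknown" rather than treated as clean, because an install that cannot be identified still has to be verified by hand.

```python
"""Triage an inventory of SolarWinds Orion installs against the affected builds.

Added example, not from the CSBS talking points. The build numbers are the ones
listed in CISA Alert AA20-352A; the inventory CSV layout, the function names and
the sample rows are constructed assumptions for illustration.
"""
import csv
import io
import re

# Affected builds exactly as listed in CISA Alert AA20-352A.
AFFECTED_BUILDS = {
    "2019.4.5200.9083": "Orion Platform 2019.4 HF5",
    "2020.2.100.12219": "Orion Platform 2020.2 RC1",
    "2020.2.5200.12394": "Orion Platform 2020.2 RC2",
    "2020.2.5300.12432": "Orion Platform 2020.2 / 2020.2 HF1",
}

# Product names that map to those builds, for inventories that record only the name.
AFFECTED_NAMES = {
    "2019.4 hf5": "2019.4.5200.9083",
    "2020.2 rc1": "2020.2.100.12219",
    "2020.2 rc2": "2020.2.5200.12394",
    "2020.2": "2020.2.5300.12432",
    "2020.2 hf1": "2020.2.5300.12432",
}

# A full four-part build number, e.g. 2020.2.5300.12432.
BUILD_RE = re.compile(r"^\d{4}\.\d+\.\d+\.\d+$")


def resolve_build(value):
    """Normalise a reported version to a four-part build, or None if it cannot be resolved.

    Accepts either a full build number or an affected product name such as
    "Orion Platform 2020.2 HF1". Any other name form resolves to None because the
    build behind it is not known from the inventory alone.
    """
    v = (value or "").strip()
    if BUILD_RE.match(v):
        return v
    name = re.sub(r"^orion platform\s+", "", v.lower())
    name = re.sub(r"\s+", " ", name)
    return AFFECTED_NAMES.get(name)


def classify(value):
    """Return 'affected', 'not-listed' or 'unknown' for one reported version.

    'unknown' is deliberately not 'clean': a blank or unparseable field means the
    install still has to be verified on the host.
    """
    build = resolve_build(value)
    if build is None:
        return "unknown"
    return "affected" if build in AFFECTED_BUILDS else "not-listed"


def triage(csv_text):
    """Classify every row of an inventory CSV with columns org,host,orion_build."""
    results = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        reported = row.get("orion_build")
        build = resolve_build(reported)
        results.append({
            "org": row["org"],
            "host": row["host"],
            "reported": (reported or "").strip(),
            "build": build,
            "status": classify(reported),
            "product": AFFECTED_BUILDS.get(build, ""),
        })
    return results


def summarize(results):
    """Count rows per status so an examiner can see exposure at a glance."""
    counts = {"affected": 0, "not-listed": 0, "unknown": 0}
    for r in results:
        counts[r["status"]] += 1
    return counts


# Constructed sample inventory: fictitious institutions and hosts.
SAMPLE_INVENTORY = """org,host,orion_build
Bank A,orion01,2020.2.5300.12432
Bank B,orion-core,Orion Platform 2019.4 HF5
Service Provider C,npm-srv,2019.4.5100.9000
Bank D,mon01,
Bank E,orion02,2020.2 HF1
"""

if __name__ == "__main__":
    rows = triage(SAMPLE_INVENTORY)
    for r in rows:
        print(f"{r['org']:<20} {r['host']:<12} {r['status']:<10} {r['product']}")
    print(summarize(rows))
```

A "not-listed" result only means the reported build is not one of the four CISA listed; it is not evidence that the host is unaffected, and the examiner's follow-up questions on threat hunting and third-party connections still apply.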
FOR STATE REGULATOR USE ONLY