The National Cyber Security Council (NCSC) has pointed organisations possibly affected by an attack on the Orion monitoring network towards advice provided by the company, security specialist FireEye and Microsoft.
This follows a confirmation by Orion’s supplier SolarWinds last week that the network, widely used in the UK public sector, has been subject to a sophisticated supply chain attack that was likely conducted by an outside nation state.
SolarWinds has recommended an upgrade to the latest Orion Platform version 2020.2.1 HF 1. It has also provided guidelines for a secure configuration of the platform if an upgrade is not immediately possible.
An NCSC spokesperson said: “The NCSC is working closely with FireEye and international partners on this incident.
“Investigations are ongoing, and we are working extensively with partners and stakeholders to assess any U.K. impact.
“The NCSC recommends that organisations read FireEye’s update on their investigation and follow the company’s suggested security mitigations.”
State sponsored attack
FireEye highlighted the intrusion after the attackers gained access to its own network. Its latest response says it has identified a global campaign that introduces a compromise into the networks of public and private organisations through the software supply chain. This is delivered through updates to SolarWinds’ Orion infrastructure management software and demonstrates “top tier operational tradecraft and resourcing consistent with state sponsored threat actors”.
NCSC has also pointed organisations towards Microsoft’s statement, which says it has been looking for indicators of an attack in its environment but to date has not found any evidence.
SolarWinds lists a range of UK public sector agencies among its clients, including several NHS trusts, the Cabinet Office, the Ministry of Justice, HM Government Communications Centre and Royal Air Force, Defence Equipment and Support.
Responding to concerns about the possible effects on the health service, a spokesperson for NHS Digital said: “SolarWinds' widely used Orion IT platform has been the subject of a supply chain compromise by an unidentified source. We have issued a high severity alert to the NHS which explains the action to take to mitigate this threat and we urge organisations to read and follow these instructions promptly.”