ADVISORY: Contact IA if your unit uses SolarWinds software

Friday, December 18, 2020

This message is intended for U-M IT staff who are responsible for university devices and networks. It was sent to U-M IT staff groups via email on December 18, 2020.

Summary

A nation-state advanced persistent threat (APT) actor compromised the SolarWinds Orion platform. SolarWinds is a provider of IT and network monitoring and management tools. The compromise allowed the threat actor to place malware in SolarWinds update packages, which then led to compromises of U.S. government agencies, critical infrastructure entities, and private sector organizations.

Contact ITS Information Assurance (IA) if you are running compromised SolarWinds software or need assistance in understanding whether you are. Send email to security@umich.edu.

Problem

The compromised versions of SolarWinds Orion allow threat actors to infiltrate IT systems, which puts organizations at risk for other malicious actions and activities. Information Technology Services (ITS) and Health Information Technology & Services do not use SolarWinds software products. ITS Information Assurance has identified some units running (currently) unaffected SolarWinds products, and one unit that was using the affected software.

Affected Versions

The SolarWinds Orion platform. The Cybersecurity and Infrastructure Security Agency (CISA) is investigating additional initial access vectors beyond the SolarWinds Orion platform.

Action Items

  • Contact IA (send email to security@umich.edu) if you may have been running compromised versions of SolarWinds.
  • If your unit uses SolarWinds software:
    • Check the lists of impacted software. See "Appendix A: Affected SolarWinds Orion Products" in the CISA alert for a list of impacted software.
  • If your unit uses or has used compromised versions of SolarWinds software:
    • Review the available information and examine systems for evidence of unauthorized access.

Threats

SolarWinds Orion typically leverages a significant number of highly privileged accounts and access to perform normal business functions. Successful compromise of one of these systems can therefore enable further action and privileges in any environment where these accounts are trusted. CISA expects that removing the threat actor from compromised environments will be highly complex and challenging.

How We Protect U-M

  • ITS Information Assurance (IA) has engaged with U-M units known to use SolarWinds software.
  • Please contact IA if your unit uses SolarWinds and you are not already working with IA on remediation.

Information for Users

SolarWinds Orion is networking software not typically used or managed by end users.

In general, the best protection for your devices is this: keep your software and apps up-to-date, do not click suspicious links in email, do not open shared documents or email attachments unless you are expecting them and trust the person who sent them, and only use secure, trusted networks. For more information, see Phishing & Suspicious Email, Secure Your Devices, and Secure Your Internet Connection on the U-M Safe Computing website.