On Sunday, December 13th, it was publicly reported the Information Technology (IT) products and services company SolarWinds was hacked, and the Orion IT monitoring and management product was corrupted with sophisticated malware.  This malware was then spread through software updates to their customers around the globe, including financial services institutions.  We are aware that several regulated entities were infected with this malware.

This intrusion is active and ongoing, and the adversary responsible for the compromise is sophisticated, well-resourced, and persistent.  The Cybersecurity & Infrastructure Security Agency (CISA) has also advised, “the SolarWinds Orion supply chain compromise is not the only initial infection vector this APT actor leveraged,” and this adversary has compromised organizations that were not using SolarWinds Orion.  (“CISA APT Alert”).  In short, be prepared for more bad news to come.

It is important that regulated entities respond immediately to assess the risk to their systems and consumers, and take steps necessary to address vulnerabilities and customer impact.  Part of your assessment should be to identify any internal usage of the affected SolarWinds products and any usage of these products by third parties that have access to your network or your data.  Regulated entities should also continue to track developments in this extraordinary compromise and respond quickly to new information.

The CISA APT Alert, published on December 17, 2020, contains detailed information on indicators of compromise and mitigation recommendations. As you assess your risk and respond to this supply chain compromise, we recommend reviewing the CISA APT Alert and the following resources: 

• CISA: Active Exploitation of SolarWinds Software
• SolarWinds Security Advisory
• FireEye Advisory: Highly Evasive Attacker Leverages SolarWinds Supply Chain to Compromise Multiple Global Victims With SUNBURST Backdoor
• CISA Emergency Directive 21-01: Mitigate SolarWinds Orion Code Compromise
• SolarWinds: Secure Configuration for the Orion Platform Version 2020.2.1
• Microsoft: Customer Guidance on Recent Nation-State Cyber Attacks

You should notify the Department if your institution was directly impacted by the affected SolarWinds Orion products or if your institution has been notified of an impact by any affiliate^[1] who has access to your network or your nonpublic information.  The Department’s cybersecurity regulation requires notice of any Cybersecurity Event that has “a reasonable likelihood of materially harming any material part of the normal operation(s).”  23 NYCRR 500.17(a)(2).  Given the sophistication and persistence of the malware and the adversary, we ask any affected institution to file a notice immediately.  Instructions on how to file notice of a Cybersecurity Event and specific information requested as part of this incident are detailed below.

Addressing this far-reaching compromise will be a significant challenge for New York’s financial services industry.  The Department is committed to assisting your response and recovery efforts, and we are working closely with our federal and state partners to provide you with actionable and timely guidance.

Any questions or comments regarding this incident should be directed to [email protected]. 

Sincerely,

Justin S. Herring
Executive Deputy Superintendent, Cybersecurity Division

^[1] See 23 NYCRR 500.01(a) for the definition of affiliate.

Instructions on filing a supply chain compromise notice with DFS

File a notice immediately if your institution used an affected SolarWinds Orion product or if your institution has been notified that any affiliate that has access to your network or your nonpublic information used an affected product.

Go to the DFS cyber portal linked here:  https://myportal.dfs.ny.gov/web/cybersecurity/

Submit the following information, at a minimum:

1. Indicate the affected SolarWinds Orion product(s) used and include the specific version(s).
2. Indicate any other SolarWinds products that are also used.
3. Have you disconnected from your network or powered down the affected SolarWinds products?  
4. Have you patched the affected SolarWinds products?
5. Have you been notified by an affiliate or a third party who has access to your network or your nonpublic information that the affiliate or third party used an affected SolarWinds product? 
6. If the answer to question 5 is yes, identify the affiliate or third party and the name and version of the affected product used.
7. In the contact field, provide the name and contact information of an individual at your institution who is qualified to discuss this matter with DFS.