"CISA: Disconnect Internet for 3-5 Days to Evict SolarWinds Hackers From Network"
The US Cybersecurity and Infrastructure Security Agency (CISA) has provided guidance to organizations impacted by the SolarWinds attack, which includes steps for evicting the attackers from compromised networks. The sophisticated cyberespionage campaign, attributed to Russian Foreign Intelligence Service (SVR) actors, affected many US government agencies, security vendors, and other organizations. CISA's analysis report, AR21-134A, is tailored for federal agencies that used impacted versions of SolarWinds' Orion IT monitoring software and have discovered SolarWinds attacker activity in their environments. The report provides resource-intensive and highly complex steps that organizations should take to evict the adversaries from their compromised environments. These steps require disconnecting the enterprise network from the Internet for three to five days. The remediation plans outlined by CISA include steps to detect and identify adversary activity within the network, actions to remove the attacker from on-premises and cloud environments, and measures to ensure the success of the eviction operation. This article continues to discuss CISA's recently released eviction guidance for networks affected by the SolarWinds attack.