CISA issues rare emergency directive after suspected Russian hacking campaign

The Cybersecurity and Infrastructure Security Agency (CISA) issued an "emergency directive" late Sunday requiring all federal civilian agencies to review their networks and immediately disconnect SolarWinds Orion software products, following a suspected Russian hack on the Treasury and Commerce Department.

Why it matters: It's only the fifth time since 2015 that the Department of Homeland Security has issued such a directive, per AP, underscoring the concerns officials have about an operation that one cybersecurity expert warned could turn out to be "one of the most impactful espionage campaigns on record."

The big picture: News of the hack came less than week after cybersecurity company FireEye revealed that nation-state hackers had penetrated its network and stolen its hacking its tools.

• The Washington Post reported that the Russian hacking group APT29, also known as Cozy Bear and believed to have ties to Russia's Foreign Intelligence Service (SVR), is behind the campaign.
• SolarWinds, the company whose software is believed to have been compromised, says it has 300,000 customers worldwide, including "all five branches of the U.S. military, the Pentagon, the State Department, NASA, the National Security Agency, the Department of Justice and the White House," per AP.

What they're saying: "Based on our analysis, we have now identified multiple organizations where we see indications of compromise dating back to the Spring of 2020, and we are in the process of notifying those organizations," FireEye wrote in a blog post.

• "Our analysis indicates that these compromises are not self-propagating; each of the attacks require meticulous planning and manual interaction.

Worth noting: President Trump fired the previous director of CISA, Christopher Krebs, last month after Krebs undermined him by calling the U.S. election "the most secure in American history."