For:

Chief Executive Officers, Chief Information Officers, and Chief Information Security Officers of Regulated Entities

From:

Cybersecurity Departments, Department of Financial Services (DFS)

Subject:

Supply Chain Compromise Alert

Date:

December 18, 2020

On Sunday, December 13th, it was publicly reported that the Information Technology (IT) products and services company SolarWinds was hacked, and the Orion IT monitoring and management product was corrupted with sophisticated malware. This malware was subsequently spread through software updates to their customers around the globe, including financial services institutions. We are aware that several regulated entities are infected with this malware.

This intrusion is active and ongoing, and the adversary responsible for the compromise is sophisticated, well-resourced, and persistent. The Cybersecurity & Infrastructure Security Agency (CISA) has also warned, “the SolarWinds Orion supply chain compromise is not the only initial infection vector this APT actor leveraged,” and this adversary has compromised organizations that were not using SolarWinds Orion. (“CISA APT Alert”). In short, be prepared for other bad news to come.

It is important that regulated entities respond right away to assess the risk to their systems and consumers, and take the steps necessary to address vulnerabilities and customer impact. Part of your assessment should be to detect any internal use of the affected SolarWinds products and also any use of these products by third parties that have access to your network or your data. Regulated entities should also continue to track developments in this extraordinary compromise and respond quickly to new information.

The CISA APT Alert, published on December 17, 2020, contains detailed information on indicators of compromise and mitigation recommendations. As you evaluate your risk and respond to this supply chain compromise, we recommend reviewing the CISA APT Alert and the following resources:

You should notify the Department if your institution was directly impacted by the affected SolarWinds Orion products or if your institution has been notified of an impact by any affiliate[1] who has access to your network or your nonpublic information. The Department’s cybersecurity regulation requires notice of any Cybersecurity Event which has “a reasonable likelihood of materially harming any material part of the normal operation(s).” 23 NYCRR 500.17(a)(2). Given the sophistication and persistence of the malware and the adversary, we ask any affected institution to file a notice immediately. Instructions on how to file notice of a Cybersecurity Event and specific information requested as part of this incident are detailed below.

Addressing this far-reaching compromise will be a significant challenge for New York’s financial services industry. The Department is committed to assisting your response and recovery efforts, and we are working closely with our government and state partners to provide you with actionable and current guidance.

Any questions or comments regarding this incident should be directed to [email protected]

Sincerely,

 

Justin S. Green
Executive Deputy Superintendent, Cybersecurity Section


[1] See 23 NYCRR 500.01(a) for the definition of affiliate.


Instructions on filing a supply chain compromise notice with DFS

File a notice immediately if your institution used an affected SolarWinds Orion product or if your institution has been notified that any affiliate that had access to your network or your nonpublic information used an affected product.

Go to the DFS cyber portal linked here:  https://myportal.dfs.ny.gov/web/cybersecurity/

Provide the following information, at a minimum:

  1. Indicate the affected SolarWinds Orion product(s) used and include the specific version(s).
  2. Indicate any other SolarWinds products that are also used.
  3. Have you disconnected from your network or powered down the affected SolarWinds products?
  4. Have you patched the affected SolarWinds products?
  5. Have you been notified by an affiliate or a third party who has access to your network or your nonpublic information that the affiliate or third party used an affected SolarWinds product?
  6. If the answer to question 5 is yes, identify the affiliate or third party and the name and version of the affected product used.
  7. In the contact field, provide the name and contact information of an individual at your institution who is qualified to discuss this matter with DFS.