Action Steps Surrounding SolarWinds Orion Compromise

The Department of Homeland Security recently published an alert regarding SolarWinds Orion products that have been exploited by malicious actors: 'This tactic permits an attacker to gain access to network traffic management systems.'

Organizations can proactively determine whether they are at greater risk for this specific type of infection. Here’s what you should do:

  1. Validate your version of SolarWinds Orion (affected versions are 2019.4 through 2020.2.1 HF1)
  2. Investigate for indicators of compromise as outlined in DHS Emergency Directive 21-01
    1. [SolarWinds.Orion.Core.BusinessLayer.dll] with a file hash of [b91ce2fa41029f6955bff20079468448]
    2. [C:\WINDOWS\SysWOW64\netsetupsvc.dll]
  3. If any indicators are identified, forensically image the impacted system(s) and work to understand impacts and enact your incident response plan.
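The three steps above can be run as a single host triage script. The following is an added example written for this page, not a script from DHS or GreyCastle; it assumes the default Orion install path under `C:\Program Files (x86)\SolarWinds\Orion` and uses only the hash and file path listed above.

```powershell
# Added triage script (not from the DHS directive or GreyCastle). Assumes the
# default Orion install directory; adjust $OrionDir if Orion lives elsewhere.
$OrionDir    = 'C:\Program Files (x86)\SolarWinds\Orion'        # assumed default path
$TargetDll   = Join-Path $OrionDir 'SolarWinds.Orion.Core.BusinessLayer.dll'
$KnownBadMd5 = 'b91ce2fa41029f6955bff20079468448'               # MD5 from the alert
$DroppedDll  = 'C:\WINDOWS\SysWOW64\netsetupsvc.dll'             # path from the alert

$findings = @()

if (Test-Path $TargetDll) {
    # Step 1: read the product version embedded in the Orion DLL and record it
    # so it can be compared against the affected range (2019.4 - 2020.2.1 HF1).
    $ver = (Get-Item $TargetDll).VersionInfo.ProductVersion
    $findings += [pscustomobject]@{ Check = 'OrionProductVersion'; Value = $ver; Hit = $null }

    # Step 2a: hash the DLL and compare (case-insensitively) to the known-bad MD5.
    # A mismatch is not a clean bill: ED 21-01 lists further indicators to review.
    $md5 = (Get-FileHash -Path $TargetDll -Algorithm MD5).Hash
    $findings += [pscustomobject]@{
        Check = 'BusinessLayerDllMd5'; Value = $md5; Hit = ($md5 -ieq $KnownBadMd5)
    }
} else {
    $findings += [pscustomobject]@{ Check = 'OrionInstall'; Value = 'not found'; Hit = $false }
}

# Step 2b: the mere presence of netsetupsvc.dll in SysWOW64 is the indicator.
$findings += [pscustomobject]@{
    Check = 'NetSetupSvcDllPresent'; Value = $DroppedDll; Hit = (Test-Path $DroppedDll)
}

$findings | Format-Table -AutoSize

# Step 3: do not delete or quarantine anything here. If any check hit, preserve
# the evidence (forensic image) and hand off to the incident response plan.
if ($findings | Where-Object { $_.Hit -eq $true }) {
    Write-Warning 'Indicator(s) present: isolate the host, image it, and invoke the IR plan.'
    exit 2
}
exit 0
```

Run it from an elevated PowerShell prompt; a non-zero exit code signals that at least one indicator was found on the host.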

If you believe you are experiencing a security incident, call our incident response hotline immediately: (800) 403-8350.

GreyCastle Security can evaluate your infrastructure to proactively identify, classify, and remediate security threats which may otherwise go undetected. GreyCastle Security's Compromise Assessment will proactively identify and respond to a security incident. The Compromise Assessment will assess your environment to determine if threats are present or at imminent risk for a security incident. To learn more about the GreyCastle Security Compromise Assessment, please send an email to