CISA ordered all nonmilitary governmental systems running the Orion software to both stop running the software and, critically, disconnect these computers from the rest of the network by noon today. This is simply the first step in a remediation process through which the network administrators seek to restore operations.
But the attacker’s ability to entrench itself in the network further amplifies the problem faced by those rebuilding. If the SAML identity provider (SAML being a protocol for federated authentication) or the Active Directory domain controllers (the directory service that manages accounts and access on a Windows network) have been compromised, there is a significant possibility that the attacker used the initial foothold to spread throughout the entire network. Whoever holds the SAML token-signing key or domain administrator rights can mint valid credentials for any account, so removing the Orion hosts alone does not evict them.
Which means that more than a few networks are going to have to take drastic measures. To quote the movie Aliens: “Take off and nuke the entire site from orbit—it’s the only way to be sure.” That is, they will need to start from scratch: reinstall systems, issue fresh credentials and signing keys, and then re-add authorized users, rather than trying to verify that every attacker account and backdoor was removed successfully.