AA20-352A: Advanced Persistent Threat Compromise of Government Agencies, Critical Infrastructure, and Private Sector Organizations


This Alert uses the MITRE Adversarial Tactics, Techniques, and Common Knowledge (ATT&CK®) version 8 framework. See the ATT&CK for Enterprise version 8 for all referenced threat actor tactics and techniques.


The Cybersecurity and Infrastructure Security Agency (CISA) is aware of compromises of U.S. government agencies, critical infrastructure entities, and private sector organizations by an advanced persistent threat (APT) actor beginning in at least March 2020. This APT actor has demonstrated patience, operational security, and complex tradecraft in these intrusions. CISA expects that removing this threat actor from compromised environments will be highly complex and challenging for organizations.


One of the initial access vectors for this activity is a supply chain compromise of the following SolarWinds Orion products (see Appendix A).


  • Orion Platform 2019.4 HF5, version 2019.4.5200.9083

  • Orion Platform 2020.2 RC1, version 2020.2.100.12219

  • Orion Platform 2020.2 RC2, version 2020.2.5200.12394

  • Orion Platform 2020.2, 2020.2 HF1, version 2020.2.5300.12432

  • Note (updated December 18, 2020): CISA has evidence of initial access vectors other than the SolarWinds Orion platform. We are investigating incidents in which activity indicating abuse of SAML tokens is present, yet where impacted SolarWinds instances have not been identified. CISA is working to confirm initial access vectors and identify any changes to the TTPs. CISA will update this Alert as new information becomes available.


    On December 13, 2020, CISA released Emergency Directive 21-01: Mitigate SolarWinds Orion Code Compromise, ordering federal civilian executive branch departments and agencies to disconnect affected devices. Note: this Activity Alert does not supersede the requirements of Emergency Directive 21-01 (ED-21-01) and does not represent formal guidance to federal agencies under ED-21-01.


    CISA has determined that this threat poses a grave risk t ..