CISA Releases Eviction Guidance to Help Organizations Remove Russian State-Sponsored Threats from Compromised Networks


By: Eric Goldstein, Executive Assistant Director, Cybersecurity and Infrastructure Security Agency

Today, CISA took an important step in our ongoing response to the cyber intrusion campaign impacting SolarWinds Orion and Microsoft Office365 environments: publishing Eviction Guidance to help organizations reduce the likelihood that a threat actor retains a foothold in their networks. In recent months, many public and private sector organizations have taken urgent steps to understand their exposure, undertake incident response activities, and implement mitigations. Recognizing the highly sophisticated and persistent nature of this adversary, attributed by the U.S. government to the Russian Foreign Intelligence Service (SVR), this Guidance is intended to provide an additional level of due diligence to secure impacted networks.

While this Eviction Guidance was originally developed to support federal agencies, CISA encourages any organization that may have been impacted by the SolarWinds and Active Directory/M365 compromise to consider implementing these steps across their applicable environments. Some organizations may find full implementation of this Guidance to be time-consuming or require third-party support. CISA strongly urges all potentially impacted organizations to invest the resources required to implement this Guidance and reduce the likelihood of prolonged adversary persistence. For additional guidance on addressing this particular threat, I encourage you to visit us-cert.cisa.gov/remediating-apt-compromised-networks and cisa.gov/supply-chain-compromise.

Responding to and recovering from the SolarWinds and Active Directory/M365 campaign continues to be a whole-of-government effort, and our work continues. We will continue to provide guidance, develop tools, and offer assistance to support organizations in managing complex cybersecurity risks. We will continue to work with individual agencies as they secure and modernize their networks, including by implementing President Biden’s Executive Order on Improving the Nation’s Cybersecurity. And we will expand our capabilities to detect, protect against, and respond to future intrusions.

To this end, we are urgently implementing new authorities to hunt for cybersecurity threats across federal civilian agencies, provide new and innovative shared services that raise the bar for government cybersecurity, and advance our capabilities to analyze security data in order to identify previously unknown threats. We are also using resources provided by Congress in the American Rescue Plan Act to build our expert and diverse cyber workforce, provide agencies with best-in-class commercial tools to protect their networks, and help agencies adopt leading security practices like zero-trust architectures. As cybersecurity threats continue to threaten and impact our government, our critical infrastructure, and businesses across the country, CISA remains focused on making urgent investments and building key partnerships to address this national risk.