Since December 2020, CISA has been responding to a significant cybersecurity incident in which an advanced persistent threat (APT) actor gained initial access to enterprise networks of U.S. government agencies, critical infrastructure entities, and private sector organizations. The APT actor only targeted a select group of organizations affected by the SolarWinds Orion compromise for follow-on network exploitation. Additionally, the APT actor used techniques other than the supply chain compromise to access targeted networks. After gaining persistent, invasive access to select organizations’ enterprise networks, the APT actor targeted their federated identity solutions and their Active Directory/M365 environments. This CISA Insights will help executive leaders of affected entities understand and be able to articulate the threat, risk, and associated actions their organizations should take.
For additional details, see the CISA websites https://us-cert.cisa.gov/Remediating-APT-Compromised-Networks and https://www.cisa.gov/supply-chain-compromise.