Supply Chain Compromise


Alert: Updated - APT Compromise of Government Agencies. Critical Infrastructure, and Private Sector Organizations - CISA

 

CISA is tracking a significant cyber incident impacting enterprise networks across federal, state, and local governments, as well as critical infrastructure entities and other private sector organizations. An advanced persistent threat (APT) actor is responsible for compromising the SolarWinds Orion software supply chain, as well as widespread abuse of commonly used authentication mechanisms. This threat actor has the resources, patience, and expertise to gain access to and privileges over highly sensitive information if left unchecked. CISA urges organizations to prioritize measures to identify and address this threat.

Pursuant to Presidential Policy Directive (PPD) 41, CISA, the Federal Bureau of Investigation (FBI) and the Office of the Director of National Intelligence (ODNI) have formed a Cyber Unified Coordination Group (UCG) to coordinate a whole-of-government response to this significant cyber incident.

CISA also remains in regular contact with public and private sector stakeholders and international partners, providing technical assistance upon request, and making information and resources available to help those affected to recover quickly from incidents related to this campaign.

CISA encourages individuals and organizations to refer to the resources below for additional information on this compromise. These resources provide information to help organizations detect and prevent this activity.

Emergency Directive and Updates

  • CISA Updates Supplemental Guidance on Emergency Directive 21-01
    • On January 6, 2021, CISA released supplemental guidance v3 that requires (1) agencies that ran affected versions conduct forensic analysis, (2) agencies that accept the risk of running SolarWinds Orion comply with certain hardening requirements, and (3) reporting by agency from department-level Chief Information Officers (CIOs) by Tuesday, January 19, and Monday, January 25, 2020.
  • CISA Updates Supplemental Guidance on Emergency Directive 21-01 
    • On December 30, 2020, CISA released guidance to supplement the Emergency Directive (ED) 21-01 and Supplemental Guidance v1 issued on December 18, 2020. Specifically, all federal agencies operating versions of the SolarWinds Orion platform other than those identified as “affected versions” are required to use at least SolarWinds Orion Platform version 2020.2.1HF2. 
  • CISA Supplemental Guidance on Emergency Directive 21-01
    • On December 18, 2020, CISA’s supplemental release provides additional guidance on the implementation of ED 21-01, to include an update on affected versions, guidance for agencies using third-party service providers, and additional clarity on required actions.
  • CISA Emergency Directive 21-01
    • On December 13, 2020 CISA determined that this exploitation of SolarWinds products poses an unacceptable risk to Federal Civilian Executive Branch agencies and requires emergency action. Multiple versions of SolarWinds Orion are currently being exploited by malicious actors. This tactic permits an attacker to gain access to network traffic management systems. Disconnecting affected devices, as described in Required Action 2 of the ED, is the only known mitigation measure currently available.

Press Releases

Alerts and Guidance

Partner Products

The information you have accessed or received is provided "as is" for informational purposes only.

DHS and CISA do not endorse any commercial product or service, including any subjects of analysis.
Any reference to specific commercial products, processes, or services by service mark, trademark, manufacturer,
or otherwise, does not constitute or imply their endorsement, recommendation, or favoring by DHS or CISA.

Was this webpage helpful?  Yes  |  Somewhat  |  No