

Emergency Management Association of Texas


Advanced Persistent Threat Compromise of Government Agencies, Critical Infrastructure, and Private Sector Organizations

18 Dec 2020 2:11 PM | Anonymous

Original release date: December 17, 2020

Summary

The Cybersecurity and Infrastructure Security Agency (CISA) is aware of compromises of U.S. government agencies, critical infrastructure entities, and private sector organizations by an advanced persistent threat (APT) actor beginning in at least March 2020. This APT actor has demonstrated patience, operational security, and complex tradecraft in these intrusions. CISA expects that removing this threat actor from compromised environments will be highly complex and challenging for organizations.

One of the initial access vectors for this activity is a supply chain compromise of the following SolarWinds Orion products (see Appendix A).

  • Orion Platform 2019.4 HF5, version 2019.4.5200.9083
  • Orion Platform 2020.2 RC1, version 2020.2.100.12219
  • Orion Platform 2020.2 RC2, version 2020.2.5200.12394
  • Orion Platform 2020.2, 2020.2 HF1, version 2020.2.5300.12432

Note: CISA has evidence of additional initial access vectors, other than the SolarWinds Orion platform; however, these are still being investigated. CISA will update this Alert as new information becomes available.

On December 13, 2020, CISA released Emergency Directive 21-01: Mitigate SolarWinds Orion Code Compromise, ordering federal civilian executive branch departments and agencies to disconnect affected devices. Note: this Activity Alert does not supersede the requirements of Emergency Directive 21-01 (ED 21-01) and does not represent formal guidance to federal agencies under ED 21-01.

CISA has determined that this threat poses a grave risk to the Federal Government and state, local, tribal, and territorial governments as well as critical infrastructure entities and other private sector organizations. CISA advises stakeholders to read this Alert and review the enclosed indicators (see Appendix B).

Key Takeaways

  • This is a patient, well-resourced, and focused adversary that has sustained long duration activity on victim networks.
  • The SolarWinds Orion supply chain compromise is not the only initial infection vector this APT actor leveraged.
  • Not all organizations that have the backdoor delivered through SolarWinds Orion have been targeted by the adversary with follow-on actions.
  • Organizations with suspected compromises need to be highly conscious of operational security, including when engaging in incident response activities and planning and implementing remediation plans.


For the full alert, visit:

https://us-cert.cisa.gov/ncas/alerts/aa20-352a
