Security Experts:

Connect with us

Hi, what are you looking for?


Incident Response

Supply Chain Attack: CISA Warns of New Initial Attack Vectors Posing ‘Grave Risk’

U.S. Agency Says SolarWinds Orion Supply Chain Compromise is Not the Only Initial Infection Vector Leveraged by APT Actor 

U.S. Agency Says SolarWinds Orion Supply Chain Compromise is Not the Only Initial Infection Vector Leveraged by APT Actor 

The U.S. government on Thursday added a new wrinkle to the global emergency response to the SolarWinds software supply chain attack, warning there are “additional initial access vectors” that have not yet been documented.

As the incident response and threat hunting world focuses on the SolarWinds Orion products as the initial entry point for the attacks, the Cybersecurity and Infrastructure Security Agency (CISA) added a note to its advisory to warn of the new information.

“CISA has evidence of additional initial access vectors, other than the SolarWinds Orion platform; however, these are still being investigated,” according to the updated advisory (PDF).

The agency did not provide additional details, but promised to update its communications as new information becomes available.

The agency also strengthened the language in its communications, describing the threat as posing “grave risk” to the Federal Government and state, local, tribal, and territorial governments as well as critical infrastructure entities and other private sector organizations.

The newly discovered attack, believed to be an espionage operation by a foreign state-backed actor, has hit multiple U.S. government agencies, critical infrastructure entities, and private sector organizations.

“This APT actor has demonstrated patience, operational security, and complex tradecraft in these intrusions. CISA expects that removing this threat actor from compromised environments will be highly complex and challenging for organizations,” CISA noted.

The U.S. government has issued an emergency directive ordering federal civilian executive branch departments and agencies to disconnect affected devices.

Some additional highlights from the latest CISA warning include:

• The SolarWinds Orion supply chain compromise is not the only initial infection vector this APT actor leveraged.

• Not all organizations that have the backdoor delivered through SolarWinds Orion have been targeted by the adversary with follow-on actions.

• Organizations with suspected compromises need to be highly conscious of operational security, including when engaging in incident response activities and planning and implementing remediation plans.

Earlier today it was reported that a killswitch has been identified and activated for one of the pieces of malware delivered by threat actors as part of the attack targeting SolarWinds and its customers. 

The victims of the supply chain attack include several U.S. government organizations and, according to FireEye, many organizations in the government, technology, consulting, extractive and telecom sectors in North America, Europe, the Middle East and Asia.

Symantec, which also analyzed the attack, said it had identified the trojanized software updates on over 2,000 computers at more than 100 customers.

Related: SolarWinds Removes Customer List From Site as It Releases Second Hotfix

Related: Group Behind SolarWinds Hack Bypassed MFA to Access Emails at US Think Tank

Written By

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join this webinar to learn best practices that organizations can use to improve both their resilience to new threats and their response times to incidents.


Join this live webinar as we explore the potential security threats that can arise when third parties are granted access to a sensitive data or systems.


Expert Insights

Related Content

Data Breaches

LastPass DevOp engineer's home computer hacked and implanted with keylogging malware as part of a sustained cyberattack that exfiltrated corporate data from the cloud...

Risk Management

The supply chain threat is directly linked to attack surface management, but the supply chain must be known and understood before it can be...

Application Security

GitHub this week announced the revocation of three certificates used for the GitHub Desktop and Atom applications.


A recently disclosed vBulletin vulnerability, which had a zero-day status for roughly two days last week, was exploited in a hacker attack targeting the...

Data Breaches

GoTo said an unidentified threat actor stole encrypted backups and an encryption key for a portion of that data during a 2022 breach.


The overall effect of current global geopolitical conditions is that nation states have a greater incentive to target the ICS/OT of critical industries, while...

Cybersecurity Funding

2022 Cybersecurity Year in Review: Top news headlines and trends that impacted the security ecosystem

Incident Response

Cygnvs emerges from stealth mode with an incident response platform and $55 million in Series A funding.