Alert - Advanced Persistent Threat Compromises (CISA)

Number: AL20-030
Date: 17 December 2020

AUDIENCE

This Alert is intended for IT professionals and managers of notified organizations.

PURPOSE

An Alert is used to raise awareness of a recently identified cyber threat that may impact cyber information assets, and to provide additional detection and mitigation advice to recipients. The Canadian Centre for Cyber Security ("Cyber Centre") is also available to provide additional assistance regarding the content of this Alert to recipients as requested.

OVERVIEW

CISA has issued an Alert containing new information with regard to the SolarWinds supply chain compromise.

DETAILS

On 17 December 2020 the Cybersecurity and Infrastructure Security Agency (CISA), the United States’ agency responsible for protecting its critical infrastructure from physical and cyber threats, produced an in-depth report on recent activity impacting US government agencies, critical infrastructure and private sector organizations. [1] This activity is a result of the recently-disclosed SolarWinds supply chain compromise, for which the Cyber Centre issued Alert AL20-029 on 14 December 2020. [2][3] The CISA report is a summary of the incidents including information regarding affected Orion products, mitigation advice, and indicators of compromise to aid in detection. CISA has provided the following key takeaways:

  • This is a patient, well-resourced, and focused adversary that has sustained long duration activity on victim networks.
  • The SolarWinds Orion supply chain compromise is not the only initial infection vector the actor leveraged.
  • Not all organizations that have the backdoor delivered through SolarWinds Orion have been targeted by the adversary with follow-on actions.
  • Organizations with suspected compromises need to be highly conscious of operational security, including when engaging in incident response activities and planning and implementing remediation plans.

The CISA Alert (AA20-352A) can be found at:
https://us-cert.cisa.gov/ncas/alerts/aa20-352a

Should activity matching the content of this Alert be discovered, recipients are encouraged to contact the Cyber Centre by email (contact@cyber.gc.ca) or by telephone (1-833-CYBER-88 or 1-833-292-3788).

REFERENCES

[1] CISA Alert AA20-352A
https://us-cert.cisa.gov/ncas/alerts/aa20-352a

[2] SolarWinds Security Advisory
https://www.solarwinds.com/securityadvisory

[3] Cyber Centre Alert AL20-029
https://cyber.gc.ca/en/alerts/solarwinds-security-incident

NOTE TO READERS
The Canadian Centre for Cyber Security (Cyber Centre) operates as part of the Communications Security Establishment. We are Canada's national authority on cyber security and we lead the government's response to cyber security events. As Canada's national computer security incident response team, the Cyber Centre works in close collaboration with government departments, critical infrastructure, Canadian businesses and international partners to prepare for, respond to, mitigate, and recover from cyber events. We do this by providing authoritative advice and support, and coordinating information sharing and incident response. The Cyber Centre is outward-facing, welcoming partnerships that help build a stronger, more resilient cyber space in Canada.