CISA: Many victims of SolarWinds hackers had no direct connection to SolarWinds

The U.S. CISA reveals that many of the victims of the SolarWinds hackers had no direct connection to SolarWinds.

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) revealed that many of the organizations targeted by SolarWinds hackers had not direct link to the supply chain attack.

“While the supply chain compromise of SolarWinds first highlighted the significance of this cyber incident, our response has identified the use of multiple additional initial infection vectors. We have found that significant numbers of both the private-sector and government victims linked to this campaign had no direct connection to SolarWinds,” a CISA spokesperson told SecurityWeek.

“This is an ongoing response, and we are still working with our government and private sector partners to fully understand this campaign, and to develop and share timely information to mitigate the threat posed by this adversary,”

CISA’s acting director, Brandon Wales, told The Wall Street Journal that about a third of the victims were not using the Orion software.

According to Wales, some victims were compromised before the threat group started the supply chain attack.

“The attackers “gained access to their targets in a variety of ways. This adversary has been creative,” said Mr. Wales, whose agency, part of the U.S. Department of Homeland Security, is coordinating the government response. “It is absolutely correct that this campaign should not be thought of as the SolarWinds campaign.”” reported the WSJ.

Researchers from cybersecurity firm Volexity reported that SolarWinds hackers compromised a U.S. think tank several times, but they exploited the compromised SolarWinds supply chain in just one case.

In Mid-January, security firm Malwarebytes revealed that SolarWinds hackers also breached its systems and gained access to its email.

The intrusion took place last year, the company pointed out that hackers exploited another attack vector and did not use SolarWinds Orion software.

The intruders compromised some internal systems by exploiting a weakness in Azure Active Directory and abused malicious Office 365 applications.

“We continue to maintain that this is an espionage campaign designed for long-term intelligence collection,” Mr. Wales concluded. “That said, when you compromise an agency’s authentication infrastructure, there is a lot of damage you could do.”

If you want to receive the weekly Security Affairs Newsletter for free subscribe here.

[adrotate banner=”9″]

[adrotate banner=”12″]

Pierluigi Paganini

(SecurityAffairs – hacking, Orion software)

[adrotate banner=”5″]

[adrotate banner=”13″]