CISA: Many victims of SolarWinds hackers had no direct connection to SolarWinds

The U.S. CISA reveals that many of the victims of the SolarWinds hackers had no direct connection to SolarWinds.

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) revealed that many of the organizations targeted by SolarWinds hackers had not direct link to the supply chain attack.

“While the supply chain compromise of SolarWinds first highlighted the significance of this cyber incident, our response has identified the use of multiple additional initial infection vectors. We have found that significant numbers of both the private-sector and government victims linked to this campaign had no direct connection to SolarWinds,” a CISA spokesperson told SecurityWeek.

“This is an ongoing response, and we are still working with our government and private sector partners to fully understand this campaign, and to develop and share timely information to mitigate the threat posed by this adversary,”

CISA’s acting director, Brandon Wales, told The Wall Street Journal that about a third of the victims were not using the Orion software.

According to Wales, some victims were compromised before the threat group started the supply chain attack.

“The attackers “gained access to their targets in a variety of ways. This adversary has been creative,” said Mr. Wales, whose agency, part of the U.S. Department of Homeland Security, is coordinating the government response. “It is absolutely correct that this campaign should not be thought of as the SolarWinds campaign.”” reported the WSJ.

Researchers from cybersecurity firm Volexity reported that SolarWinds hackers compromised a U.S. think tank several times, but they exploited the compromised SolarWinds supply chain in just one case.

In Mid-January, security firm Malwarebytes revealed that SolarWinds hackers also breached its systems and gained access to its email.

The intrusion took place last year, the company pointed out that hackers exploited another attack vector and did not use SolarWinds Orion software.

The intruders compromised some internal systems by exploiting a weakness in Azure Active Directory and abused malicious Office 365 applications.

“We continue to maintain that this is an espionage campaign designed for long-term intelligence collection,” Mr. Wales concluded. “That said, when you compromise an agency’s authentication infrastructure, there is a lot of damage you could do.”

If you want to receive the weekly Security Affairs Newsletter for free subscribe here.

[adrotate banner=”9″]

[adrotate banner=”12″]

Pierluigi Paganini

(SecurityAffairs – hacking, Orion software)

[adrotate banner=”5″]

[adrotate banner=”13″]

Pierluigi Paganini

Pierluigi Paganini is member of the ENISA (European Union Agency for Network and Information Security) Threat Landscape Stakeholder Group and Cyber G7 Group, he is also a Security Evangelist, Security Analyst and Freelance Writer. Editor-in-Chief at "Cyber Defense Magazine", Pierluigi is a cyber security expert with over 20 years experience in the field, he is Certified Ethical Hacker at EC Council in London. The passion for writing and a strong belief that security is founded on sharing and awareness led Pierluigi to find the security blog "Security Affairs" recently named a Top National Security Resource for US. Pierluigi is a member of the "The Hacker News" team and he is a writer for some major publications in the field such as Cyber War Zone, ICTTF, Infosec Island, Infosec Institute, The Hacker News Magazine and for many other Security magazines. Author of the Books "The Deep Dark Web" and “Digital Virtual Currency and Bitcoin”.