{
	"id": "b3b116af-a1e8-4ff5-8e33-10c2e4cf2870",
	"created_at": "2026-04-10T03:21:21.112903Z",
	"updated_at": "2026-04-10T03:22:17.155949Z",
	"deleted_at": null,
	"sha1_hash": "f276cea3adfc47d38b0ac583ce3bb8f2a037c62c",
	"title": "Supply Chain Compromise | CISA",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 49383,
	"plain_text": "Supply Chain Compromise | CISA\r\nPublished: 2021-01-07 · Archived: 2026-04-10 02:43:06 UTC\r\nCISA is tracking a significant cyber incident impacting enterprise networks across federal, state, and local\r\ngovernments, as well as critical infrastructure entities and other private sector organizations. An advanced\r\npersistent threat (APT) actor is responsible for compromising the SolarWinds Orion software supply chain, as well\r\nas widespread abuse of commonly used authentication mechanisms. This threat actor has the resources, patience,\r\nand expertise to gain access to and privileges over highly sensitive information if left unchecked. CISA urges\r\norganizations to prioritize measures to identify and address this threat.\r\nPursuant to Presidential Policy Directive (PPD) 41, CISA, the Federal Bureau of Investigation (FBI), and the\r\nOffice of the Director of National Intelligence (ODNI) have formed a Cyber Unified Coordination Group (UCG)\r\nto coordinate a whole-of-government response to this significant cyber incident.\r\nCISA also remains in regular contact with public and private sector stakeholders and international partners,\r\nproviding technical assistance upon request, and making information and resources available to help those\r\naffected to recover quickly from incidents related to this campaign.\r\nCISA encourages individuals and organizations to refer to the resources below for additional information on this\r\ncompromise. These resources provide information to help organizations detect and prevent this activity.\r\nCISA Hunt and Incident Response Program (CHIRP)\r\nCISA released the CISA Hunt and Incident Response Program (CHIRP), a forensics collection capability outlined\r\nin Activity Alert AA21-077A and available on CISA’s CHIRP GitHub repository. 
This capability was\r\ndeveloped to assist network defenders with detecting advanced persistent threat (APT) activity related to the\r\nSolarWinds and Active Directory/M365 compromise. The initial release of CHIRP scans an on-premises environment\r\nfor indicators of compromise (IOCs) associated with CISA Alerts AA20-352A and AA21-008A.\r\nEmergency Directive and Update\r\nOn January 6, 2021, CISA released Supplemental Guidance on Emergency Directive 21-01 that requires that (1)\r\nagencies that ran affected versions conduct forensic analysis, (2) agencies that accept the risk of running\r\nSolarWinds Orion comply with certain hardening requirements, and (3) department-level Chief Information Officers (CIOs) report on behalf of their agencies by Tuesday, January 19, and Monday, January 25, 2021.\r\nPress Releases\r\nJoint Statement by the Federal Bureau of Investigation (FBI), the Cybersecurity and Infrastructure Security\r\nAgency (CISA), the Office of the Director of National Intelligence (ODNI), and the National Security\r\nAgency (NSA)\r\nOn behalf of President Trump, the National Security Council staff has stood up a task force\r\nconstruct known as the Cyber Unified Coordination Group (UCG), composed of the FBI, CISA, and\r\nODNI with support from NSA, to coordinate the investigation and remediation of this significant\r\ncyber incident involving federal government networks. 
The UCG is still working to understand the\r\nscope of the incident but has the following updates on its investigative and mitigation efforts.\r\nJoint Statement by the Federal Bureau of Investigation (FBI), the Cybersecurity and Infrastructure Security\r\nAgency (CISA), and the Office of the Director of National Intelligence (ODNI)\r\nThis Joint Statement announces the establishment of a Cyber Unified Coordination Group (UCG).\r\nPursuant to Presidential Policy Directive (PPD) 41, FBI, CISA, and ODNI have formed a UCG to\r\ncoordinate a whole-of-government response to this significant cyber incident. The UCG is intended\r\nto unify the individual efforts of these agencies as they focus on their separate responsibilities.\r\nCISA Press Release: CISA Issues Emergency Directive to Mitigate the Compromise of SolarWinds Orion\r\nNetwork Management Products\r\nThis press release announces CISA Emergency Directive 21-01 in response to the known\r\ncompromise involving SolarWinds Orion products. The ED calls on federal civilian agencies to\r\nreview their networks for IOCs and disconnect or power down SolarWinds Orion products\r\nimmediately. 
This is the fifth Emergency Directive issued by CISA under the authorities granted by\r\nCongress in the Cybersecurity Act of 2015.\r\nPartner Products\r\nNSA Cybersecurity Advisory: Detecting Abuse of Authentication Mechanisms\r\nThis NSA cybersecurity advisory describes tactics, techniques, and procedures used by malicious\r\ncyber actors to access protected data in the cloud and provides guidance on defending against and\r\ndetecting such activity.\r\nSolarWinds Security Advisory\r\nThis SolarWinds advisory describes the cyberattack on its systems that inserted the SUNBURST\r\nbackdoor into Orion Platform software builds, which, if present and activated, could\r\npotentially allow an attacker to compromise the server on which the Orion products run.\r\nFireEye Advisory: Highly Evasive Attacker Leverages SolarWinds Supply Chain to Compromise Multiple\r\nGlobal Victims With SUNBURST Backdoor\r\nThis FireEye advisory addresses the supply chain attack trojanizing SolarWinds Orion Business\r\nsoftware updates in order to distribute malware referred to as “SUNBURST.”\r\nFireEye GitHub Page: Sunburst Countermeasures\r\nThe FireEye GitHub repository provides rules in multiple formats (Snort, YARA, IOC, ClamAV) to\r\ndetect the threat actor and supply chain attacks in the wild.\r\nAlerts and Guidance\r\nCISA's Alerts and Advisories page provides more information about this and related cyber incidents.\r\nSource: https://www.cisa.gov/supply-chain-compromise",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://www.cisa.gov/supply-chain-compromise"
	],
	"report_names": [
		"supply-chain-compromise"
	],
	"threat_actors": [],
	"ts_created_at": 1775791281,
	"ts_updated_at": 1775791337,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/f276cea3adfc47d38b0ac583ce3bb8f2a037c62c.pdf",
		"text": "https://archive.orkl.eu/f276cea3adfc47d38b0ac583ce3bb8f2a037c62c.txt",
		"img": "https://archive.orkl.eu/f276cea3adfc47d38b0ac583ce3bb8f2a037c62c.jpg"
	}
}