CISA Advisory AA20-352A: Advanced Persistent Threat Compromise of Government Agencies via SolarWinds Supply Chain
This CISA advisory documents the SolarWinds supply chain compromise attributed to Russian SVR, illustrating how critical infrastructure and government systems can be compromised through software supply chains — a key concern for AI system deployment security and trustworthy AI infrastructure.
Summary
CISA advisory documenting the SolarWinds Orion supply chain compromise by Russian SVR (APT), affecting U.S. government agencies, critical infrastructure, and private sector organizations beginning March 2020. The advisory details initial access vectors including trojanized SolarWinds DLLs and SAML token abuse, and characterizes the threat as a patient, well-resourced adversary. It was updated to formally attribute the activity to Russia's Foreign Intelligence Service.
Key Points
- Russian SVR compromised the SolarWinds Orion software supply chain, affecting multiple U.S. government agencies and critical infrastructure entities.
- The attack involved a trojanized DLL in SolarWinds Orion Platform versions 2019.4–2020.2, enabling stealthy long-duration network access.
- Additional initial access vectors beyond SolarWinds were identified, including abuse of SAML authentication tokens.
- CISA issued Emergency Directive 21-01 ordering federal agencies to disconnect affected devices.
- The adversary demonstrated advanced operational security, patience, and complex tradecraft, making remediation highly challenging.
Cited by 1 page
| Page | Type | Quality |
|---|---|---|
| AI Cyber Damage: Bounding the Tail | Analysis | -- |
1 FactBase fact citing this source
| Entity | Property | Value | As Of |
|---|---|---|---|
| SolarWinds (2020) | Incident Date | Mar 2020 | Dec 2020 |
Cached Content Preview
Archived Content
In an effort to keep CISA.gov current, the archive contains outdated information that may not reflect current policy or programs.
Cybersecurity Advisory
Advanced Persistent Threat Compromise of Government Agencies, Critical Infrastructure, and Private Sector Organizations
Last Revised April 15, 2021
Alert Code AA20-352A
Summary
Updated April 15, 2021: The U.S. Government attributes this activity to the Russian Foreign Intelligence Service (SVR). Additional information may be found in a statement from the White House. For more information on SolarWinds-related activity, go to https://us-cert.cisa.gov/remediating-apt-compromised-networks and https://www.cisa.gov/supply-chain-compromise.
The Cybersecurity and Infrastructure Security Agency (CISA) is aware of compromises of U.S. government agencies, critical infrastructure entities, and private sector organizations by an advanced persistent threat (APT) actor beginning in at least March 2020. This APT actor has demonstrated patience, operational security, and complex tradecraft in these intrusions. CISA expects that removing this threat actor from compromised environments will be highly complex and challenging for organizations.
(Updated January 6, 2021): One of the initial access vectors for this activity is a supply chain compromise of a Dynamic Link Library (DLL) in the following SolarWinds Orion products (see Appendix A). Note: prior versions of this Alert included a single bullet that listed two platform versions for the same DLL. For clarity, the Alert now lists these platform versions that share the same DLL version number separately, as both are considered affected versions.
- Orion Platform 2019.4 HF5, version 2019.4.5200.9083
- Orion Platform 2020.2 RC1, version 2020.2.100.12219
- Orion Platform 2020.2 RC2, version 2020.2.5200.12394
- Orion Platform 2020.2, version 2020.2.5300.12432
- Orion Platform 2020.2 HF1, version 2020.2.5300.12432
Note (updated January 6, 2021): CISA has evidence that there are initial access vectors other than the SolarWinds Orion platform and has identified legitimate account abuse as one of these vectors (for details refer to the Initial Access Vectors section). Specifically, we are investigating incidents in which activity indicating abuse of Security Assertion Markup Language (SAML) tokens consistent with this adversary's behavior is present, yet where impacted SolarWinds instances have not been identified. CISA is continuing to work to confirm initial access vectors and identify any changes to the tactics, techniques, and procedures (TTPs). CISA will update this Alert as new information becomes available. Refer to CISA.gov/supply-chain-compromise for additional resources.
(Updated January 6, 2021): On December 13, 2020, CISA released Emergency Directive 21-01: Mitigate SolarWinds Orion Code Compromise, ordering federal
... (truncated, 52 KB total)