CISA: SolarWinds' Orion may not be only entry point for hackers

CISA's latest alert suggests hackers may have found other entry points into the federal government's networks than just the IT management software suite.

automated security (Alexander Supertramp/

The Cybersecurity and Infrastructure Security Agency today announced it has evidence suggesting hackers may have been able to breach federal networks through other means than just the SolarWinds Orion software suite.

"CISA has evidence of additional initial access vectors, other than the SolarWinds Orion platform; however, these are still being investigated. CISA will update this alert as new information becomes available," according to the alert.

The agency also characterized the hack as a "grave risk" to federal, state and local governments as well private sector companies. CISA on Sunday night issued a rare emergency directive for all federal agencies to stop using SolarWinds Orion, but what has become clear this week is that hackers will likely reside inside the government's networks even if SolarWinds Orion is not being used any longer.

"The adversary has been observed using multiple persistence mechanisms across a variety of intrusions," the agency stated.

The cybersecurity agency also said the hacking campaign's activity means "discussions of findings and mitigations should be considered very sensitive."

"An operational security plan needs to be developed and socialized, via out-of-band communications, to ensure all staff are aware of the applicable handling caveats," the alert continues.

In a joint statement yesterday with the FBI and the Director of National Intelligence, CISA said the FBI is leading the government's efforts to identify the individuals behind the attack. CISA's work is focused on assisting agencies and the private sector on recovering in the wake of the discovery.

Richard Bejtlich, principal security strategist at Corelight, said on Twitter that detecting the intrusion might be "the easiest step, as difficult as that is."

"If the adversary decides to fight to hold its territory, then response can be even tougher. It is possible to contest territory in cyberspace. Those who have engaged adversaries know that is true," he said.

On Capitol Hill, two House committees announced today they would begin investigating the incident. In a letter signed by the lawmakers, they note a briefing from CISA's acting director Brandon Wales told them it could take "weeks, if not months" to understand the full scope of the breach.

"While investigations and technical forensic analyses are still ongoing, based on preliminary reporting, it is evident that this latest cyber intrusion could have potentially devasting consequences for U.S. national security," the letter continues.

The letter was sent to the heads of ODNI, FBI and DHS and is signed by Reps. Bennie Thompson (D-Miss.), Lauren Underwood (D-Ill.), Carolyn Maloney (D-N.Y.) and Stephen Lynch (D-Mass.).

President-elect Joe Biden said today his team has been briefed on the attack and also suggested his administration would place importance on offensive operations.

"We will elevate cybersecurity as an imperative across the government....[b]ut a good defense isn't enough; we need to disrupt and deter our adversaries from undertaking significant cyberattacks in the first place," he said. Biden also promised to impose "substantial costs on those responsible for such malicious attacks, including in coordination with our allies and partners." He added: "Our adversaries should know that, as President, I will not stand idly by in the face of cyber assaults on our nation."