Guiding SLTTs Through the SolarWinds Supply Chain Attack

In December 2020, cybersecurity firm FireEye uncovered a sophisticated supply chain attack involving SolarWinds’ Orion platform. Threat actors later attributed to a nation state inserted a backdoor (SUNBURST) into legitimate software updates, enabling them to infiltrate networks of approximately 18,000 organizations, including U.S. federal agencies, state and local governments, and critical infrastructure providers.

The threat actors used advanced techniques, including randomized behaviors and multiple malware strains (SUNSPOT, TEARDROP, RAINDROP, and BEACON), to evade detection, move laterally across networks, and access sensitive data.

Learn about the details of this supply chain attack as well as how the Multi-State Information Sharing and Analysis Center® (MS-ISAC®) guided U.S. State, Local, Tribal, and Territorial (SLTT) member organizations through it.

Network Compromises and Operation Disruptions

U.S. SLTTs experienced far-reaching consequences from the SolarWinds supply chain attack.

  • Compromised Public Sector Networks: U.S. SLTT entities using vulnerable versions of SolarWinds Orion experienced unauthorized access, data exfiltration, and potential service disruption.
  • Operational Disruption: Some local governments needed to isolate or shut down their systems, divert IT staff to emergency response, and delay public services while investigating and remediating the effects of the breach.
  • Cloud-Based Exploitation: Attackers moved from on-premises networks to Microsoft 365 environments, compromising email systems and identity services used by public agencies.
  • Financial Strain: The cost of forensic analysis, patching, and system hardening placed a heavy burden on U.S. SLTTs, many of which lacked dedicated cybersecurity teams.
  • Election System Risk: The breach highlighted vulnerabilities in election infrastructure, prompting urgent reviews of software supply chain security.

Sharing Resources During the Supply Chain Attack

The MS-ISAC was instrumental in guiding U.S. SLTTs through the security incident.

  • Tiered Response Guidance: The MS-ISAC published a comprehensive playbook tailored to organizations with varying cybersecurity maturity. This included:
    • Isolation protocols for vulnerable systems
    • Patch recommendations
    • Threat detection tools and scripts
  • 24x7x365 Support: The 24x7x365 Center for Internet Security® (CIS®) Security Operations Center (SOC) provided real-time assistance to MS-ISAC members, helping them:
    • Identify Indicators of Compromise (IOCs)
    • Coordinate incident response
    • Validate remediation steps
  • Threat Intelligence Sharing: The MS-ISAC tracked multiple malware strains and shared IOCs with members, enabling proactive defense and containment.
  • Cloud Hardening Resources: It distributed tools and guidance for securing Microsoft 365 and Azure environments, including scripts to detect identity-based attacks.
  • Federal Coordination: The MS-ISAC worked closely with CISA, FBI, and DHS, ensuring U.S. SLTTs had access to national-level intelligence and remediation support.

Support the Essential Role of the MS-ISAC

The SolarWinds attack revealed how deeply embedded software vulnerabilities can compromise public infrastructure. It also demonstrated the essential role of the MS-ISAC:

  • U.S. SLTTs often lack the internal capacity to respond to nation-state threats.
  • The MS-ISAC provided free, expert-level support during one of the most complex cyber attacks in history.
  • Without the MS-ISAC, many public institutions would have faced greater disruption, data loss, and long-term exposure from the SolarWinds supply chain attack.

As cyber threats grow more sophisticated, the MS-ISAC remains the only coordinated cybersecurity safety net for thousands of public sector organizations.

Ready to unlock the power of this cyber defense community?

As of June 23, 2025, the MS-ISAC has introduced a fee-based membership. Any potential reference to no-cost MS-ISAC services no longer applies.