CISA is now publicly admitting to the severity of the intrusion and the ongoing difficulty in getting the hackers out of systems. This is not simply a matter of shutting down/patching SolarWinds and being home free; it is an advanced and persistent threat. This deep-level intrusion can't be easily rooted out (if you were even a moderately high-priority target that was exploited).
"CISA expects that removing this threat actor from compromised environments will be highly complex and challenging for organizations."
CISA is aware of compromises of US government agencies, critical infrastructure entities, and private sector organizations by an advanced persistent threat actor beginning in at least March 2020.
us-cert.cisa.gov
Compromise Mitigations
If the adversary has compromised administrative level credentials in an environment—or if organizations identify SAML abuse in the environment, simply mitigating individual issues, systems, servers, or specific user accounts will likely not lead to the adversary’s removal from the network. In such cases, organizations should consider the entire identity trust store as compromised. In the event of a total identity compromise, a full reconstitution of identity and trust services is required to successfully remediate. In this reconstitution, it bears repeating that this threat actor is among the most capable, and in many cases, a full rebuild of the environment is the safest action.
Operational Security
Due to the nature of this pattern of adversary activity—and the targeting of key personnel, incident response staff, and IT email accounts—discussion of findings and mitigations should be considered very sensitive, and should be protected by operational security measures. An operational security plan needs to be developed and socialized, via out-of-band communications, to ensure all staff are aware of the applicable handling caveats.