An attacker-modified update to SolarWinds Orion is likely not the only way Russian attackers infiltrated networks. US Cybersecurity and Infrastructure Security Agency: Attackers appear to have used other vectors of attacks. CISA: “We are investigating incidents in which activity indicating abuse of SAML (SAML) tokens consistent with this adversary’s behavior is present” The company says there is no evidence that its software has been used to establish a beachhead by attackers on vulnerable networks, noting it had patched the vulnerability on Dec. 3.”]
Source: https://www.darkreading.com/advanced-threats/nsa-cisa-warn-of-attacks-on-federated-authentication