The massive SolarWinds hack that breached the U.S. government and thousands of other public and private customers is “likely Russian in origin,” according to a joint statement released by the FBI, the Office of the Director of National Intelligence, the National Security Agency, and the Cybersecurity and Infrastructure Security Agency.
The agencies, which are supporting the National Security Council’s Cyber Unified Coordination Group task force, said on Tuesday that a likely Kremlin-backed advanced persistent threat actor “is responsible for most or all of the recently discovered, ongoing cyber compromises of both government and non-governmental networks.”
At this time, the agencies said in a statement that they “believe this was, and continues to be, an intelligence gathering effort,” and of the estimated 18,000 affected public and private sector customers of SolarWinds’ Orion products, “a much smaller number has been compromised by follow-on activity on their systems.”
“We have so far identified fewer than 10 U.S. government agencies that fall into this category and are working to identify the nongovernment entities who also may be impacted,” the agencies said.
“This is a serious compromise that will require a sustained and dedicated effort to remediate,” the statement read, adding that “since its initial discovery,” the U.S. government and partners in the private sector have been working “non-stop,” including through the holidays, to get to the bottom of the cyberattack.
President Trump, who has refused to concede the November election to President-elect Joe Biden, tweeted last month that “Russia, Russia, Russia is the priority chant when anything happens” and that the hack “may” have been carried out by China. Secretary of State Mike Pompeo and now-former Attorney General William Barr both said in December that they believed the cyber campaign was likely carried out by the Russians.
The cyber task force said Tuesday that the FBI was the “lead agency for threat response” and is focused on “identifying victims, collecting evidence, analyzing the evidence to determine further attribution, and sharing results with our government and private sector partners.” CISA, the “lead agency for threat response,” is “focused on sharing information quickly with our government and private sector partners as we work to understand the extent of this campaign and the level of exploitation” and “has also created a free tool for detecting unusual and potentially malicious activity related to this incident,” the statement read. ODNI, which oversees the nation’s 17 spy agencies, is “coordinating the Intelligence Community to ensure the UCG has the most up-to-date intelligence to drive U.S. government mitigation and response activities.” And the NSA is “providing intelligence, cybersecurity expertise, and actionable guidance to the UCG partners, as well as National Security Systems, Department of Defense, and Defense Industrial Base system owners” while “assessing the scale and scope of the incident, as well as providing technical mitigation measures.”
In December, SolarWinds acknowledged its systems had been compromised by hackers who infiltrated the company’s Orion software updates in order to distribute malware to its customers’ computers. The U.S. network-management company said roughly 18,000 of its customers were affected. Before the customer list was removed from the company’s website, it boasted of 300,000 customers, including “more than 425 of the US Fortune 500,” the 10 biggest telecommunications companies in the United States, “all five branches” of the U.S. military, and a number of different government agencies — including the State Department, the National Security Agency, the Justice Department, and the Office of the President.
FireEye, a cybersecurity firm that works with government agencies to expose and fight foreign cyberattacks, reported that it discovered a “highly evasive attacker” had infiltrated SolarWinds’ Orion software updates, and announced in early December that it had itself been hacked.
The SolarWinds hack hearkens back to Russia’s large-scale hacking of the State Department in 2014. Actors affiliated with Russian military intelligence were also named by the U.S. as being responsible for the hacking of the Democratic National Committee’s email systems in 2016.