Russia behind SolarWinds hack, intel agencies claim
Connecting state and local government leaders
According to a Jan. 5 statement from the Cyber Unified Coordination Group, “an Advanced Persistent Threat actor, likely Russian in origin, is responsible for most or all of the recently discovered, ongoing cyber compromises of both government and non-governmental networks."
Russia is the likely culprit of the widespread hack of U.S. networks, a White House task force concluded.
Since the attack, analysts and some administration officials have suggested a Russian intelligence service is behind the attack on SolarWinds' Orion product, but the Jan. 5 statement from the Cyber Unified Coordination Group -- which includes the FBI, the Cybersecurity and Infrastructure Security Agency, the National Security Agency and the Office of the Director of National Intelligence -- is the first time the federal government has explicitly attributed the attack to Russia.
"This work indicates that an Advanced Persistent Threat actor, likely Russian in origin, is responsible for most or all of the recently discovered, ongoing cyber compromises of both government and non-governmental networks," the statement reads.
The group also said it has identified fewer than 10 government agencies that were explicitly targeted by hackers with follow-on activity using the access provided by the SolarWinds breach.
The task force statement references an initial estimate by SolarWinds that said 18,000 "public and private sector customers" downloaded the malicious code implanted within the company’s update server for its Orion IT management software.
However, officials believe "a much smaller number have been compromised by follow-on activity on their systems" – and these include fewer than 10 government agencies. The group said it is also "working to identify and notify the nongovernment entities who also may be impacted."
Microsoft and cybersecurity firm FireEye last month estimated several dozen organizations were victimized by hackers beyond merely downloading the backdoor vulnerability discovered in SolarWinds Orion. The New York Times over the weekend the reported that intelligence officials now believe that 250 organizations may have been "affected."
In the wake of the ongoing breach, some lawmakers have suggested the hack was an act of war. Other lawmakers and analysts have pointed out merely breaching the government's systems is espionage, but does not constitute an act of war.
The government assessment is that the hack falls under the category of espionage.
"At this time, we believe this was, and continues to be, an intelligence gathering effort," the statement reads.
The statement also details the roles and responsibilities of the task force agencies, and notes that NSA is working with defense industrial base system owners to assess "the scale and scope of the incident" and provide mitigation assistance. No defense contractors have yet been identified as targets. Officials at the Departments of Defense, Treasury, Commerce and Homeland Security have confirmed that they were affected by the breach. Press reports have named other agencies including the State Department and the National Institutes of Health as targets.
President Donald Trump has previously suggested China was behind the hack. That claim was not mentioned in the task force statement.
This article was first posted to FCW, a sibling site to GCN.