Four American intelligence and law enforcement agencies say Russia was likely behind the compromise of SolarWinds’ Orion network management platform, a supply-chain attack that led to intrusions at an unknown number of government and private sector organizations around the world.
In a joint statement Tuesday, the Office of the Director of National Intelligence, the National Security Agency, the FBI and the Cybersecurity and Infrastructure Security Agency (CISA) said an advanced persistent threat (APT) actor, “likely Russian in origin,” is responsible for most or all of the recently discovered and ongoing cyber compromises of both government and non-governmental networks.
UPDATE: On April 15th the U.S. formally accused Russia's foreign intelligence service, the SVR (whose operators some researchers track as Cozy Bear or APT29), of being behind the campaign. Canada, the U.K. and other countries joined the statement.
In an attempt to defuse worries that the attackers may have planted malware that could later shut down electrical utilities and other sensitive U.S. critical infrastructure, the statement also says that the attack appears, at the moment, to be exclusively an “intelligence-gathering effort.”
“We are taking all necessary steps to understand the full scope of this campaign and respond accordingly,” the statement read.
The four agencies make up a Cyber Unified Coordination Group (UCG) formed to analyze the attack, which only became publicly known when FireEye discovered last month that some of its Red Team tools for testing customer networks had been stolen. Upon investigation, FireEye realized the vehicle for the theft was a trojanized deployment of Orion that allowed the installation of a backdoor. Orion had been compromised through altered software updates, signed and distributed through SolarWinds' normal update channel, that were downloaded by about 18,000 customers.
The UCG has so far identified fewer than 10 U.S. government agencies that downloaded the updates, including the Treasury and Energy departments.
A ‘serious compromise’
“This is a serious compromise that will require a sustained and dedicated effort to remediate,” the statement warned.
As the lead agency for threat response, the FBI is still trying to identify victim organizations, collect evidence and nail down attribution. CISA is focused on sharing information quickly with government departments and the private sector to understand the extent of the campaign and the level of exploitation. CISA has also released a free tool for detecting unusual and potentially malicious activity related to this incident. In an Emergency Directive posted December 14, CISA also ordered federal agencies to either disconnect or power down affected SolarWinds Orion products on their networks.
The NSA is focused on assessing the scale and scope of the incident, as well as providing technical mitigation measures.