U.S. agencies say Russia ‘likely’ behind SolarWinds compromise

Four American intelligence and law enforcement agencies say the odds are Russia was behind the hack of SolarWinds’ Orion network management platform that led to the compromise of an unknown number of government and private sector organizations around the world.

In a joint statement Tuesday, the Office of the Director of National Intelligence, the National Security Agency, the FBI and the Cybersecurity and Infrastructure Security Agency (CISA) said an advanced persistent threat (APT) actor, “likely Russian in origin,” is responsible for most or all of the recently discovered and ongoing cyber compromises of both government and non-governmental networks.

UPDATE: On April 15th the U.S. formally accused the Russian foreign intelligence agency known as SVR (also called Cozy Bear and APT 29 by some researchers) of being behind the exploit. Canada, the U.K. and other countries joined the statement.

In an attempt to defuse worries that the attackers may have placed malware that could in the future shut down electrical utilities and other sensitive U.S. critical infrastructure, the statement also says that the attack appears to be, at the moment, exclusively an “intelligence-gathering effort.”

“We are taking all necessary steps to understand the full scope of this campaign and respond accordingly,” the statement read.

The four agencies were appointed to a Cyber Unified Coordination Group (UCG) to analyze the attack, which only became publicly known when FireEye discovered last month that some of its Red Team tools for testing customer networks had been stolen. Upon investigation, FireEye realized the vehicle for the theft was an infected deployment of Orion that allowed the installation of a backdoor. Orion had been compromised through altered software updates that were downloaded by about 18,000 users.

The UCG has so far identified fewer than 10 U.S. government agencies that downloaded the updates, including the Treasury and Energy departments.

A ‘serious compromise’

“This is a serious compromise that will require a sustained and dedicated effort to remediate,” the statement warned.

As the lead agency for threat response, the FBI is still trying to identify victim organizations, collect evidence and nail down attribution. CISA is focused on sharing information quickly with government departments and the private sector to understand the extent of the campaign and the level of exploitation. CISA has also created a free tool for detecting unusual and potentially malicious activity related to this incident. In an Emergency Directive posted December 14, CISA also ordered IT pros to either disconnect or power down affected SolarWinds Orion products on federal networks.

The NSA is focused on assessing the scale and scope of the incident, as well as providing technical mitigation measures.

In an email interview, Ed Dubrovsky, managing partner of the Toronto-based incident response firm Cytelligence, noted that supply chain attacks are highly planned and take months, if not years, to bring to fruition.

“While many threat actors are focused on monetary gain, this attack was a long-term approach to compromising numerous types of organizations. Monetary attacks are typically short in their ‘implementation phase’ and involve a short reconnaissance phase identifying a possible attack vector and quickly move to implementing the attack, followed by an action, e.g. encryption of files in order to push the victim to make a payment (such as a ransomware attack).

The SolarWinds compromise took years to infiltrate the SDLC (software development lifecycle) of the organization, but there must have been an objective even before this step, and that objective was likely based on some intelligence collected that identified possible victim organizations as targets of interest.”

As for attribution, an attack that requires many resources and likely very specific access would certainly be attributed to a nation-state, he said.

“Russia, as one of the leading countries typically seen behind many of the people involved in threat actor ransomware groups, has developed a very advanced approach to cyberattacks, and as such, the conclusion that Russia is likely behind the attacks is quite feasible. In my opinion, China, Iran and North Korea would have been other candidates, but they are likely lagging behind the Russian capabilities in this area.”

Howard Solomon
Currently a freelance writer, I'm the former editor of ITWorldCanada.com and Computing Canada. An IT journalist since 1997, I've written for several of ITWC's sister publications including ITBusiness.ca and Computer Dealer News. Before that I was a staff reporter at the Calgary Herald and the Brampton (Ont.) Daily Times. I can be reached at hsolomon [@] soloreporter.com
