U.S. officials characterize SolarWinds hack as ‘intelligence gathering’ operation, ‘likely Russian in origin

February 16, 2021

The U.S. homeland security and intelligence community in a statement today said the massive SolarWinds hack of federal and private-sector networks appears to be part of an intelligence gathering operation by a Russian “advanced persistent threat actor.”

The U.S. government’s Cyber Unified Coordination Group, known as the UCG, “believes that, of the approximately 18,000 affected public and private sector customers of Solar Winds’ Orion product, a much smaller number have been compromised by follow-on activity on their systems. We have so far identified fewer than ten U.S. government agencies that fall into this category, and are working to identify and notify the nongovernment entities who also may be impacted,” according to a statement released today.

The UCG — activated by the National Security Council in light of the SolarWinds hack at the direction of President Trump — includes the FBI, the Cybersecurity and Infrastructure Security Agency, and the Office of the Director of National Intelligence. “The UCG is still working to understand the scope of the incident but has the following updates on its investigative and mitigation efforts,” the agencies said in the statement.

“This work indicates that an Advanced Persistent Threat (APT) actor, likely Russian in origin, is responsible for most or all of the recently discovered, ongoing cyber compromises of both government and non-governmental networks. At this time, we believe this was, and continues to be, an intelligence gathering effort. We are taking all necessary steps to understand the full scope of this campaign and respond accordingly,” according to the coordination group.

“This is a serious compromise that will require a sustained and dedicated effort to remediate,” the group said. “Since its initial discovery, the UCG, including hardworking professionals across the United States Government, as well as our private sector partners have been working non-stop. These efforts did not let up through the holidays. The UCG will continue taking every necessary action to investigate, remediate, and share information with our partners and the American people.”

The FBI investigation of the hack “is presently focused on four critical lines of effort: identifying victims, collecting evidence, analyzing the evidence to determine further attribution, and sharing results with our government and private sector partners to inform operations, the intelligence picture, and network defense,” according to the statement.

CISA “is focused on sharing information quickly with our government and private sector partners as we work to understand the extent of this campaign and the level of exploitation. CISA has also created a free tool for detecting unusual and potentially malicious activity related to this incident.”

ODNI “is coordinating the Intelligence Community to ensure the UCG has the most up-to-date intelligence to drive United States Government mitigation and response activities. Further, as part of its information-sharing mission, ODNI is providing situational awareness for key stakeholders and coordinating intelligence collection activities to address knowledge gaps.”

The National Security Agency is supporting the effort. “NSA’s engagement with both the UCG and industry partners is focused on assessing the scale and scope of the incident, as well as providing technical mitigation measures,” according to the statement.

President-elect Biden in December called for attribution and a vigorous response to the hack. “We can’t let this go unanswered,” Biden said during a Dec. 22 press conference. “That means making clear and publicly who was responsible for the attack and taking meaningful steps to hold them in account.”

Larry Clinton, president and CEO of the Internet Security Alliance, in a blog post today cautioned policymakers that “the SolarWinds attack was different in kind from most previous high-profile attacks like Target, Sony or Equifax. Solar Winds was a systemic attack, meaning the goal wasn’t to breach a specific organization, it was to compromise the system — the SolarWinds software — that served multiple entities, both government and industry.”

Clinton wrote: “To defend against these attacks, we need to do far more than focus on the individual locations of the compromise or the specific individual who was in charge of the entity.” 

| Inside Cybersecurity January 5, 2021