US government fingers Russia for SolarWinds-based cyberattack

A joint statement from the FBI, NSA, and other federal agencies says the cyber incident was likely Russian in origin.

moscowkremlinistock957923690aterrassi.jpg

Image: iStock/Aterrassi

The United States has pinned the blame on Russia for a devastating cyberattack campaign that has hit government agencies and corporations across the country.

SEE: Zero trust security: A cheat sheet (free PDF) (TechRepublic) 

To investigate the incident, the US has put together a task force known as the Cyber Unified Coordination Group (UCG), composed of the FBI, CISA (the Cybersecurity and Infrastructure Security Agency), and ODNI (the Office of the Director of National Intelligence) with support from the NSA, the group said on Tuesday. The UCG is currently striving to understand the scope of the attack but has named the likely culprit.

In a joint statement, the agencies said that the work "indicates that an Advanced Persistent Threat (APT) actor, likely Russian in origin, is responsible for most or all of the recently discovered, ongoing cyber compromises of both government and non-governmental networks." Further, the group said it believes the incident was designed as an intelligence gathering effort, which means a surveillance operation aimed at finding confidential and sensitive information.

The alarm bells on this matter rang in December when security firm FireEye and other organizations revealed that key US government agencies were compromised by a foreign nation-state in a series of cyberattacks. The attackers took advantage of a vulnerability in the SolarWinds Orion networking monitor to hide malicious code in otherwise legitimate software updates. As a result, the hackers were able to monitor internal emails and other data at the targeted agencies and companies.

The latest conclusions from the UCG fall in line with those made by other officials as well as security experts and analysts. Several parties had already implicated Russia as the culprit, at least unofficially, saying that the attackers were from the APT29 (aka Cozy Bear) group, which is part of Russia's SVR foreign intelligence service.

"Several media outlets have reported that APT29, a Russian state-sponsored hacking group also known as Cozy Bear, was behind the SolarWinds campaign," Lior Div, CEO of security firm Cybereason, told TechRepublic in December. "This is not the first time we've seen the Russians using this method. For a supply chain attack of this nature, the amount of manpower and time needed to prepare and the accuracy required by the threat actors make it very difficult to achieve."

Even Secretary of State Mike Pompeo stated in an interview that it was pretty clear the Russians engaged in these cyberattacks. One of the few notable people to cast doubt on Russia as the source was outgoing President Donald Trump, who tweeted on Dec. 19 the idea that China may have been behind the attack. But Trump has long been reticent to criticize Russia or Russian president Vladimir Putin for any real or perceived threats to the United States.

In its statement, the UCG revealed more details on the attacks. Out of the approximately 18,000 government agencies and private sector companies that were affected by the breach, fewer than 10 agencies were compromised by follow-up activities. The group said that it's working to identify and notify any non-government organizations that may have been further targeted this way.

Each of the organizations in the UCG is playing its own role in the investigation and mitigation of this incident. The FBI is identifying victims, collecting and analyzing evidence, and sharing the results with the necessary parties. CISA is sharing information and issuing recommendations regarding the use of the Orion product and the proper secure measures.

ODNI is making sure the UCG has the most up-to-date information, while the NSA is providing intelligence, cybersecurity expertise, and guidance to other members of the group. But cleaning up after the mess will not be an easy task.

"The clean-up effort will take many months and will consume quite an amount of time and money," Dirk Schrader, global VP at security firm New Net Technologies, told TechRepublic.

"Organizations which have been using the SolarWinds Orion solution are best advised to assume that their networks and system have been infiltrated and will need to adopt to that," Schrader said. "Some highly sensitive areas might even require a clean sweep and a fresh install of every asset involved. Just rolling back to a safe version of Orion isn't enough, when you have to assume that foothold has been established and related traces removed. The near future will tell which organization has been serious about this task, and which one not."

Everyone involved in this matter from analyst to expert to the US government also agrees that this breach is a grave matter and one that will take time and effort to investigate and mitigate.

"This is a serious compromise that will require a sustained and dedicated effort to remediate," the UCG said in its statement. "Since its initial discovery, the UCG, including hardworking professionals across the United States government, as well as our private sector partners have been working non-stop. The UCG will continue taking every necessary action to investigate, remediate, and share information with our partners and the American people."

But are the government's efforts too little and too late?

"The government should have already had a rapid response coordinated unit with these capabilities years ago," Brandon Hoffman, chief information security officer at security firm NetEnrich, told TechRepublic. "Maybe they did and we are only finding out now, but if they didn't that seems appalling considering that is what's expected of private sector organizations for years."

"A parallel stream to the current triage should be an examination of why our defenses and other early warning systems failed so miserably," Hoffman added. "This should be considered a critical effort. While we are busy triaging there is most certainly additional or follow-on attempts by other adversaries across the globe. There's blood in the water and everybody smells it."

Also see