Feds: SolarWinds Breach Is Likely Russian Intel Gathering Effort

Nearly ten U.S. government agencies experienced follow-on activity on their systems after being compromised through a malicious SolarWinds Orion update, the Cyber Unified Coordination Group says.

A Russian Advanced Persistent Threat group is likely behind the recent cyberattacks on government and non-government networks for intelligence gathering purposes, according to federal officials.

The Cyber Unified Coordination Group (UCG) announced Tuesday that nearly ten U.S. government agencies experienced follow-on activity on their systems after being compromised through a malicious update to their SolarWinds Orion network monitoring platform. The UCG said it’s also working to identify and notify the nongovernment entities that experienced follow-on activity on their systems.

“This is a serious compromise that will require a sustained and dedicated effort to remediate,” the UCG said in a joint statement. “We are taking all necessary steps to understand the full scope of this campaign and respond accordingly.”

[Related: SolarWinds Hit With Class-Action Lawsuit Alleging Securities Violations]

Official attribution of the SolarWinds attack to Russia is consistent with most previous statements by federal officials as well as media reports. The Washington Post on Dec. 13 became the first entity to attribute the campaign to hackers affiliated with the Russian foreign intelligence service, also known as APT29 or Cozy Bear.

Then on Dec. 15, U.S. Sen. Richard Blumenthal, D-Conn., backed the Post’s claims, tweeting “Stunning. Today’s classified briefing on Russia’s cyberattack left me deeply alarmed, in fact downright scared.” Three days later, Secretary of State Mike Pompeo became the first Trump administration official to blame Russia, stating “we can say pretty clearly that it was the Russians that engaged in this activity.”

A notable dissent around attribution came from President Donald Trump, who in a Dec. 19 tweet played down the attack and shifted blame to China. “Russia, Russia, Russia is the priority chant when anything happens because Lamestream [Media] is, for mostly financial reasons, petrified of discussing the possibility that it may be China (it may!),” Trump tweeted in his first public remarks on the breach.

Moreover, the UCG’s assertion that the recent cyber compromises were part of an intelligence gathering effort is consistent with previous campaigns carried out by APT29. The Washington Post said that APT29 hacks for traditional espionage purposes, stealing secrets that can be useful for the Kremlin to understand the plans and motives of politicians and policymakers.

Prior to the SolarWinds hack, APT29 was most famous for hacking the State Department and White House hacks during the Obama years. APT29 also compromised the Democratic National Committee servers in 2015 but didn’t end up leaking the hacked DNC material. Instead, the Russian military spy agency GRU separately hacked the DNC and leaked its emails to WikiLeaks in 2016, The Post said.

The Russian foreign ministry on Dec. 13 described allegations of its involvement in the hack as another unfounded attempt by the U.S. media to blame Russia for cyberattacks against U.S. agencies. “Malicious activities in the information space contradicts the principles of the Russian foreign policy, national interests and our understanding of interstate relations,” the Russian embassy to the U.S. wrote on Facebook.

The UCG task force was stood up by National Security Council staff to coordinate the investigation and remediation of the cyberattack on federal government networks. The task force is compromised of the FBI, Cybersecurity and Infrastructure Security Agency (CISA), the Office of the Director of National Intelligence (ODNI), and the National Security Agency (NSA).

The FBI’s investigation is focused on identifying victims, collecting evidence, analyzing the evidence to determine further attribution, and sharing results with government and private sector partners, the UCG said. CISA is the lead agency for asset response and is working to understand the extent of this campaign as well as the level of exploitation, according to the UCG.

ODNI, meanwhile, is coordinating intelligence collection activities to address knowledge gaps and drive United States Government mitigation and response effort, the UCG said. And the NSA is focused on assessing the scale and scope of the incident as well as providing technical mitigation measures, according to the UCG.

“Since its initial discovery, the UCG … as well as our private sector partners have been working non-stop,” the UCG said Tuesday. “These efforts did not let up through the holidays. The UCG will continue taking every necessary action to investigate, remediate, and share information with our partners and the American people.”