US names Russia as the likely perpetrator behind SolarWinds hack

The US government has made a formal accusation against Russia following the massive SolarWinds hack that came to light in mid-December last year. Four US agencies have also announced a joint task force “to coordinate the investigation and remediation of this significant cyber incident involving federal government networks”.

 

In the joint statement released by the Federal Bureau of Investigation (FBI), the Cybersecurity and Infrastructure Security Agency (CISA), the Office of the Director of National Intelligence (ODNI), and the National Security Agency (NSA), the four agencies announced a new task force created specifically to investigate the SolarWinds hack, a cyber attack that has put US government agencies at risk. The task force, named Cyber Unified Coordination Group (UCG), is still investigating the incident but has come to the conclusion that the attacker is likely Russian in origin. The UCG believes the SolarWinds hack to be an intelligence-gathering effort.

“This work indicates that an Advanced Persistent Threat (APT) actor, likely Russian in origin, is responsible for most or all of the recently discovered, ongoing cyber compromises of both government and non-governmental networks. At this time, we believe this was and continues to be, an intelligence-gathering effort. We are taking all necessary steps to understand the full scope of this campaign and respond accordingly,” the joint statement reads.

The SolarWinds cyber attack came to light in December last year, when a private cybersecurity company FireEye released a statement disclosing that updates for a widely used Orion software contained malicious code. Orion, developed by SolarWinds, is an IT infrastructure management software that is used by approximately 33,000 entities, including US government agencies such as the Department of Homeland Security, US Department of State, the Department of Energy, the National Nuclear Security Administration, and the Treasury Department.

It is believed that the attack on SolarWinds occurred in early 2020, as malicious Orion updates started being pushed in March 2020. That means that malicious actors could have been in US government systems for months before being detected. Out of the 33,000, more than half of Orion customers installed the updates containing malicious code.

The statement released by the joint task force explains that of the 18,000 customers that installed the malicious update, only a small number have been “compromised by follow-on activity in their systems”. Fewer than 10 US government agencies are among those compromised.

“This is a serious compromise that will require a sustained and dedicated effort to remediate. Since its initial discovery, the UCG, including hardworking professionals across the United States Government, as well as our private sector partners have been working non-stop,” said the UCG.

Companies like Microsoft were also revealed to have been affected. The tech giant disclosed that while their production services or customer data were not compromised, it has detected activity that went beyond the presence of malicious SolarWinds code in its environment.

“We detected unusual activity with a small number of internal accounts and upon review, we discovered one account had been used to view source code in a number of source code repositories. The account did not have permissions to modify any code or engineering systems and our investigation further confirmed no changes were made. These accounts were investigated and remediated,” Microsoft said in their own statement.

The US officially names Russia as the likely perpetrator

A statement released by the UCG

The news that Russia could be responsible for the SolarWinds cyber attack does not come as a surprise as that was the initial belief. However, the US government has avoided admitting officially that they believe Russia to be responsible. Current US President Donald Trump has even said that China may have been the one behind the attack.

“The Cyber Hack is far greater in the Fake News Media than in actuality. I have been fully briefed and everything is well under control. Russia, Russia, Russia is the priority chant when anything happens because Lamestream is, for mostly financial reasons, petrified of discussing the possibility that it may be China (it may!). There could also have been a hit on our ridiculous voting machines during the election, which is now obvious that I won big, making it an even more corrupted embarrassment for the USA,” the US President said in a tweet.

The cyberattack is still being investigated and the UCG will likely reveal more information in due time.