US intelligence confirms actor 'likely Russian in origin' behind the SolarWinds hacking campaign
The operation appears to be an intelligence gathering effort, rather than an act of cyber warfare, agencies say
The US intelligence task force investigating the massive hacking campaign which compromised the networks of several government agencies believes that the cyber actor behind the operation was "likely Russian in origin" and that the "serious compromise" will require "a sustained and dedicated effort to remediate".
In a joint statement issued on Tuesday, the Federal Bureau of Investigation (FBI), the Cybersecurity and Infrastructure Security Agency (CISA), the Office of the Director of National Intelligence (ODNI) and the National Security Agency (NSA) said that the hacking operation appears to be an intelligence gathering effort, rather than an act of cyber warfare.
The intelligence agencies added that they were taking all necessary steps to respond accordingly.
The security breach, which used compromised SolarWinds software to intrude on users' networks, was discovered last month. After the discovery the National Security Council (NSC) staff set up a task force known as the Cyber Unified Coordination Group (UCG) to coordinate the investigation and to deal with the incident.
The UCG, composed of officials from the FBI, CISA, ODNI and the NSA, stated that "of the approximately 18,000 affected public and private sector customers of SolarWinds' Orion product, a much smaller number have been compromised by follow-on activity on their systems".
The intelligence agencies have so far identified "fewer than ten" US government agencies that were compromised in the cyber campaign. The officials said that they are also working to identify the private sector firms that have been affected in this campaign.
The FBI is currently working to identify victims, collect evidence and determine further attribution, and is "sharing results with our government and private sector partners to inform operations, the intelligence picture, and network defence," the statement says.
The cyber intrusion, which sent shockwaves across the US and around the world, was disclosed last month after several media outlets claimed that the networks of the US Treasury Department and the US Department of Commerce's National Telecommunications and Information Administration (NTIA) were compromised in a massive cyber campaign.
Russian threat group Cozy Bear was named as a probable perpetrator, but this is the first time the authorities have officially named Russia. In December, President Trump claimed that China was behind the attack.
The US government later confirmed reports about the intrusion, stating that hackers backed by a foreign government were able to breach the computer networks of the US Treasury Department and an agency within the Commerce Department.
Cyber security firm FireEye claimed that the attackers had compromised SolarWinds' network monitoring software Orion by "inserting malicious code into legitimate software updates for the Orion software that allow an attacker remote access into the victim's environment".
SolarWinds later claimed that fewer than 18,000 of its customers had likely downloaded the compromised software update.
On 31st December, Microsoft disclosed that an internal investigation into the incident had found that hackers were also able to access Microsoft's source code in a number of source code repositories.
The company, however, asserted that hackers could not make any changes to the code, and had not used any of Microsoft's machines to launch attacks against other organisations.