Federal intelligence agencies in the United States have publicly stated that the hacking of a SolarWinds update server to infiltrate enterprise networks worldwide was likely the work of a Russian-origin APT group.
While the agencies have stopped short of naming any particular APT group, the Cyber Unified Coordination Group (UCG), composed of the FBI, the NSA, CISA, and the Office of the Director of National Intelligence (ODNI), is presently investigating the SolarWinds hack and working to secure affected organisations, which include a number of US government departments.
During the course of their investigation, the agencies noted that even though approximately 18,000 organisations worldwide had installed the trojanised software update issued by SolarWinds, the hackers used that access to infiltrate the networks of only a small number of them, including fewer than ten U.S. government agencies. This led the agencies to believe that the hacking operation was principally an intelligence-gathering effort.
Nevertheless, the intelligence agencies are leaving no stone unturned to fully investigate the hacking attack, collect evidence, analyse the evidence to determine further attribution, identify the victims, and work with affected government and private organisations to speed up mitigation efforts.
"This is a serious compromise that will require a sustained and dedicated effort to remediate. Since its initial discovery, the UCG, including hardworking professionals across the United States Government, as well as our private sector partners have been working non-stop. These efforts did not let up through the holidays. The UCG will continue taking every necessary action to investigate, remediate, and share information with our partners and the American people," the Cyber Unified Coordination Group said.
"This work indicates that an Advanced Persistent Threat (APT) actor, likely Russian in origin, is responsible for most or all of the recently discovered, ongoing cyber compromises of both government and non-governmental networks. At this time, we believe this was, and continues to be, an intelligence-gathering effort. We are taking all necessary steps to understand the full scope of this campaign and respond accordingly.
"The UCG remains focused on ensuring that victims are identified and able to remediate their systems, and that evidence is preserved and collected. Additional information, including indicators of compromise, will be made public as they become available," it added.
Organisations that installed the trojanised software update to the SolarWinds Orion platform can accelerate their mitigation and remediation efforts by using a suspicious activity detection tool issued by the Cybersecurity and Infrastructure Security Agency (CISA). They can also refer to a set of recommendations issued by the FBI and to guidance from the UK's National Cyber Security Centre.
The need for a coordinated global response to the SolarWinds hack was echoed by Microsoft's president Brad Smith who said the cyber attack was "a broad and successful espionage-based assault on both the confidential information of the U.S. Government and the tech tools used by firms to protect them."
"It’s critical that we step back and assess the significance of these attacks in their full context. This is not “espionage as usual,” even in the digital age. Instead, it represents an act of recklessness that created a serious technological vulnerability for the United States and the world.
"In effect, this is not just an attack on specific targets, but on the trust and reliability of the world’s critical infrastructure in order to advance one nation’s intelligence agency. While the most recent attack appears to reflect a particular focus on the United States and many other democracies, it also provides a powerful reminder that people in virtually every country are at risk and need protection irrespective of the governments they live under," Smith said.