The U.S. government has identified Russia as the “likely” culprit behind the widespread SolarWinds cyberattack that has so far affected multiple federal agencies and private-sector companies. Cyberespionage is cited as the motivation behind the attack, which the feds characterized as ongoing.
In a rare joint statement by the FBI, the Cybersecurity and Infrastructure Security Agency (CISA), the Office of the Director of National Intelligence (ODNI) and the National Security Agency (NSA), the agencies said a task force assigned to investigate the incident has found indications that Russia was behind the attack, something many government officials and security experts had already suspected.
“This work indicates that an advanced persistent threat (APT) actor, likely Russian in origin, is responsible for most or all of the recently discovered, ongoing cyber compromises of both government and non-governmental networks,” according to the statement, which did not provide the technical details behind the attribution. “At this time, we believe this was, and continues to be, an intelligence-gathering effort.”
The Departments of Homeland Security, Defense, Treasury and Commerce, the Pentagon, the National Institute of Health and others are known to have been attacked, along with Microsoft.
“The Cold War isn’t over. It just moved to the internet,” said Saryu Nayyar, CEO at Gurucul, via email. “And the SolarWinds attack is a perfect example of a state or state-sponsored actor turning their resources to cyberattack. Unlike typical cybercriminals, these threats at this level have almost unlimited resources and will target virtually anything that may forward their agenda.”
She added, “It is likely the damage from this attack will run much deeper than is revealed to the public, but it may serve as a wakeup call that organizations and vendors at all levels need to up their cybersecurity game. They need to assess their current security posture and make sure they have the best possible components in place, including security analytics. The benefit is that designing defenses to blunt state-level attackers should be more than enough to thwart common cybercriminals.”
SolarWinds: A Supply-Chain Nightmare
Sunburst, a.k.a. Solorigate, is the malware used as the tip of the spear in the supply-chain campaign, in which adversaries were able to use SolarWinds’ Orion network management platform to infect targets. It was pushed out via trojanized product updates to almost 18,000 organizations around the globe, starting last March. With Sunburst embedded, the attackers have since been able to pick and choose which organizations to further penetrate and steal information from.
The government’s Cyber Unified Coordination Group (UCG) responsible for following up on the attack “is still working to understand the scope of the incident” and is taking the “necessary steps” to “respond accordingly,” the agencies said, while “working to identify and notify the nongovernment entities who also may be impacted.”
The first indications of the attack happened in early December, when cybersecurity firm FireEye was hit with a highly targeted cyberattack that stole the company’s red teams assessment tools used to test its customers’ security.
Several days later, the DHS and the Treasury and Commerce department were the first of the government agencies to identify an attack related to the FireEye compromise that was pinned at the time on unidentified foreign adversaries. The scope of the effort continued to widen as more and more victims—including tech giant Microsoft, other federal agencies and related government contractors–were found to be affected.
Eventually, it was discovered that an attack vector leveraging the default password (“SolarWinds123”) of the SolarWinds platform gave attackers an open door into its software-updating mechanism. Combining that with SolarWinds’ deep visibility into customer networks became a “perfect storm” contributing to the widespread success of the attack, researchers said.
Indeed, federal agencies acknowledged that given the scope of the compromise, the effort to investigate and remediate the damage down will be a “sustained and dedicated effort” of both public and private security professionals across the country.
As for the ongoing investigation and response to the attack, the statement noted that the FBI is leading threat response; CISA is leading the asset response; and the ODNI is the lead for intelligence support and related activities. Meanwhile, the NSA is supporting the UCG by providing intelligence, cybersecurity expertise and actionable guidance, according to the statement.
“The UCG remains focused on ensuring that victims are identified and able to remediate their systems, and that evidence is preserved and collected,” as well as will provide updates to the investigation as they are available, the agencies said.
SolarWinds meanwhile is facing a class-action lawsuit from its investors over the financial fallout for the company stemming from the attack and its poor cybersecurity posture in using an easy-to-guess default password.
- Sunburst’s C2 Secrets Reveal Second-Stage SolarWinds Victims
- Microsoft Caught Up in SolarWinds Spy Effort, Joining Federal Agencies
- Nuclear Weapons Agency Hacked in Widening Cyberattack
- The SolarWinds Perfect Storm: Default Password, Access Sales and More
- DHS Among Those Hit in Sophisticated Cyberattack by Foreign Adversaries
- FireEye Cyberattack Compromises Red-Team Security Tools
Download our exclusive FREE Threatpost Insider eBook Healthcare Security Woes Balloon in a Covid-Era World , sponsored by ZeroNorth, to learn more about what these security risks mean for hospitals at the day-to-day level and how healthcare security teams can implement best practices to protect providers and patients. Get the whole story and DOWNLOAD the eBook now – on us!