A joint statement has been issued by the Federal Bureau of Investigation (FBI), the DHS’ Cybersecurity and Infrastructure Security Agency (CISA), the Office of the Director of National Intelligence (ODNI), and the National Security Agency (NSA) on behalf of the Trump Administration attributing the supply chain attack on SolarWinds Orion software to Russian threat actors.
Following the attack, the National Security Council created a task force known as the Cyber Unified Coordination Group (UCG) to investigate the breach, which consisted of the FBI, CISA, and ODNI, with support provided by the NSA. The task force is still investigating the scope of the data security incident but has announced that the attack was conducted by an Advanced Persistent Threat (APT) actor and was “likely Russian in origin.”
Evidence has been mounting that the SolarWinds software was compromised as part of an intelligence gathering operation run by Russia. While several media outlets have previously reported the security breach as being a Russia-led operation, and Secretary of State Mike Pompeo and former Attorney General Bill Barr both suggested Russia was behind the campaign, this is the first official public attribution issued by the Trump administration. President Trump had previously stated China may have been involved and has yet to comment on the attribution to Russia. Russia has denied any involvement in the attack.
The hackers compromised the software update feature of SolarWinds Orion software and incorporated a backdoor dubbed Sunburst/Solarigate, which gave them remote access to the systems of organizations that downloaded the compromised software update. The investigation confirmed the operation had been active for nine months, during which time the systems of thousands of organizations were compromised. The hackers then picked targets of interest for further compromise. In the second stage of the attack, further malware was delivered and the hackers attempted to gain access to victims’ cloud environments. Microsoft said gaining access to the cloud environments of victims was the primary goal of the attack.
The UCG believes the systems of around 18,000 public and private sector companies were breached via the SolarWinds Orion software update; however, a much smaller number experienced follow-on activity on their systems. Amazon and Microsoft have launched investigations into the security breach and have been examining their cloud environments for signs of compromise. Based on their evidence, it appears that the cloud environments of around 250 of the 18,000 victims were compromised. That figure may well rise as the investigation into the attack continues.
A further malware variant called Supernova – a web shell – has also been detected on the networks of some victims. This malware variant was delivered by exploiting a zero-day vulnerability in the SolarWinds Orion software and does not appear to have been delivered by the same threat actors.
Fewer than 10 U.S. government agencies had their systems breached. The Department of Justice is the most recent government agency to announce it was affected. While the hackers had access to its systems, the DOJ said the breach was limited to its Microsoft Office 365 email environment and only around 3% of its mailboxes were accessed. The DOJ said none of its classified systems appear to have been breached.