- A federal intelligence agency task force investigating the massive SolarWinds hack says the attackers are an Advanced Persistent Threat group "likely Russian in origin," according to a statement Tuesday from The Cyber Unified Coordination Group (UCG).
- The group, which includes the Cybersecurity and Infrastructure Security Agency (CISA), FBI, Office of the Director of National Intelligence (ODNI), with support of the National Security Agency, says 18,000 government agencies and private sector companies were affected by the ongoing hack, but a much smaller number were "compromised by follow-on activity in their systems."
- Fewer than 10 government agencies found follow-on activity, according to the statement. The attackers used the SolarWinds Orion platform as a vector to access systems of top federal agencies and companies.
In the weeks following discovery of the hack, federal officials said the attack had the "hallmarks" of a Russian cyber intrusion, but Tuesday the recently formed UCG formally provided attribution to Russia.
The UCG serves as a response to private sector officials who wanted the administration to work more collaboratively on information and intelligence sharing that will help industry recover from the attack.
"The taskforce is groundbreaking and an optimistic indicator that the United States can mount a government approach to protect both industry and critical infrastructure," Eric Noonan, CEO at CyberSheath, said.
Such an effort on the part of these agencies has the potential to be "transformational" for the U.S., Noonan said, adding that he could not recall a time when there was this level of "coordination of these kinds of assets" in the cyber defense sector.
While SolarWinds notified about 33,000 Orion customers, CISA is balancing private sector confidentiality and data requests from DHS as the fallout continues.
DHS is among the agencies impacted by the cyber campaign, and CISA denied a DHS request for confidential data regarding SolarWinds and private companies, according to The Wall Street Journal. CISA feared the transaction would damage its relationship with private industry because companies enrust CISA with technical details of cyber incidents, which can include proprietary data.
CISA is the primary agency coordinating public and private cyber efforts. Until a National Cyber Director is appointed in the incoming Biden administration, CISA acts as the pseudo advocate for cross-sector collaboration.
The agency's role in the UCG is leader for asset response, working to share information with public and private sector partners and has created a free tool to help detect malicious activity related to the attack. CISA previously directed federal agencies to power down and disconnect from SolarWinds.
CISA's overall success is dependent upon its continued relationship with the private sector. Some security professionals feared former Director Chris Krebs' termination would fracture the relationship it created over the last couple of years.
However, Morgan Wright, chief security advisor at SentinelOne, is still looking for more transparency between the task force and the private sector. He asked whether the number of companies that were compromised is just under 18,000 or between 1,000 and 2,000. He also noted reports that at least three states were impacted by the attack.
The other agencies in the task force have unique roles.
The FBI is focused on four critical areas: identifying victims, gathering evidence, analyzing the evidence to determine further attribution and sharing results with public and private sector partners.
The ODNI is coordinating the intelligence agency response to the attack, providing the most up to date intelligence to the group and helping to provide situational awareness to key stakeholders.
The NSA is supporting UCG to provide intelligence, cybersecurity expertise and actionable guidance to the agencies and to the Department of Defense and Defense Industrial Base system owners.