The U.S. government appears to be officially blaming Russia for the expansive and damaging SolarWinds hack, which it says was “likely” an “intelligence gathering” effort on the part of a hacker group connected to the Kremlin.
The announcement came Tuesday in a joint statement issued by multiple security agencies, including the FBI, the NSA, the Cybersecurity and Infrastructure Security Agency (CISA), and the Office of the Director of National Intelligence (ODNI). Until today, there was rampant speculation that Russia was behind the single biggest hack America has ever seen, though no official confirmation.
Authorities appeared to confirm what many had already hypothesized: that “an Advanced Persistent Threat (APT) actor, likely Russian in origin, is responsible for most or all of the recently discovered, ongoing cyber compromises of both government and non-governmental networks.” The government did not specify which APT was behind the hack, though earlier reports from the Washington Post and other outlets have alleged that the party responsible was APT 29, otherwise known as “Cozy Bear” a prominent cyber group attached to Russia’s intelligence service, the SVR.
Officials also announced the creation of a new task force from the U.S. National Security Council, the Cyber Unified Coordination Group (UCG), which will be responsible for investigating the hack while also leading remediation efforts. The group will be made up of staff from FBI, CISA, and ODNI, with “support” from the NSA.
According to official accounts, the Russian hackers infiltrated SolarWinds’ software Orion—a popular IT management program commonly used by government agencies—by installing trojanized malware into its software updates. These updates were then pushed out to the vendor’s customers. The hackers also used similar strategies to infiltrate Microsoft products and those of cloud service provider VMware.
The hack, which was first made public in early December, is believed to have affected some 18,000 public and private entities—including the U.S. Treasury, State Department, the Department of Homeland Security, and numerous Fortune 500 companies. Authorities said Tuesday that, of the affected victims, “fewer than ten U.S. government agencies” had been subject to “follow-on activity” on their networks, presumably referring to further infiltration.
In the meantime, SolarWinds has been sued by an investor who claims that the company knew about the software vulnerability that could be exploited and failed to remediate it or disclose its existence.
Government officials said Tuesday that the efforts to respond to the hack were ongoing.
“The UCG remains focused on ensuring that victims are identified and able to remediate their systems, and that evidence is preserved and collected,” authorities said. “Additional information, including indicators of compromise, will be made public as they become available.”