A group of federal agencies including the FBI and NSA said this week that the massive SolarWinds hack attack discovered late last year was “likely Russian in origin,” in a rare statement of attribution. The agencies have been “working non-stop” to gather evidence and insight into the cyberattack, which potentially impacted 18,000 organizations, including large federal agencies and mega-corporations like Microsoft.
The so-called “supply chain” hack was orchestrated by criminals who managed to place rogue code into a software update for a SolarWinds product called Orion that is ubiquitous in government computers. Those computers were then infected during regular updates as early as March 2020. In one sliver of good news, the fed statement claims that while thousands of networks were infected, the agencies believe that very few of the compromised systems were actually used for nefarious “follow-on” activity.
“We have so far identified fewer than ten U.S. government agencies that fall into this category, and are working to identify and notify the nongovernment entities who also may be impacted,” the statement said. There are no additional details on that distinction, which might mean hackers never bothered to access the back door they’d left in most systems to steal data or alter it — or it might mean such activity has not yet been detected.
Still, the joint statement didn’t minimize the impact of the attack. “This is a serious compromise that will require a sustained and dedicated effort to remediate,” it read.
Since the SolarWinds compromise was revealed in December, there has been a steady stream of bad news about it. Microsoft announced soon after the attack was revealed that it had identified 40 customers which “the attackers targeted more precisely.” Then on New Year’s Eve, Microsoft revealed that the firm itself was also targeted more precisely. At least one hacker managed to view source code for a variety of products, Microsoft said.
“We detected unusual activity with a small number of internal accounts and upon review, we discovered one account had been used to view source code in a number of source code repositories. The account did not have permissions to modify any code or engineering systems and our investigation further confirmed no changes were made. These accounts were investigated and remediated,” the firm’s blog post read. It also said this access did not create additional risk for customers.
The statement of attribution released jointly by the four federal agencies (which also included the Cybersecurity and Infrastructure Security Agency and the Office of the Director of National Intelligence) seemed to contradict statements made about the hack by President Trump. On Dec. 19, he suggested Russia wasn’t involved.
“The Cyber Hack is far greater in the Fake News Media than in actuality,” Trump wrote in a short Twitter thread. “I have been fully briefed and everything is well under control. Russia, Russia, Russia is the priority chant when anything happens because Lamestream is, for mostly financial reasons, petrified of discussing the possibility that it may be China (it may!),” he wrote.
“There could also have been a hit on our ridiculous voting machines during the election, which is now obvious that I won big, making it an even more corrupted embarrassment for the USA. @DNI_Ratcliffe @SecPompeo”
The rare statement of attribution — which contradicted Trump’s Tweet, but was issued “On behalf of President Trump” — is significant because it offers at least some hints about the motivation of the hackers involved.
The attack reminds some observers of the 2014 hack on the Office of Personnel Management, which led to the theft of about 20 million current and former federal government employees’ records. That incident was blamed on China. So was the massive Anthem attack of 2015, and the Equifax hack in 2017.
In all four cases, there has been a disturbing lack of evidence that any data which might have been stolen during these large attacks has yet been used for any nefarious purpose. That suggests the hacks are part of a longer-term, ongoing surveillance or espionage mission. After the Equifax and OPM hacks, security professionals openly speculated that a nation-state was using the millions of stolen records to build a massive database of U.S. nationals that could be used in numerous virtual or real campaigns in the future.
[UPDATE: The panel has occurred. You can watch it on YouTube at this link.]
I’ll be discussing all this and more this afternoon at 6 p.m. ET in a virtual Zoom panel at Duke University’s Sanford School of Public Policy, where I am a visiting scholar this year. Together with Professor David Hoffman, I’ll be talking with Sean Lyngaas, CyberScoop senior reporter, about SolarWinds and its implications.