US government formally blames Russia for SolarWinds hack
Four US cyber-security agencies, namely the FBI, CISA, ODNI, and the NSA, have released a joint statement today formally accusing the Russian government of orchestrating the SolarWinds supply chain attack.
US officials said that “an Advanced Persistent Threat (APT) actor, likely Russian in origin” was responsible for the SolarWinds hack, which officials described as “an intelligence gathering effort.”
The joint statement partially confirms a report from the Washington Post last month, which linked the SolarWinds intrusion to APT29, a codename used by the cyber-security industry to describe hackers associated with the Russian Foreign Intelligence Service (SVR).
While US government officials did not link the SolarWinds hack to APT29 or any other specific hacking group, the joint statement appears to respond to public criticism that the Trump administration was intentionally avoiding attributing the attack to Russian hackers.
These rumors have circulated primarily because of the perceived relationship between President Trump and Russia, and the help he is believed to have received from Russian hackers during the 2016 Presidential Election.
But the joint statement also addresses another issue: it formally describes the SolarWinds hack as “an intelligence gathering effort.”
US officials hope that categorizing the hack this way will put an end to the constant conspiracy theories going around online that the purpose of the SolarWinds hack was to tamper with voting machines and perform election fraud.
In addition, the joint statement also shed some light on the damage of the attack.
The SolarWinds supply chain attack took place after Russian hackers broke into SolarWinds’ backend infrastructure and added malware (named Sunburst/Solorigate) to SolarWinds Orion update packages.
Around 18,000 Orion customers received and installed these updates, but only on a few of these networks did Russian hackers choose to escalate the attack with a second-stage malware payload called Teardrop.
While the first-stage Sunburst malware payload was spotted on thousands of systems, the four agencies said that “fewer than ten US government agencies” were targeted with additional malware.
The four agencies behind today’s joint statement are the Federal Bureau of Investigation (FBI), the Cybersecurity and Infrastructure Security Agency (CISA), the Office of the Director of National Intelligence (ODNI), and the National Security Agency (NSA). All four agencies are members of the Cyber Unified Coordination Group (UCG), a joint task force set up by the White House National Security Council to investigate and deal with the fallout from the SolarWinds attack.
In a Facebook post shortly after the Washington Post report last month, Russian officials contested the paper’s findings. Russian officials have not formally responded to today’s FBI-CISA-ODNI-NSA joint statement.