Ongoing investigations into the significant December 2020 cyber attack on various US government agencies, orchestrated through a breach of SolarWinds Orion products, are increasingly pointing to a Russian espionage operation, according to a taskforce report.
According to the Cyber Unified Coordination Group (UCG), a single advanced persistent threat (APT) actor, likely Russian in origin, is responsible for “most or all” of the compromises that have occurred through the attack.
“At this time, we believe this was, and continues to be, an intelligence gathering effort. We are taking all necessary steps to understand the full scope of this campaign and respond accordingly,” said the group in a statement.
The UCG was stood up in the wake of the attack, which is also known as Solorigate or Sunburst, and comprises expertise from the Federal Bureau of Investigation (FBI), the Cybersecurity and Infrastructure Security Agency (CISA), the Office of the Director of National Intelligence (ODNI) and the National Security Agency (NSA).
Out of the 18,000 public and private sector users of the tainted Orion product that have so far been identified, the UCG now believes that a far smaller number have been compromised by actual malicious activity. It said it had identified fewer that 10 US government agencies afflicted, although it is working to identify others.
“This is a serious compromise that will require a sustained and dedicated effort to remediate. Since its initial discovery, the UCG, including hardworking professionals across the US government, as well as our private sector partners have been working non-stop,” said the UCG.
“These efforts did not let up through the holidays. The UCG will continue taking every necessary action to investigate, remediate and share information with our partners and the American people.”
Gurucul CEO Saryu Nayyar said the Solorigate attack was a perfect example of a state cyber attack. “Unlike typical cyber criminals, these threats at this level have almost unlimited resources and will target virtually anything that may forward their agenda,” she said.
“It is likely the damage from this attack will run much deeper than is revealed to the public, but it may serve as a wake-up call that organisations and vendors at all levels need to up their cyber security game.
“They need to assess their current security posture and make sure they have the best possible components in place, including security analytics. The benefit is that designing defences to blunt state-level attackers should be more than enough to thwart common cyber criminals,” she added.
SolarWinds is now also facing a class action lawsuit brought against its senior management – including its CEO – on behalf of a US-based shareholder whose complaint alleges that the company was well aware of the potential for it to be compromised, and made false and misleading statements that wrongfully inflated its stock price.
In other news relating to the SolarWinds attack, Microsoft last week revealed that while none of its production services or customer data was compromised by the Solorigate attackers, its investigations had detected activity that went beyond the presence of malicious SolarWinds code in its environment.
“We detected unusual activity with a small number of internal accounts and, upon review, we discovered one account had been used to view source code in a number of source code repositories,” said Microsoft.
“The account did not have permissions to modify any code or engineering systems and our investigation further confirmed no changes were made. These accounts were investigated and remediated.”