A group of U.S. intelligence agencies on Tuesday formally accused Russia of being linked to the recently discovered hack of IT group SolarWinds that compromised much of the federal government.
The FBI, the Office of the Director of National Intelligence (ODNI), the National Security Agency (NSA) and the Cybersecurity and Infrastructure Security Agency (CISA) attributed the effort to Russia. The four agencies had set up a cyber unified coordination group in December after the compromise of SolarWinds was revealed.
“This work indicates that an Advanced Persistent Threat (APT) actor, likely Russian in origin, is responsible for most or all of the recently discovered, ongoing cyber compromises of both government and non-governmental networks,” the agencies said in a joint statement around their investigation into the cyber incident.
The agencies emphasized that “at this time, we believe this was, and continues to be, an intelligence gathering effort. We are taking all necessary steps to understand the full scope of this campaign and respond accordingly.”
Reuters first reported last month that the Commerce and Treasury departments had been hacked as part of the attack on SolarWinds, which counts the majority of federal agencies and U.S. Fortune 500 companies as customers.
Since then, agencies including the Department of Homeland Security, the Department of Defense and the Energy Department’s National Nuclear Security Administration have confirmed they were affected by the attack, with hackers potentially present in these systems since March.
SolarWinds reported in a filing with the Securities and Exchange Commission last month that up to 18,000 of its customers had potentially been compromised.
The federal agencies on Tuesday noted that of the 18,000 public and private sector groups that used SolarWinds’s Orion software, which the hackers used to infiltrate networks, “fewer than ten U.S. government agencies” had been “compromised by follow-on activity in their systems.”
President Trump addressed the hack — among the worst cyber incidents in American history — in a tweet last month in which he questioned whether China was involved. Both the Chinese and Russian governments have denied involvement.
“The Cyber Hack is far greater in the Fake News Media than in actuality. I have been fully briefed and everything is well under control,” Trump tweeted. “Russia, Russia, Russia is the priority chant when anything happens because Lamestream is, for mostly financial reasons, petrified of discussing the possibility that it may be China (it may!).”
Both Secretary of State Mike Pompeo and former Attorney General William Barr have previously said they believed Russia was behind the cyber espionage incident, while President-elect Joe Biden described the hack as a “grave risk to our national security.”
Biden said last month that the attack had all the hallmarks of a Russian cyber operation, and urged Trump to officially designate the nation as behind the incident.
“It certainly fits Russia’s long history of reckless disruptive cyber activities, but the Trump administration needs to make an official attribution,” Biden said. “This assault happened on Donald Trump’s watch when he wasn’t watching. It’s still his responsibility as president to defend American interests for the next four weeks.”
Pompeo doubled down Tuesday on accusing Russia of hacking the SolarWinds software, telling Bloomberg News that the incident “was in fact a Russian operation,” though emphasizing that the U.S. constantly faces cyberattacks from other nations including China, North Korea and Iran.
The federal agencies described the incident Tuesday as “a serious compromise that will require a sustained and dedicated effort to remediate,” and vowed to “continue taking every necessary action to investigate, remediate, and share information with our partners and the American people.”
Some initial steps were taken to respond to the incident in December, with CISA issuing an emergency directive requiring all federal agencies to immediately disconnect from any SolarWinds products or software.
Federal agencies were not the only groups hit, with Microsoft confirming last week that the hackers had been able to view its source code, though not change anything, linking the attack to an unnamed nation state.
Microsoft President Brad Smith wrote in a blog post published in December that the company had notified 40 customers that were targeted “more precisely” by the attackers, with these groups including government agencies, think tanks, IT groups and government contractors in the U.S. and around the world.
“This is not ‘espionage as usual,’ even in the digital age,” Smith wrote. “Instead, it represents an act of recklessness that created a serious technological vulnerability for the United States and the world.”