U.S. security agencies issued a joint statement Tuesday stating that a task force, known as the Cyber Unified Coordination Group (UCG), composed of the FBI, CISA, and ODNI with support from the NSA, has been set up to coordinate the investigation and remediation of the impact of the recent supply chain cyber incident involving federal government networks.
The UCG is still working to understand the scope of the incident, but has issued updates on its investigation and mitigation efforts. It said that the serious compromise will require a sustained and dedicated effort to remediate. The UCG remains focused on ensuring that victims are identified and able to fix their systems, and that evidence is preserved and collected.
Four agencies behind the joint statement are the Cybersecurity and Infrastructure Security Agency (CISA), the Office of the Director of National Intelligence (ODNI), and the National Security Agency (NSA). All these agencies are members of the Cyber UCG joint task force set up by the White House National Security Council to investigate and deal with the fallout from the SolarWinds supply chain attack.
This work indicates that an Advanced Persistent Threat (APT) actor, likely Russian in origin, is responsible for most or all of the recently discovered, ongoing cyber compromises of both government and non-governmental networks, the agencies noted in a press statement.
Currently, “we believe this was, and continues to be, an intelligence gathering effort,” according to the statement. “We are taking all necessary steps to understand the full scope of this campaign and respond accordingly.”
The move by the US security agencies may have been prompted by a newspaper report that the extent of the SolarWinds supply chain attack is only increasing, with the cyber incident now “believed to have affected upward of 250 federal agencies and businesses.”
About three weeks back, the CISA advised all federal civilian agencies to review their networks for indications of compromise, and immediately disconnect or power down SolarWinds Orion products using versions 2019.4 through 2020.2.1 HF1 immediately. The supply chain cyber incident affected networks across federal, state and local governments, as well as critical infrastructure entities and other private sector organizations.
CISA subsequently updated its earlier advisory after finding evidence of initial access vectors other than the SolarWinds Orion software. CISA followed up its previous advisories last week by asking US federal agencies to update the SolarWinds Orion software by the end of 2020 in a supplementary guidance that broadens its earlier Emergency Directive (ED).
The fallout of the SolarWinds attack has in the meanwhile reached the courtrooms. A class-action lawsuit has been filed Monday in the U.S. District Court for the Western District of Texas by a company shareholder, demanding a trial by jury.
The case alleges that SolarWinds made materially false and misleading statements about its security posture throughout 2020, according to the court documents. It also claims that SolarWinds, outgoing CEO Kevin Thompson and CFO Barton Kalsu made false and/or misleading statements and/or failed to disclose that since mid-2020 SolarWinds Orion monitoring products had a vulnerability that allowed hackers to compromise the server upon which the products ran, and that SolarWinds’ update server had an easily accessible password of ‘solarwinds123.’