On January 5th, the US Cyber Unified Coordination Group (UCG) released a statement concluding what the origin of the recent “massive cyber-attack” was.
The UCG is made up of the Federal Bureau of Investigation (FBI), the Cybersecurity and Infrastructure Security Agency (CISA), the Office of the Director of National Intelligence (ODNI), and the National Security Agency (NSA).
A task force was formed to investigate by order of US President Donald Trump.
The UCG is still working to understand the scope of the incident but has the following updates on its investigative and mitigation efforts.
Regardless, though, Russia is to blame.
“This work indicates that an Advanced Persistent Threat (APT) actor, likely Russian in origin, is responsible for most or all of the recently discovered, ongoing cyber compromises of both government and non-governmental networks. At this time, we believe this was, and continues to be, an intelligence gathering effort. We are taking all necessary steps to understand the full scope of this campaign and respond accordingly.”
The UCG said it believed that, of the approximately 18,000 affected public and private sector customers of SolarWinds’ Orion product, a much smaller number have been compromised by follow-on activity on their systems.
“We have so far identified fewer than ten U.S. government agencies that fall into this category, and are working to identify and notify the nongovernment entities who also may be impacted.
This is a serious compromise that will require a sustained and dedicated effort to remediate. Since its initial discovery, the UCG, including hardworking professionals across the United States Government, as well as our private sector partners have been working non-stop. These efforts did not let up through the holidays. The UCG will continue taking every necessary action to investigate, remediate, and share information with our partners and the American people.”
It then describes what each agency brings to the proverbial table:
“As the lead agency for threat response, the FBI’s investigation is presently focused on four critical lines of effort: identifying victims, collecting evidence, analyzing the evidence to determine further attribution, and sharing results with our government and private sector partners to inform operations, the intelligence picture, and network defense.”
“As the lead for asset response, CISA is focused on sharing information quickly with our government and private sector partners as we work to understand the extent of this campaign and the level of exploitation. CISA has also created a free tool for detecting unusual and potentially malicious activity related to this incident. In an Emergency Directive posted December 14, CISA directed the rapid disconnect or power-down of affected SolarWinds Orion products from federal networks. CISA also issued a technical alert providing technical details and mitigation strategies to help network defenders take immediate action. CISA will continue to share any known details as they become available.”
“As the lead for intelligence support and related activities, ODNI is coordinating the Intelligence Community to ensure the UCG has the most up-to-date intelligence to drive United States Government mitigation and response activities. Further, as part of its information-sharing mission, ODNI is providing situational awareness for key stakeholders and coordinating intelligence collection activities to address knowledge gaps.”
And, finally, the NSA:
“The NSA is supporting the UCG by providing intelligence, cybersecurity expertise, and actionable guidance to the UCG partners, as well as National Security Systems, Department of Defense, and Defense Industrial Base system owners. NSA’s engagement with both the UCG and industry partners is focused on assessing the scale and scope of the incident, as well as providing technical mitigation measures.”
Adam Schiff, chairman of the House of Representatives intelligence committee, said in a statement:
“Congress will need to conduct a comprehensive review of the circumstances leading to this compromise, assess the deficiencies in our defences, take stock of the sufficiency of our response in order to prevent this from happening again, and ensure that we respond appropriately.”
There is, apparently, no evidence, but it is “highly likely” that it is Russia, which is of no surprise.
President-elect Joe Biden’s initial response spoke of retaliation, but there really isn’t much the United States can do beyond what it already does, namely accuse without evidence and impose sanctions.
Biden blamed Russia for the hack, and said that Trump made it possible for the hack to happen.
Biden suggested the outgoing president made the country vulnerable to such a crisis, citing Trump’s decision to abolish a White House role responsible for cybersecurity and blasting Trump’s “irrational downplaying of the seriousness of this attack.”
“Enough’s enough … we can’t let this go unanswered,” Biden continued, saying as commander in chief he would respond once the U.S. makes a formal declaration of Russian responsibility but declining to describe how he might do so. “We don’t sit here and say, we’re going to strike you with a nuclear weapon,” Biden told a reporter who asked him to outline possible options.
Biden said he was awaiting a full accounting of the damage done by the hack. Last week, he pledged to “make dealing with this breach a top priority from the moment we take office.”
It, apparently, went under the radar that SolarWinds majority owners Silver Lake and Thoma Bravo sold $286 million of stock just before the company announced a new CEO and disclosed the “massive cyber-attack.”
The private equity firms disposed of more than 13 million SolarWinds stock shares at $21.97 per share on Dec. 7, two days before the IT infrastructure management firm announced Pulse Secure’s Sudhakar Ramakrishna as its next CEO.
And just 4 days later, SolarWinds disclosed that it had allegedly experienced a highly sophisticated, manual supply chain attack on certain versions of its Orion network monitoring product.
SolarWinds’ stock is now trading at $18.46, nearly 16 percent lower than what Silver Lake and Thoma Bravo sold their shares for. Silver Lake sold 5.8 percent of its stake in publicly held SolarWinds for $157.5 million, while Thoma Bravo also sold 5.8 percent of its somewhat smaller stake in SolarWinds for $128.3 million.
So it appears that US Security agencies blame Russia, but there appears to be no evidence of that, and the only ones who have gained anything so far are the “victims”.
Russia has denied any involvement.