More updates are emerging in the aftermath of the SolarWinds cyberattack.
The FBI, CISA, ODNI, and NSA joined together to create a new task force, the Cyber Unified Coordination Group (UCG).
The group was formed to coordinate an investigation into the SolarWinds breach. It also offered new context this week on the extent of the breach, the nation-state evidence, and a possible motive.
The Unified Coordination Group (UCG) confirms that of the 18,000 public and private sector customers of SolarWinds' Orion product, a relatively small number have been compromised by follow-on activity on their systems. The UCG also confirmed that "less than 10 US government agencies" have been affected by this follow-on activity.
The Unified Coordination Group is continuing to point the finger of attribution at Russia. Here is the latest from a new UCG joint statement:
"This work indicates that an Advanced Persistent Threat (APT) actor, likely Russian in origin, is responsible for most or all of the recently discovered, ongoing cyber compromises of both government and non-governmental networks. At this time, we believe this was, and continues to be, an intelligence gathering effort. We are taking all necessary steps to understand the full scope of this campaign and respond accordingly."
The SolarWinds supply chain attack was discovered just days before the Christmas holiday in the U.S., but according to the UCG, IT and security teams kept working. And they now indicate a possible motive:
"At this time, we believe this was, and continues to be, an intelligence gathering effort. We are taking all necessary steps to understand the full scope of this campaign and respond accordingly."
With four government agencies working together to continue investigating the SolarWinds attack, there are a lot of moving parts. This is how each agency is leading a part of the response:
For the latest joint statements and updates about the APT supply chain cyberattack, visit this CISA page and look for the dropdowns.