Federal agencies leading the response to a massive breach of public and private-sector entities across the globe said the events appear to be part of a still-active intelligence collection campaign connected to Russia.
Following reports of unauthorized access at the cybersecurity firm FireEye, the Commerce Department and others by a sophisticated actor, the National Security Council established the Cyber Unified Coordination Group, or UCG. It pulled together the FBI, the Cybersecurity and Infrastructure Security Agency, and the Office of the Director of National Intelligence, with support from the National Security Agency, on behalf of the president, according to a press release the group issued Tuesday.
“This work indicates that an Advanced Persistent Threat actor, likely Russian in origin, is responsible for most or all of the recently discovered, ongoing cyber compromises of both government and non-governmental networks,” the agencies said. “At this time, we believe this was, and continues to be, an intelligence gathering effort.”
President Donald Trump previously expressed doubt about Russian involvement in the hack and suggested China might be behind the operation while Secretary of State Mike Pompeo and Attorney General William Barr publicly connected the incident to Russia.
As the lead agency for threat response, the FBI is analyzing evidence toward further attribution, the group said.
Trump has also downplayed the seriousness of the event. While the UCG is still working to assess the full scope of the incident, the group said they believe fewer than ten U.S. government agencies were compromised.
According to security researchers, the perpetrators gained initial access to public and private systems, in part, by breaking into the software development environment of IT management company SolarWinds. SolarWinds Orion software is broadly used by leading public and private-sector organizations and the company estimated that about 18,000 of its customers downloaded an update that was carrying the hackers’ malware.
Among those customers was Microsoft, which subsequently notified 40 of its customers that they were further probed.
“The UCG believes that, of the approximately 18,000 affected public and private sector customers of SolarWinds’ Orion product, a much smaller number have been compromised by follow-on activity on their systems,” the joint statement reads. “We have so far identified fewer than ten U.S. government agencies that fall into this category, and are working to identify and notify the nongovernment entities who also may be impacted.”
The group said it would share more information as it becomes available.