Agencies: SolarWinds hack has limited follow on so far

(Jan. 8, 2021) A major computer hack that was originally estimated to have affected 18,000 businesses, including federal agencies, and is now being blamed squarely on Russian origins, so far seems to have had minimal follow-on activities, according to federal intelligence agencies.

In a release, the Cyber Unified Coordination Group (UCG) – a group formed by elements of the federal intelligence community to investigate and remediate the massive SolarWinds/Orion computer network hack that occurred last month – said that, of the approximately 18,000 affected public and private sector customers affected by the hack of the Solar Winds’ Orion product, a much smaller number had been compromised by follow-on activity on their systems.

“We have so far identified fewer than 10 U.S. government agencies that fall into this category, and are working to identify and notify the nongovernment entities who also may be impacted,” the release stated.

The Jan. 5 release said that the FBI, Cybersecurity and Infrastructure Security Agency (CISA), the Office of the Director of National Intelligence (ODNI), with support from the National Security Agency (NSA), said they had “stood up” the UCG task force. The agencies said UCG is still working to understand the scope of the incident.

“This work indicates that an Advanced Persistent Threat (APT) actor, likely Russian in origin, is responsible for most or all of the recently discovered, ongoing cyber compromises of both government and non-governmental networks,” the release stated. “At this time, we believe this was, and continues to be, an intelligence gathering effort. We are taking all necessary steps to understand the full scope of this campaign and respond accordingly.”

Joint Statement by the Federal Bureau Of Investigation (FBI), the Cybersecurity And Infrastructure Security Agency (CISA), the Office of the Director Of National Intelligence (ODNI), and the National Security Agency (NSA)

NSA Cybersecurity Advisory: Malicious Actors Abuse Authentication Mechanisms to Access Cloud Resources

CISA resource page for Solar Winds/Orion supply chain compromise