(Jan. 8, 2021) A major computer hack that was originally estimated to have affected 18,000 organizations, including federal agencies, and that is now being attributed squarely to Russian actors, so far appears to have produced minimal follow-on activity, according to federal intelligence agencies.

In a release, the Cyber Unified Coordination Group (UCG) – a group formed by elements of the federal intelligence community to investigate and remediate the massive SolarWinds/Orion computer network hack that occurred last month – said that, of the approximately 18,000 public and private sector customers affected by the hack of SolarWinds’ Orion product, a much smaller number had been compromised by follow-on activity on their systems.

“We have so far identified fewer than 10 U.S. government agencies that fall into this category, and are working to identify and notify the nongovernment entities who also may be impacted,” the release stated.

The Jan. 5 release said that the FBI, the Cybersecurity and Infrastructure Security Agency (CISA), and the Office of the Director of National Intelligence (ODNI), with support from the National Security Agency (NSA), had “stood up” the UCG task force. The agencies said UCG is still working to understand the scope of the incident.

“This work indicates that an Advanced Persistent Threat (APT) actor, likely Russian in origin, is responsible for most or all of the recently discovered, ongoing cyber compromises of both government and non-governmental networks,” the release stated. “At this time, we believe this was, and continues to be, an intelligence gathering effort. We are taking all necessary steps to understand the full scope of this campaign and respond accordingly.”

LINKS:
Joint Statement by the Federal Bureau Of Investigation (FBI), the Cybersecurity And Infrastructure Security Agency (CISA), the Office of the Director Of National Intelligence (ODNI), and the National Security Agency (NSA)

NSA Cybersecurity Advisory: Malicious Actors Abuse Authentication Mechanisms to Access Cloud Resources

CISA resource page for SolarWinds/Orion supply chain compromise

(Dec. 18, 2020) NASCUS is in touch with federal authorities about the recent – and, some say, catastrophic – hack of IT systems, revealed over the past weekend, carried out by a nation-state hacking group through products offered by IT software provider SolarWinds.

The hack, according to documents filed by SolarWinds early this week with the Securities and Exchange Commission (SEC), appears to have affected about 18,000 of the firm’s 300,000 customers. The hackers reportedly inserted malware into updates for Orion, a software application by SolarWinds for IT inventory management and monitoring. The versions affected were 2019.4 through 2020.2.1, released between March 2020 and June 2020. According to reports, the malware allowed attackers to deploy additional and highly stealthy malware on the networks of SolarWinds customers. SolarWinds has not yet said how hackers breached its own network.
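The paragraph above gives the one concrete indicator a network defender can act on immediately: the range of Orion versions into which the malicious updates were inserted. The following is an added example (not NASCUS, SolarWinds or CISA code) of a small inventory-triage script that flags Orion installs whose version string falls inside that range. The inventory records, hostnames and the non-affected version values are constructed sample data, and the assumption that Orion versions are reported as dotted numeric strings such as "2020.2.1" (optionally followed by a hotfix label) is ours; the exact affected builds should be confirmed against the CISA emergency directive before any remediation decision is made.

```python
"""Triage helper: flag SolarWinds Orion installs whose version lies in the
affected range reported in the SEC filing (2019.4 through 2020.2.1).

Added example, not code from NASCUS, SolarWinds or CISA. Version strings
are assumed to be dotted numerics, optionally followed by a hotfix label;
the sample inventory below is constructed.
"""
import re
from typing import List, Tuple

# Range as stated in the SEC filing described in the article (inclusive).
AFFECTED_LOW = "2019.4"
AFFECTED_HIGH = "2020.2.1"

_VERSION_RE = re.compile(r"\d+(?:\.\d+)*")


def parse_version(v: str) -> Tuple[int, ...]:
    """Turn '2020.2.1' (or '2020.2.1 HF2') into (2020, 2, 1).

    Pads to three components so '2019.4' compares as (2019, 4, 0), and
    ignores any trailing hotfix label, which we assume does not change
    whether the base build is inside the affected range.
    """
    match = _VERSION_RE.match(v.strip())
    if match is None:
        raise ValueError(f"unrecognised Orion version string: {v!r}")
    parts = [int(p) for p in match.group(0).split(".")]
    while len(parts) < 3:
        parts.append(0)
    return tuple(parts)


def is_affected(version: str) -> bool:
    """True when the version lies within [AFFECTED_LOW, AFFECTED_HIGH]."""
    low = parse_version(AFFECTED_LOW)
    high = parse_version(AFFECTED_HIGH)
    return low <= parse_version(version) <= high


def triage(inventory: List[dict]) -> List[dict]:
    """Return the inventory records that warrant emergency-directive follow-up."""
    return [rec for rec in inventory if is_affected(rec["version"])]


# Constructed sample inventory: hostnames and version values are made up.
SAMPLE_INVENTORY = [
    {"host": "orion-prod-01", "version": "2020.2.1"},      # upper bound, affected
    {"host": "orion-lab-02", "version": "2019.2"},         # predates the range
    {"host": "orion-dr-03", "version": "2020.2 HF1"},      # inside range, hotfix label ignored
    {"host": "orion-test-04", "version": "2021.1"},        # constructed later value, outside
    {"host": "orion-old-05", "version": "2019.4"},         # lower bound, affected
]

if __name__ == "__main__":
    for rec in triage(SAMPLE_INVENTORY):
        print(f"{rec['host']}: Orion {rec['version']} is in the affected range; "
              f"review the CISA emergency directive")
```

The comparison works on padded integer tuples rather than string order, so "2020.2" correctly sorts below "2020.2.1" and "2019.10" would sort above "2019.4"; the script is a triage aid for prioritising hosts, not a substitute for the directive's own list of affected builds.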

However, as the relatively narrow scope of those affected by the hack indicates, the attack was targeted at specific organizations using the software, including the Treasury Department and the Department of Commerce’s National Telecommunications and Information Administration (NTIA).

Other federal government customers known to be using the software (but which may or may not be affected by the hack) include the Cybersecurity and Infrastructure Security Agency (CISA), U.S. Cyber Command, the Departments of Defense, Homeland Security, Energy and Veterans Affairs, the FBI, and others. Customers in other countries may also have been affected, including governments.

NASCUS is participating in a number of conversations among federal regulators regarding the hack, most of which are confidential, and monitoring developments. However, during the conversations, groups such as NASCUS have been urged to encourage their members to review the CISA emergency directive on the compromise and plug into the agency for updates as they become available.

LINK:
CISA emergency directive on SolarWinds/Orion management products