By Justin Katz
Jan 06, 2021
Russia is the likely culprit behind the widespread hack of U.S. networks, a White House task force has concluded.
Since the attack was discovered, analysts and some administration officials have suggested that a Russian intelligence service is behind the compromise of SolarWinds' Orion product, but the Jan. 5 statement from the Cyber Unified Coordination Group, which includes the FBI, the Cybersecurity and Infrastructure Security Agency, the National Security Agency and the Office of the Director of National Intelligence, is the first time the federal government has explicitly attributed the attack to Russia. "This work indicates that an Advanced Persistent Threat actor, likely Russian in origin, is responsible for most or all of the recently discovered, ongoing cyber compromises of both government and non-governmental networks," the statement reads.
Reacting to news reports claiming hackers may have used Czech software firm JetBrains' TeamCity tool as an initial infection vector during the attack against SolarWinds, JetBrains CEO Maxim Shafirov says the company has not been contacted by investigators. But he says customer misconfiguration of TeamCity could have enabled a hack. "JetBrains has not taken part or been involved in this attack in any way," the CEO says. He adds, however, that "it's important to stress that TeamCity is a complex product that requires proper configuration. If TeamCity has somehow been used in this [SolarWinds breach] process, it could very well be due to misconfiguration, and not a specific vulnerability."
US intelligence task force accuses Russia of cyber-hack
January 6, 2021
US intelligence agencies have said they believe Russia was behind the “serious” cyber compromise revealed in December.
President Trump had previously suggested China might have been behind the hack, although other members of his administration had pointed the finger at Moscow.
In a joint statement, the intelligence bodies say they currently believe fewer than 10 US government agencies saw their data compromised, although other organisations outside of government were also affected.
They say work is still going on to understand the scope of the incident, which appears to have been aimed at gathering intelligence and which they say is “ongoing” a month after details first emerged.
“We are taking all necessary steps to understand the full scope of this campaign and respond accordingly,” the statement read.
The four agencies were appointed to a Cyber Unified Coordination Group (UCG) to analyze the attack, which only became publicly known when FireEye discovered last month that some of its Red Team tools for testing customer networks had been stolen. Upon investigation, FireEye determined that the vehicle for the theft was a compromised deployment of Orion that had installed a backdoor. Orion itself had been compromised through altered software updates, which were downloaded by about 18,000 customers.
Of those, the UCG has so far identified fewer than 10 U.S. government agencies, including the Treasury and Energy departments, whose systems were actually compromised by follow-on activity after installing the updates.