Russia likely source of massive SolarWinds hack, U.S. intelligence says

U.S. intelligence agencies have formally linked Russia to the massive ongoing cyberattack targeting thousands of sensitive government and private-sector computer networks, the Office of the Director of National Intelligence said on Tuesday.

A special task force including the DNI, FBI, Department of Homeland Security and the National Security Agency (NSA) officials described the SolarWinds hack as a “significant cyber incident” and said that Russian operatives were “likely” behind the operation.

The task force “is still working to understand the scope of the incident,” the DNI’s office said in a joint statement Tuesday afternoon.

In the statement, U.S. investigators said they had determined that “an advanced persistent threat (APT) actor, likely Russian in origin, is responsible for most or all of the recently discovered, ongoing cyber compromises of both government and non-governmental networks.”

The statement added, “At this time, we believe this was, and continues to be, an intelligence-gathering effort. We are taking all necessary steps to understand the full scope of this campaign and respond accordingly.”

The Russian government has denied any involvement in the attack, which has raised serious questions about the security of public and private computer networks in both the U.S. and abroad.

The cyberattack affected about 18,000 government and private networks, including computers at key federal agencies such as the Energy, Treasury and Commerce departments.

Sen. Mark Warner, Virginia Democrat and vice chairman of the Senate Select Committee on Intelligence, criticized the spy agencies for taking over three weeks to come up with what he called “a tentative attribution” of Russian involvement the hack.

“I would hope that we will begin to see something more definitive, along with a more public pronouncement of U.S. policy towards indiscriminate supply-chain infiltrations of this sort in the future,” Mr. Warner said in a statement. “We need to make clear to Russia that any misuse of compromised networks to produce destructive or harmful effects is unacceptable and will prompt an appropriately strong response.”

The federal Cybersecurity and Infrastructure Security Agency (CISA) said in a statement Dec. 17 the hackers had been operating undetected since March 2020.

The attack involved “patience, operational security and complex tradecraft in these intrusions,” the agency said, noting that removing the unauthorized intruders from systems will be “highly complex and challenging for organizations.”

“CISA has determined that this threat poses a grave risk to the federal government and state, local, tribal and territorial governments as well as critical infrastructure entities and other private sector organizations,” the agency said on its website.

Vulnerable systems range from the electrical grids to financial transaction networks, and the potential penetration of those system has raised fears Moscow is mapping American systems to be ready in the event of a future conflict. For example, getting inside the networks used to control electrical power generation and distribution could be used in wartime cyberattacks to shut off electricity regionally or nationwide.

Security investigators said that the attack involved a supply-chain compromise that exploited a flaw in network monitoring software called Orion produced by SolarWinds, a Texas-based company. The compromised software allowed the hackers to covertly install back door access points in networks.

According to CISA, SolarWinds Orion used performance monitoring and other analyzing tools that grants users wide-ranging access privileges, making it “a valuable target for adversary activity.”

A number of companies were hit by the hackers, including Microsoft. The company said on its website it had detected “malicious SolarWinds applications” and removed them, but not before hackers gained access to company source code.

Some of the networks targeted in the spying campaign were further attacked in what the intelligence agencies described as “follow-on activity” on their systems, including a small handful of U.S. government targets.

“We have so far identified fewer than 10 U.S. government agencies that fall into this category, and are working to identify the non-government entities who also may be impacted,” the statement said.

The statement said the NSA, the main electronic intelligence agency that specializes in foreign computer penetrations, is providing the task force with intelligence, cybersecurity expertise, and actionable guidance.