Hackers working for the Russian government were “likely” behind the software supply chain attack that planted a backdoor in the networks of 18,000 private companies and government agencies, officials at the US National Security Agency and three other agencies said Tuesday.
The assessment – made in a joint statement that also came from the FBI, the Cybersecurity and Infrastructure Security Agency and the Office of the Director of National Intelligence – went on to say that the hacking campaign was a “serious compromise that requires a sustained and committed effort to recover.”
Russia, Russia, Russia
The statement runs counter to US President Donald Trump’s tweets challenging the Russian government’s involvement and downplaying the seriousness of the attack, which compromised SolarWinds’ software distribution system in Austin, Texas and used it to deliver a malicious update to nearly 20,000 of its customers.
“The cyber hack is much bigger in the fake news media than it is in reality,” Trump wrote in a Twitter thread last month. “I have been fully informed and everything is well under control. Russia, Russia, Russia is the priority if something happens because Lamestream, for mainly financial reasons, is terrified to discuss the possibility that it might be China (it might!).”
Tuesday’s statement made no mention of China. Instead, it said the agencies’ investigation so far indicates the hack is a Kremlin-sponsored spy operation.
“This work indicates that an Advanced Persistent Threat (APT) actor, likely of Russian origin, is responsible for most or all of the recently discovered ongoing cyberattacks from both government and non-governmental networks,” officials wrote. “Right now, we believe this was and remains an intelligence-gathering attempt. We are taking all necessary steps to understand the full scope of this campaign and respond accordingly.”
The statement marks the second time Trump has been contradicted by people working in his own administration. Secretary of State Mike Pompeo has also said it was “pretty clear” that Russia was behind the hack.
Since the massive compromise came to light three weeks ago, researchers in both the public and private sectors have been scrambling to determine who was behind the hack, who was infected and what the hackers’ motives were.
SolarWinds, a provider of network management software, was the source for the estimate that 18,000 organizations had installed the backdoored update. Since then, researchers elsewhere have said that only a fraction of those organizations received a follow-up attack that used the backdoor to install additional malware that burrowed much deeper into networks.
So far, the agencies have “identified fewer than ten U.S. government agencies that fall into this category, and are working to identify and inform the non-governmental entities that may also be affected.” Tuesday’s joint statement did not name the agencies. Previous media coverage has named the Departments of Defense, State, Treasury, Commerce, Homeland Security, Agriculture and Energy as victims, but not all reporting explicitly states that these agencies received the follow-up attack.
On December 31, Microsoft said the hackers had used the backdoor to access its network and view source code, and that the company’s researchers were continuing to investigate. The entire campaign came to light after FireEye, one of the world’s top security companies, announced it had been breached. Security firm CrowdStrike, meanwhile, has said that although it was also targeted, the attempt failed.
The failure of the NSA and other federal agencies to detect the months-long hacking operation against some of the most sensitive government agencies and private companies was a major embarrassment. Tuesday’s statement suggests agencies are still struggling to contain and assess the damage that has been done.
Regardless of how Trump receives Tuesday’s assessment, it sets the tone for the incoming president, Joe Biden, who has criticized Trump for downplaying the hack.