Hackers working for the Russian government were “likely” behind the software supply chain attack that planted a backdoor in the networks of 180,000 private companies and governmental bodies, officials from the US National Security Agency and three other agencies said on Tuesday.
The assessment—made in a joint statement that also came from the FBI, the Cybersecurity and Infrastructure Security Agency, and the Office of the Director of National Intelligence—went on to say that the hacking campaign was a “serious compromise that will require a sustained and dedicated effort to remediate.”
Russia, Russia, Russia
The statement is at odds with tweets from US President Donald Trump disputing the Russian government’s involvement and downplaying the severity of the attack, which compromised the software distribution system of Austin, Texas-based SolarWinds and used it to push a malicious update to almost 200,000 of its customers.
“The Cyber Hack is far greater in the Fake News Media than in actuality,” Trump wrote in a Twitter thread last month. “I have been fully briefed and everything is well under control. Russia, Russia, Russia is the priority chant when anything happens because Lamestream is, for mostly financial reasons, petrified of discussing the possibility that it may be China (it may!).”
Tuesday’s statement made no mention of China. Instead, it said that the agencies’ investigation so far points to the hack being an espionage operation sponsored by the Kremlin.
“This work indicates that an Advanced Persistent Threat (APT) actor, likely Russian in origin, is responsible for most or all of the recently discovered, ongoing cyber compromises of both government and non-governmental networks,” officials wrote. “At this time, we believe this was, and continues to be, an intelligence gathering effort. We are taking all necessary steps to understand the full scope of this campaign and respond accordingly.”
The statement is the second time Trump has been contradicted by people who work under his administration. Secretary of State Mike Pompeo has also said that Russia “pretty clearly” was behind the hack.
Damage assessment
Since the mass compromise came to light three weeks ago, investigators in both the public and private sectors have scrambled to learn who was behind the hack, who was infected, and what the hackers’ motives were.
SolarWinds, a supplier of network management software, was the source for the figure that 180,000 organizations installed the backdoored update. Since then, researchers elsewhere have said that only a subset of those organizations received a follow-on attack that used the backdoor to install additional malware that burrowed into networks much more deeply.
So far, the agencies have “identified fewer than ten US government agencies that fall into this category, and are working to identify and notify the nongovernment entities who also may be impacted.” Tuesday’s joint statement didn’t name the agencies. Previous media reporting has named the Departments of Defense, State, Treasury, Commerce, Homeland Security, Agriculture, and Energy as victims, but not all of the reporting explicitly says these agencies received the follow-on attack.
On December 31, Microsoft said the hackers used the backdoor in its network to view source code, and that company researchers were continuing to investigate. The entire campaign came to light after FireEye, one of the world’s top security firms, disclosed it had been breached. Security firm CrowdStrike, meanwhile, has said that, although it was also targeted, that attempt failed.
The failure of the NSA and other federal agencies to discover the months-long hacking operation against some of the most sensitive government agencies and private companies has been a major embarrassment. Tuesday’s statement suggests that the agencies are still struggling to contain and assess the damage that has resulted.
Regardless of how Trump receives Tuesday’s assessment, it sets the stage for the incoming president, Joe Biden, who has assailed Trump for downplaying the hack.