U.S. intel agencies say SolarWinds hack 'likely Russian in origin,' appears to be espionage

By Justin Doubleday / January 5, 2021 at 4:54 PM

U.S. investigators confirmed today that they believe Russia is likely behind the SolarWinds cyber hack into multiple federal government agencies and private networks revealed last month, though the operation appears to be limited to intelligence gathering.

In a joint statement released today, the National Security Council's "Cyber Unified Coordination Group" updated what it says is a continuing investigation into the SolarWinds software compromise uncovered last month, but likely extending back to spring of last year. The group is composed of the FBI, the Cybersecurity and Infrastructure Security Agency, the Office of the Director of National Intelligence and the National Security Agency.

"This work indicates that an Advanced Persistent Threat (APT) actor, likely Russian in origin, is responsible for most or all of the recently discovered, ongoing cyber compromises of both government and non-governmental networks," the group said. "At this time, we believe this was, and continues to be, an intelligence gathering effort. We are taking all necessary steps to understand the full scope of this campaign and respond accordingly."

The group said the statement was delivered "on behalf of President Trump." However, Trump has downplayed the Russian attribution and suggested that China may actually be behind the attack, connecting the incident to his baseless claims of widespread voter fraud in the 2020 election.

The compromised SolarWinds update was pushed to approximately 18,000 customers. However, U.S. intelligence agencies believe "a much smaller number have been compromised by follow-on activity on their systems," according to today's statement.

"We have so far identified fewer than ten U.S. government agencies that fall into this category, and are working to identify and notify the nongovernment entities who also may be impacted," the statement continues.

The Treasury and Commerce departments were among the first reported victims of the hack. Later reports said networks run by the State Department and the Energy Department's National Nuclear Security Administration were also affected.

Meanwhile, the Defense Department has said it has yet to uncover any evidence of a compromise.

"To date, we have no evidence of compromise of the DOD Information Network (DODIN)," Defense Information Systems Agency Director Vice Adm. Nancy Norton said late last month. "We are aware of the widespread and evolving cyber incident. We continue to assess our DOD Information Network for indicators of compromise and take targeted actions to protect our systems beyond the defensive measures we employ each day."

But officials expect the investigation and remediation efforts to continue well into the future. "This is a serious compromise that will require a sustained and dedicated effort to remediate," today's statement reads.