U.S.: Evidence of spying found at fewer than 10 agencies hit by massive hack

Investigators believe that, “of the approximately 18,000 affected public and private sector customers of SolarWinds’ Orion product, a much smaller number have been compromised by follow-on activity on their systems,” the four agencies said. “We have so far identified fewer than ten U.S. government agencies that fall into this category, and are working to identify and notify the nongovernment entities who also may be impacted.”

Advanced hackers “likely Russian in origin” are behind “most or all of the recently discovered, ongoing cyber compromises,” the statement said, in what amounts to the first formal — albeit tentative — U.S. government attribution of the sophisticated supply chain attack to Moscow.

The statement was notable as much for what it said as for what it made clear remained uncertain.

“At this time, we believe this was, and continues to be, an intelligence gathering effort,” the agencies said. “We are taking all necessary steps to understand the full scope of this campaign and respond accordingly.”

The FBI, CISA and ODNI have formed a Cyber Unified Coordination Group to oversee the government’s response to the SolarWinds campaign. The NSA is supporting the three agencies in their work.

The UCG is part of an Obama-era process for responding to significant cyberattacks. As POLITICO first reported, the Trump administration activated this process shortly after discovering the breach. At the time, a U.S. official told POLITICO that “this is probably going to be one of the most consequential cyberattacks in U.S. history.”

The FBI is focused on, among other things, identifying victims of the attack and collecting forensic evidence to “determine further attribution,” the statement said. CISA is focused on sharing information about the campaign with government and private-sector partners. And ODNI is “coordinating intelligence collection activities to address knowledge gaps,” which involves tasking spy agencies to gather more details about the attack.

Natasha Bertrand contributed to this report.