On Tuesday, officials from the U.S. government formally accused the Russian government of orchestrating the significant SolarWinds supply chain compromise unveiled last month. This allegation came as part of a broader assessment conducted by multiple agencies, including the Federal Bureau of Investigation (FBI) and the Cybersecurity and Infrastructure Security Agency (CISA).

The joint statement from the FBI, CISA, Office of the Director of National Intelligence (ODNI), and National Security Agency (NSA) indicated that an Advanced Persistent Threat (APT) likely tied to Russian interests is responsible for a series of cyber intrusions affecting both governmental and non-governmental networks.

Despite these allegations, the Russian government has flatly denied involvement. On December 13, officials from Moscow asserted that they “do not conduct offensive operations in the cyber domain,” marking their steadfast rejection of the accusations.

The FBI and other agencies are part of the Cyber Unified Coordination Group (UCG), a task force established by the White House National Security Council that is currently investigating and coordinating responses to the SolarWinds incident. Their initial findings categorize the event as an “intelligence gathering effort,” with the agencies working to determine the full extent of the breach. Preliminary assessments indicate that fewer than 10 government agencies have been compromised, although the precise identities of these agencies have yet to be revealed.

Earlier reports have pointed to major U.S. government entities, including the Departments of Treasury, Commerce, State, Energy, and Homeland Security, among those affected by compromised SolarWinds software. An estimated 18,000 clients of SolarWinds are believed to have downloaded a tainted software update, but the UCG asserts that only a limited number of those experienced subsequent intrusive actions within their networks.

In a detailed analysis, Microsoft pointed out that a second-stage malware variant, identified as Teardrop, has been selectively deployed against targets following reconnaissance actions intended to identify high-value accounts and assets. The operation has been associated with APT29, also known as Cozy Bear, a group linked to the Russian Foreign Intelligence Service (SVR).

The stealthy nature of the SolarWinds attack underscores its audacity, as the attackers exploited the trust associated with SolarWinds’ Orion software to infiltrate numerous government agencies and corporations undetected for as long as nine months. This prolonged access allowed them to view source code and steal sophisticated security tools prior to the breach being detected.

In light of the repercussions of the breach, SolarWinds is now facing legal challenges: a shareholder has filed a class-action lawsuit against the company and its executives. The lawsuit claims that the company failed to adequately disclose vulnerabilities in its Orion monitoring products, in particular an easily accessible password for its update server. The suit compounds the reputational damage arising from the incident.

As investigations continue, business owners and cyber risk professionals must remain vigilant and informed, cognizant of the evolving tactics and strategies employed by cyber adversaries. By understanding the implications of incidents like SolarWinds through the lens of the MITRE ATT&CK framework, organizations can better assess their cybersecurity posture and implement measures to mitigate future risks.
