Russia Behind SolarWinds Hack – US Intelligence

Tom Jowitt,
Russian internet © Pavel Ignatov Shutterstock 2012

Russia was the likely culprit of the damaging SolarWinds supply chain compromise, multiple US intelligence agencies declare

Multiple US intelligence agencies have publicly declared that it is Russia was behind the supply chain compromise of a number of US government federal agencies.

The hackers inserted backdoor code into SolarWinds’ Orion platform in March of 2020 (or possibly earlier according to one US senator) and used this to access the systems of at least half-a-dozen US federal agencies, as well as potentially thousands of private firms before the attack was discovered in December.

The scale of the US government compromise is still being investigated, but just before Christmas US Senator Ron Wyden revealed that dozens of email accounts at the US Treasury Department were compromised.

Governmental breach

A number of leading tech firms and security firms such as FireEye have been caught up in this compromise.

Earlier this week Microsoft admitted that the SolarWinds hackers actually accessed and viewed source code repositories within Redmond.

Microsoft had previously disclosed that it, like thousands of other companies, made internal use of the software used in the attack, SolarWinds’ Orion network management software.

But now the office of the US director of national intelligence has said that Russia was “likely” to have been behind a string of hacks of US federal agencies identified last month.

The hackers breached fewer than 10 federal agencies, the Cyber Unified Coordination Group joint taskforce announced.

The FBI, the National Security Agency, and the Cybersecurity and Infrastructure Security Agency (CISA) inside the Department of Homeland Security, issued the joint statement, and said the hackers’ goal appeared to be collecting intelligence, rather than any destructive acts.

“This work indicates that an Advanced Persistent Threat (APT) actor, likely Russian in origin, is responsible for most or all of the recently discovered, ongoing cyber compromises of both government and non-governmental networks,” they stated. “At this time, we believe this was, and continues to be, an intelligence gathering effort. We are taking all necessary steps to understand the full scope of this campaign and respond accordingly.

It was the first official statement of attribution by the Trump administration.

Offshore engineering

This declaration that Russia was likely behind the compromise, has drawn a reaction from security experts.

“As was recently reported in the NYT, ‘SolarWinds moved much of its engineering to satellite offices in the Czech Republic, Poland and Belarus, where engineers had broad access to the Orion network management software that Russia’s agents compromised,” noted Rosa Smothers, senior VP of cyber operations at KnowBe4.

“As a former CIA officer who was intrinsically involved in HUMINT-enabled cyber operations, there’s a tremendous window of opportunity – we call it ‘spot, assess, and recruit’ – in areas where there is amplified geopolitical tension,” said Smothers. “For instance, Belarus is currently struggling against overt Russian influence.”