The foreign hackers who compromised a wide array of government and corporate computer networks appear to have spied on fewer than 10 of the federal agencies left vulnerable by their attack, U.S. officials investigating the breaches said Tuesday.
The joint statement by the FBI, NSA, CISA and the Office of the Director of National Intelligence — which called Russia the "likely" source of the attack — had been approved two weeks ago but was delayed at the White House’s insistence, a person familiar with the matter told POLITICO.
The officials stressed that the hacking campaign, which persisted undetected for months before being uncovered in December, "is a serious compromise that will require a sustained and dedicated effort to remediate."
Investigators believe that, “of the approximately 18,000 affected public and private sector customers of SolarWinds’ Orion product, a much smaller number have been compromised by follow-on activity on their systems,” the four agencies said. “We have so far identified fewer than ten U.S. government agencies that fall into this category, and are working to identify and notify the nongovernment entities who also may be impacted.”
Advanced hackers “likely Russian in origin” are behind “most or all of the recently discovered, ongoing cyber compromises,” the statement said, in what amounts to the first formal — albeit tentative — U.S. government attribution of the sophisticated supply chain attack to Moscow.
The statement was notable as much for what it said as for what it made clear remained uncertain.
“At this time, we believe this was, and continues to be, an intelligence gathering effort,” the agencies said. “We are taking all necessary steps to understand the full scope of this campaign and respond accordingly.”
The FBI, CISA and ODNI have formed a Cyber Unified Coordination Group to oversee the government’s response to the SolarWinds campaign. The NSA is supporting the three agencies in their work.
The UCG is part of an Obama-era process for responding to significant cyberattacks. As POLITICO first reported, the Trump administration activated this process shortly after discovering the breach. At the time, a U.S. official told POLITICO that “this is probably going to be one of the most consequential cyberattacks in U.S. history.”
The FBI is focused on, among other things, identifying victims of the attack and collecting forensic evidence to “determine further attribution,” the statement said. CISA is focused on sharing information about the campaign with government and private-sector partners. And ODNI is “coordinating intelligence collection activities to address knowledge gaps,” which involves tasking spy agencies to gather more details about the attack.
Natasha Bertrand contributed to this report.