The Office of the Director of National Intelligence (ODNI), the Federal Bureau of Investigation (FBI), the DHS’ Cybersecurity and Infrastructure Security Agency (CISA), and the National Security Agency (NSA) issued a joint statement with the approval of the Trump Administration saying that Russian threat actors are behind the supply chain attack on SolarWinds Orion software.
Soon after the attack, the National Security Council organized a task force known as the Cyber Unified Coordination Group (UCG) with responsibility for investigating the breach. The task force is composed of the FBI, CISA, and ODNI, with the NSA in a supporting role. The task force is still determining the full extent of the data security incident but has reported that an Advanced Persistent Threat (APT) actor of probable Russian origin conducted the attack.
There is considerable evidence indicating that the attack on the SolarWinds software was part of an intelligence-gathering operation carried out by Russia. Although various media outlets had earlier reported the security breach as being led by Russia, the first formal public attribution from the Trump administration was issued by Secretary of State Mike Pompeo and former Attorney General Bill Barr. President Trump had earlier suggested that China could have been involved and has yet to comment on the attribution to Russia. Russia has once again denied any involvement in the incident.
The hackers compromised the software update mechanism of the SolarWinds Orion software and inserted a backdoor called Sunburst/Solarigate to gain remote access to the systems of institutions that downloaded the compromised update. The investigation confirmed that the campaign was active for 9 months, during which the systems of hundreds of institutions were affected. The attackers then selected targets of interest for further compromise. In the second stage of the attack, additional malware was deployed and the hackers attempted to gain access to victims’ online environments. Microsoft stated that gaining access to the online environments of victims was the main objective of the attack.
The UCG believes that the systems of close to 18,000 public and private sector organizations were breached through the SolarWinds Orion program update; however, a much smaller number experienced follow-on activity on their systems. Amazon and Microsoft have begun investigating the security breach and are evaluating their web environments for indicators of compromise. Based on their information, it appears that the web environments of close to 250 of the 18,000 victims were impacted. That number may well rise as the investigation of the attack proceeds.
Another malware variant, known as the Supernova web shell, was also discovered on the systems of selected victims. This malware was installed by exploiting a zero-day vulnerability in the SolarWinds Orion program and does not appear to have been deployed by the same attackers.
Fewer than 10 U.S. government organizations had their systems affected. Recently, the Department of Justice announced that it was impacted. Although the hackers obtained access to its systems, the DOJ stated that the breach only affected its Microsoft Office 365 email environment and that only around 3% of its mailboxes were impacted. The DOJ stated that none of its identified systems appear to have been impacted by the breach.