US security agencies have formally identified a Russian advanced persistent threat (APT) actor as the “likely” culprit behind the SolarWinds hack, a software supply-chain attack that reached approximately 18,000 organisations through a tainted software update.
A joint statement by the FBI, National Security Agency (NSA), Cybersecurity and Infrastructure Security Agency (CISA) and the Office of the Director of National Intelligence (ODNI) described the cyberattack as an “intelligence-gathering effort”.
The SolarWinds hack first came to light in December, when US cybersecurity firm FireEye revealed it had been breached by a “highly sophisticated” attack launched by a nation state with “top-tier offensive capabilities”. Days later FireEye traced the intrusion to a backdoor planted in SolarWinds’ Orion software, which it named Sunburst.
The four security agencies have formed a task force known as the Cyber Unified Coordination Group (UCG) to investigate the SolarWinds hack, which has affected thousands of public and private sector customers using SolarWinds’ popular Orion product.
From as early as March 2020, the suspected Russian state-backed hackers inserted malicious code into software updates for Orion, a platform organisations use to monitor their networks for outages and performance problems. The backdoored update was distributed through SolarWinds’ normal release channel, so it reached customers as an ordinary, vendor-supplied update.
Organisations that installed the tainted Orion update unwittingly gave the attackers remote access to their networks, allowing them to steal information and, potentially, lay the groundwork for further attacks.
The UCG said in its statement that only a much smaller number of those 18,000 customers saw follow-on activity on their systems, and that “fewer than ten US government agencies” were compromised in this way.
In December, Reuters reported that the US Treasury and Commerce departments were affected by the attack. The US Department of Energy, which is responsible for managing the country’s nuclear weapons, was also compromised, although the department said the security of its nuclear arsenal had not been affected.
The SolarWinds hack has been described as one of the worst ever cyber espionage attacks on the US government.
Russia has denied any involvement in the attack.
Last month the Washington Post linked the SolarWinds hack to APT29, also known as Cozy Bear, a hacking group associated with the Russian Foreign Intelligence Service (SVR).
The UCG has not attributed the attack to APT29 or any other named group, saying only that it is likely Russian in origin and that it continues to gather evidence and investigate.