Analysis
Attacks and Vulnerabilities
CISA
News
Threat Landscape

Recent supply chain attacks ‘likely Russian in origin,’ US agencies say

January 06, 2021
supply chain

U.S. security agencies issued a joint statement Tuesday stating that a task force, known as the Cyber Unified Coordination Group (UCG), composed of the FBI, CISA, and ODNI with support from the NSA, has been set up to coordinate the investigation and remediation of the impact of the recent supply chain cyber incident involving federal government networks.

The UCG is still working to understand the scope of the incident, but has issued updates on its investigation and mitigation efforts. It said that the serious compromise will require a sustained and dedicated effort to remediate. The UCG remains focused on ensuring that victims are identified and able to fix their systems, and that evidence is preserved and collected.

Four agencies behind the joint statement are the Cybersecurity and Infrastructure Security Agency (CISA), the Office of the Director of National Intelligence (ODNI), and the National Security Agency (NSA). All these agencies are members of the Cyber UCG joint task force set up by the White House National Security Council to investigate and deal with the fallout from the SolarWinds supply chain attack.

This work indicates that an Advanced Persistent Threat (APT) actor, likely Russian in origin, is responsible for most or all of the recently discovered, ongoing cyber compromises of both government and non-governmental networks, the agencies noted in a press statement.

Currently, “we believe this was, and continues to be, an intelligence gathering effort,” according to the statement. “We are taking all necessary steps to understand the full scope of this campaign and respond accordingly.”

The move by the US security agencies may have been prompted by a newspaper report that the extent of the SolarWinds supply chain attack is only increasing, with the cyber incident now “believed to have affected upward of 250 federal agencies and businesses.

About three weeks back, the CISA advised all federal civilian agencies to review their networks for indications of compromise, and immediately disconnect or power down SolarWinds Orion products using versions 2019.4 through 2020.2.1 HF1 immediately. The supply chain cyber incident affected networks across federal, state and local governments, as well as critical infrastructure entities and other private sector organizations.

CISA subsequently updated its earlier advisory after finding evidence of initial access vectors other than the SolarWinds Orion software. CISA followed up its previous advisories last week by asking US federal agencies to update the SolarWinds Orion software by the end of 2020 in a supplementary guidance that broadens its earlier Emergency Directive (ED).

The fallout of the SolarWinds attack has in the meanwhile reached the courtrooms. A class-action lawsuit has been filed Monday in the U.S. District Court for the Western District of Texas by a company shareholder, demanding a trial by jury.

The case alleges that SolarWinds made materially false and misleading statements about its security posture throughout 2020, according to the court documents. It also claims that SolarWinds, outgoing CEO Kevin Thompson and CFO Barton Kalsu made false and/or misleading statements and/or failed to disclose that since mid-2020 SolarWinds Orion monitoring products had a vulnerability that allowed hackers to compromise the server upon which the products ran, and that SolarWinds’ update server had an easily accessible password of ‘solarwinds123.’

Anna Ribeiro
Industrial Cyber News Editor. Anna Ribeiro is a freelance journalist with over 14 years of experience in the areas of security, data storage, virtualization and IoT.

A complimentary guide to the who`s who in industrial cybersecurity tech & solutions

Free Download

Related

Forescout report warns of growing security risks to critical infrastructure as OT/ICS exposed data escalates
Forescout report warns of growing security risks to critical infrastructure as OT/ICS exposed data escalates
ASIS Foundation reports on impact of autonomous vehicles on security and technology
ASIS Foundation reports on impact of autonomous vehicles on security and technology
European Commission makes €112 million investment in AI, quantum research under Horizon Europe program
European Commission makes €112 million investment in AI, quantum research under Horizon Europe program
MITRE unveils ATT&CK v15 with upgraded detections, analytic format, cross-domain adversary insights
MITRE unveils ATT&CK v15 with upgraded detections, analytic format, cross-domain adversary insights
RMC
Risk Mitigation Consulting acquires Securicon, boosting cybersecurity and mission assurance offerings
Hackers target Tipton Municipal Utilities wastewater treatment plant, prompting federal investigation
Hackers target Tipton Municipal Utilities wastewater treatment plant, prompting federal investigation
New CGCYBER report warns of cybersecurity risks in marine environment due to network-connected OT systems
New CGCYBER report warns of cybersecurity risks in marine environment due to network-connected OT systems
Ukrainian CERT details malicious plan by Sandworm group to disrupt critical infrastructure facilities
Ukrainian CERT details malicious plan by Sandworm group to disrupt critical infrastructure facilities
DC3, DCSA collaborate to launch vulnerability disclosure program for defense industrial base
DC3, DCSA collaborate to launch vulnerability disclosure program for defense industrial base
Waterfall’s WF-600 unidirectional security gateway brings 'unbreachable protection' to OT/ICS networks
Waterfall, 2TS enter into cybersecurity alliance for African market