SAN FRANCISCO: The office of the US Director of National Intelligence on Tuesday (Jan 5) said Russia was "likely" behind a string of hacks identified last month that gained access to several federal agencies.
A joint statement by the FBI, Directorate of National Intelligence, the National Security Agency and Cybersecurity and Infrastructure Security Agency outlined their findings in what experts have called the most devastating break in US computer security in years.
They said the hackers' goal appeared to be collecting intelligence, rather than any destructive acts.
The agencies said that the actor, "likely Russian in origin, was responsible for most or all of the recently discovered, ongoing cyber compromises of both government and non-governmental networks".
The investigation is continuing, they said, and could turn up additional government victims.
"This is a serious compromise that will require a sustained and dedicated effort to remediate," said the joint statement.
"At this time, we believe this was, and continues to be, an intelligence gathering effort. We are taking all necessary steps to understand the full scope of this campaign and respond accordingly," the statement said.
It was the first formal statement of attribution by the Trump administration.
Elected officials briefed on the inquiry and Secretary of State Mike Pompeo had previously said Russia was behind the hacking spree, but President Donald Trump said it could have been China.
According to CISA, the hack is focused on the Orion security software produced by the US firm SolarWinds, widely found in government and private sector computers across the globe.
About 18,000 public and private customers of SolarWinds would be vulnerable to the hack, the statement said.
But it said that out of that number, "a much smaller number have been compromised by follow-on activity on their systems."
So far investigators have found fewer than 10 US government agencies whose systems were compromised, the statement said.
The statement did not identify which agencies. But some have admitted they were targets, including the State Department, Commerce Department, Treasury, Homeland Security Department, Defense Department, and the National Institutes of Health.
Officials briefed on the case said that the main target of the hackers appeared to be email. One said that no classified networks seem to have been breached and that fewer than 50 private companies had been fully compromised, a lower number than initially feared.
The security company FireEye, which was itself breached, discovered the new round of attacks.
It remains unknown how the hackers got deep inside SolarWinds' production system as long as a year ago. Once there, they were able to slip "back doors" into two digitally signed updates of the company's flagship Orion software.
As many as 18,000 customers downloaded those updates, which sent signals back to the hackers. At a small number of high-value targets, the group then manipulated access to cloud services in order to read emails or other content and potentially installed other back doors, making clean-up after discovery a daunting task.
A few major technology companies have said they had at least downloaded the bad code from SolarWinds, and Microsoft Corp said Dec 31 that the penetration had gone well beyond that, allowing the intruders to view its prized source code, where they might have looked for security flaws.
The attackers also hacked sellers of Microsoft services, which often maintain access to customers, to go after email at non-SolarWinds customers, according to security company CrowdStrike Holdings and Microsoft employees.
Microsoft and federal investigators have not said how many resellers were hacked or how many customers were impacted.
The overall strategy of electronic infiltration through vendors, known as a supply-chain attack, is especially effective, and officials fear the success of the current wave will encourage more of them.