2021-01-05

(CNN) — US intelligence and law enforcement agencies investigating the massive hacking campaign targeting American government agencies and private sector companies issued a joint statement Tuesday saying the group responsible "likely originated in Russia" and the attack is believed to be an act of espionage rather than cyber warfare, as some lawmakers have suggested.
While top US officials, including Secretary of State Mike Pompeo, have previously suggested that the hacking campaign was carried out by a Russian-backed group, Tuesday's joint statement offers the most definitive and concrete assessment about the attack's origins from agencies investigating the incident.
In short, the statement issued by the Cyber Unified Coordination Group (UCG) clearly acknowledges what US officials and experts have suspected since the data breach was first disclosed last month: the Advanced Persistent Threat (APT) actor responsible is "likely Russian in origin."
That assessment runs counter to what President Donald Trump has said publicly in the weeks since the data breach first came to light.
Trump has previously questioned intelligence suggesting the hackers were linked to Russia, and he has downplayed the impact of the breach, which top US officials and experts say is historic and could take years to fully understand.
The attack, which has affected "less than 10" US government agencies and a number of private sector companies, is believed to be "an intelligence gathering effort," but investigators are still working to understand its full scope, Tuesday's joint statement adds.
Even as US officials continue to grapple with the fallout, the statement clearly states that investigators currently believe the attack does not amount to an "act of war" as some lawmakers have suggested.
The Cyber Unified Coordination Group, which consists of the Federal Bureau of Investigation (FBI), the Cybersecurity and Infrastructure Security Agency (CISA), the Office of the Director of National Intelligence (ODNI), and the National Security Agency (NSA), has been meeting twice daily since the government was informed about the hack, as it works to assess the extent of the damage and identify the culprits responsible for the attack.
It comes as US officials are still working to uncover the full extent of the breach. A senior administration official told CNN on Monday that well over 250 networks in government and companies had been affected by the hack but that US officials are still trying to assess the damage. The official says, "We think it could be a lot more."
On top of assessing the damage, investigators are working to uncover exactly how the attackers gained access to US networks. The focus on SolarWinds, a private contractor whose software attackers exploited to gain access to potentially thousands of public- and private-sector organizations, is continuing.
The FBI is involved with the case and is examining whether the infiltration involved the company's operations in Eastern Europe, according to two sources familiar with the matter. The intelligence community is also examining the company's operations in Eastern Europe.
SolarWinds outsourced a great deal of its technical expertise to employees and software engineers in countries including Belarus, Poland and the Czech Republic. One former National Security Agency official told CNN on Monday that foreign employees working for American IT firms in those countries are considered prime targets for recruitment by Russian intelligence services.
In full, the statement reads:
"On behalf of President Trump, the National Security Council staff has stood up a task force construct known as the Cyber Unified Coordination Group (UCG), composed of the FBI, CISA, and ODNI with support from NSA, to coordinate the investigation and remediation of this significant cyber incident involving federal government networks. The UCG is still working to understand the scope of the incident but has the following updates on its investigative and mitigation efforts.
"This work indicates that an Advanced Persistent Threat (APT) actor, likely Russian in origin, is responsible for most or all of the recently discovered, ongoing cyber compromises of both government and non-governmental networks. At this time, we believe this was, and continues to be, an intelligence gathering effort. We are taking all necessary steps to understand the full scope of this campaign and respond accordingly.
"The UCG believes that, of the approximately 18,000 affected public and private sector customers of SolarWinds’ Orion product, a much smaller number have been compromised by follow-on activity on their systems. We have so far identified fewer than ten U.S. government agencies that fall into this category, and are working to identify and notify the nongovernment entities who also may be impacted.
"This is a serious compromise that will require a sustained and dedicated effort to remediate. Since its initial discovery, the UCG, including hardworking professionals across the United States Government, as well as our private sector partners have been working non-stop. These efforts did not let up through the holidays. The UCG will continue taking every necessary action to investigate, remediate, and share information with our partners and the American people.
"As the lead agency for threat response, the FBI’s investigation is presently focused on four critical lines of effort: identifying victims, collecting evidence, analyzing the evidence to determine further attribution, and sharing results with our government and private sector partners to inform operations, the intelligence picture, and network defense.
"As the lead for asset response, CISA is focused on sharing information quickly with our government and private sector partners as we work to understand the extent of this campaign and the level of exploitation. CISA has also created a free tool for detecting unusual and potentially malicious activity related to this incident. In an Emergency Directive posted December 14, CISA directed the rapid disconnect or power-down of affected SolarWinds Orion products from federal networks. CISA also issued a technical alert providing technical details and mitigation strategies to help network defenders take immediate action. CISA will continue to share any known details as they become available.
"As the lead for intelligence support and related activities, ODNI is coordinating the Intelligence Community to ensure the UCG has the most up-to-date intelligence to drive United States Government mitigation and response activities. Further, as part of its information-sharing mission, ODNI is providing situational awareness for key stakeholders and coordinating intelligence collection activities to address knowledge gaps.
"Lastly, the NSA is supporting the UCG by providing intelligence, cybersecurity expertise, and actionable guidance to the UCG partners, as well as National Security Systems, Department of Defense, and Defense Industrial Base system owners. NSA’s engagement with both the UCG and industry partners is focused on assessing the scale and scope of the incident, as well as providing technical mitigation measures.
"The UCG remains focused on ensuring that victims are identified and able to remediate their systems, and that evidence is preserved and collected. Additional information, including indicators of compromise, will be made public as they become available."