FBI, CISA officially confirm US govt hacks after SolarWinds breach

The compromise of multiple US federal networks following the SolarWinds breach was officially confirmed for the first time in a joint statement released earlier today by the FBI, DHS-CISA, and the Office of the Director of National Intelligence (ODNI).

"Over the course of the past several days, the FBI, CISA, and ODNI have become aware of a significant and ongoing cybersecurity campaign," the US intelligence agencies said [1, 2].

"This is a developing situation, and while we continue to work to understand the full extent of this campaign, we know this compromise has affected networks within the federal government."

The National Security Council (NSC) has established a Cyber Unified Coordination Group (UCG) following the SolarWinds breach to help the intelligence agencies better coordinate the US government's response efforts surrounding this ongoing espionage campaign.

To establish the UCG, the NSC used the Presidential Policy Directive-41 and its Annex, both issued in July 2016 by the Obama administration.

"The UCG process facilitates continuous and comprehensive coordination for whole-of-government efforts to identify, mitigate, remediate, and respond to this incident," NSC spokesman John Ullyot said two days ago.

"The highly-trained and experienced professionals across the government are working diligently on this matter."

During this coordinated whole-of-government response effort, the FBI will be the lead for threat response, DHS-CISA will lead all asset response activities, and the ODNI will lead intelligence support and related activities.

The FBI will focus its efforts on collecting additional intelligence on the threat actors behind this compromise campaign and on attributing, pursuing, and disrupting their ongoing cyber-espionage efforts.

DHS-CISA has already issued an Emergency Directive, following the breach of SolarWinds by suspected Russian state-sponsored hackers, asking federal civilian agencies to immediately disconnect or power down affected SolarWinds Orion products on their networks to block further attacks.

DHS-CISA is the agency keeping in contact with all government, private sector, and international partners during the coordinated response, and it is providing the resources and information that organizations affected by this campaign need to "recover quickly."

"CISA is engaging with our public and private stakeholders across the critical infrastructure community to ensure they understand their exposure and are taking steps to identify and mitigate any compromises," the joint statement reads.

Yesterday, BleepingComputer also reported that Microsoft, FireEye, and GoDaddy collaborated to create a kill switch for the SolarWinds backdoor deployed on compromised networks to force the malware to terminate itself.

This backdoor is currently tracked as Solarigate by Microsoft and Sunburst by FireEye, and it was distributed via SolarWinds' auto-update mechanism onto the systems of roughly 18,000 customers.

The list of victims includes the US Treasury, the US Department of State, US NTIA, US NIH, DHS-CISA, and the US Department of Homeland Security.

SolarWinds' customer listing [12] includes over 425 of the US Fortune 500, all top ten US telecom companies, the US Military, the US Pentagon, the State Department, NASA, NSA, Postal Service, NOAA, the US Department of Justice, and the Office of the President of the United States.
