US Government formally points the finger in Russia’s direction for the SolarWinds Hack

Initially when we covered the SolarWinds supply chain hack in mid-December fingers were already pointing at Russian nation-state threat actors as being the likely responsible party. Given the scale and sophistication of the attack, there would only be a few well-resourced groups across the globe that had the patience and skill to conduct such a cyberespionage attack. Given Russia’s recent past it was likely that expert opinion would likely look to Russia for an explanation likely to never come. Now, the US government has officially blamed Russia for what is quickly becoming one of the most severe hacks seen, with experts rather dramatically comparing it to Pearl Harbour.

Comparisons to historical events where the loss of life and further war do seem to be misplaced; however, the severity of the hack is slowly coming to light. In a joint statement issued by the FBI, CISA, ODNI, and the NSA the government agencies stated,

“indicates that an Advanced Persistent Threat (APT) actor, likely Russian in origin, is responsible for most or all of the recently discovered, ongoing cyber compromises of both government and non-governmental networks. At this time, we believe this was, and continues to be, an intelligence gathering effort. We are taking all necessary steps to understand the full scope of this campaign and respond accordingly.”

Further, highlighting the scope of the attack the statement went on to say,

“The UCG [Cyber Unified Coordination Group] believes that, of the approximately 18,000 affected public and private sector customers of Solar Winds’ Orion product, a much smaller number have been compromised by follow-on activity on their systems. We have so far identified fewer than ten U.S. government agencies that fall into this category, and are working to identify and notify the nongovernment entities who also may be impacted.”

The statement issued by the UCG, composed of the FBI, CISA, and ODNI with support from NSA, somewhat confirms an article published by the Washington Post which linked to the attack to known Russian nation-state group APT 29 also called Cozy Bear and YTTRIUM. APT 29 is believed to be closely linked with the Russian Foreign Intelligence Service (SVR), there is sufficient evidence to suggest that the belief of a link is more of a fact. However, the government statement did not directly name APT 29 as the culprit, merely saying the attack was conducted by a group of “Russian origin”.

solarwinds russian hackers

Political pundits see the statement as a response to perceptions that President Trump is soft on Russia, and that he may have received direct help from the Russian government during the 2016 election. Currently, according to the statement, officials classify the investigation as an intelligence-gathering effort, with further hopes that the hack can be correctly categorized and those conspiracy theories pertaining to the hack having an impact on voting machines can be put to rest. The statement gives little in the way of concrete information as to how exactly the threat actors carried out the attack. Since December, the public has become slowly aware of what may have occurred, following the news releases that have been released over the period.

The Story so Far

A recently published New York Times article summarised what is known although speculation remains rife. The article has gone some way to clear up some misconceptions. According to the article, the threat actor managed their intrusion servers from within the United States, this was believed to be done to bypass laws that prevent US agencies from spying within the borders of the US and on US citizens or public entities.

Experts believe that while much of the focus of cyber defense agencies was on securing the 2020 election, resources were diverted away from what some fear was a long-brewing supply-chain disaster. Companies like FireEye and Microsoft also diverted resources to help to secure the recent election were also breached during the attack.

Summarising SolarWinds’ role in the fiasco, New York Times journalists noted,

“SolarWinds, the company that the hackers used as a conduit for their attacks, had a history of lackluster security for its products, making it an easy target, according to current and former employees and government investigators. Its chief executive, Kevin B. Thompson, who is leaving his job after 11 years, has sidestepped the question of whether his company should have detected the intrusion…Some of the compromised SolarWinds software was engineered in Eastern Europe, and American investigators are now examining whether the incursion originated there, where Russian intelligence operatives are deeply rooted.”

As mentioned above, much of how the attack transpired is still coming to light. This drip of information can be expected for some time to come. As to the aim of the attack, Suzanne Spaulding, who was the senior cyber official at the Homeland Security Department during the Obama administration believes that the attack may have been for far more than cyberespionage. The attack may have been to gain leverage on the new administration led by President-Elect Biden in the hope that this can influence decisions made by the new government.

SolarWinds has also come under significant pressure of late, which is understandable given the scope of the attack. Speaking to the New York Times former SolarWinds employees have criticized the company for not making security a priority while developing software that was to be used by government agencies. The employees further went on to explain that the company under Mr. Thompson, an account and chief financial officer before leading the company, prioritized cost savings over best security practices as these do have a significant cost attached.

These measures did help triple the company’s income in less than ten years but now the sustainability of the decision will be questioned. Part of this cost savings policy set up satellite offices in Eastern Europe, as many professionals in Poland, the Czech Republic, and Belarus demand far less than equally qualified US counterparts in terms of salary. US officials fear these satellite offices may have been initially compromised by Russian hackers. This is plausible as the satellite offices would have broad access to the Orion (the SolarWinds product compromised) network.

Microsoft Source Code Accessed

Microsoft announced just before the new year approached that during the SolarWinds attack the attackers managed to escalate access inside Microsoft's internal network and gain access to a small number of internal accounts, which they used to access Microsoft source code repositories. Further, the tech giant noted that none of the source code was altered as the compromised accounts could only view code, not change it in any way. In the blog post, Microsoft went to great pains to state that the attack did not reach production systems, customer data, or use Microsoft products to attack Microsoft customers. In their words,

“Our investigation into our own environment has found no evidence of access to production services or customer data. The investigation, which is ongoing, has also found no indications that our systems were used to attack others.”

Microsoft has downplayed the incident noting,

“At Microsoft, we have an inner source approach – the use of open source software development best practices and an open source-like culture – to making source code viewable within Microsoft…This means we do not rely on the secrecy of source code for the security of products, and our threat models assume that attackers have knowledge of source code. So viewing source code isn't tied to elevation of risk,”

This approach to source code is possibly a result of the source code to popular Microsoft products, including almost all of their recent OS releases, being leaked on several occasions. The reason why Microsoft was compromised this time is that the company used SolarWinds Orion, an IT monitoring platform, inside its internal network. Microsoft found that the same malware which had affected numerous other organizations and government departments used in the attack was on their systems as well. The tech giant was one of the first major companies to admit that they had been compromised. As to the seriousness of having their source viewed, time will tell but for the moment it seems we must accept Microsoft’s explanation.

▼ Show Discussion

About the author:

Karolis Liucveikis

Karolis Liucveikis - experienced software engineer, passionate about behavioral analysis of malicious apps.

Author and general operator of PCrisk's "Removal Guides" section. Co-researcher working alongside Tomas to discover the latest threats and global trends in the cyber security world. Karolis has experience of over five years working in this branch. He attended KTU University and graduated with a degree in Software Development in 2017. Extremely passionate about technical aspects and behavior of various malicious applications. Contact Karolis Liucveikis.

PCrisk security portal is brought by a company RCS LT. Joined forces of security researchers help educate computer users about the latest online security threats. More information about the company RCS LT.

Our malware removal guides are free. However, if you want to support us you can send us a donation.

About PCrisk

PCrisk is a cyber security portal, informing Internet users about the latest digital threats. Our content is provided by security experts and professional malware researchers. Read more about us.

Malware activity

Global malware activity level today:

Medium threat activity

Increased attack rate of infections detected within the last 24 hours.

Virus and malware removal

This page provides information on how to avoid infections by malware or viruses and is useful if your system suffers from common spyware and malware attacks.

Learn about malware removal