The FBI, Cybersecurity and Infrastructure Security Agency (CISA) and the Office of the Director of National Intelligence (ODNI) have formed a joint response team to coordinate the federal government’s response to the recently disclosed large-scale hack of government and private networks reportedly carried out by a Russian intelligence service.
The three U.S. agencies on Wednesday evening issued a statement that their Cyber Unified Coordination Group (UCG) will “coordinate a whole-of-government response to this significant cyber incident.”
The statement doesn’t attribute the attack to Russia, and the federal government has yet to do so, at least publicly. The cyber security firm FireEye [FEYE], which sells its products and services to the public and private sectors, first disclosed the hack on Dec. 9, saying the company was targeted “by a nation with top-tier offensive capabilities” that stole tools FireEye uses to help its customers probe for vulnerabilities in their networks.
The FireEye statement, issued by its CEO Kevin Mandia, said the hack against his company was carried out using new techniques and was “related to certain government customers.”
The UCG statement outlined the roles and responsibilities of the three agencies in responding to the cyber incursion, with the FBI working with victims to identify the “indicators” that its government partners can act on.
CISA, which is part of the Department of Homeland Security and works to strengthen the cyber security posture of the federal civilian government and private sector, at the outset of this week issued an emergency directive ordering civilian agencies to disconnect or power down network management and monitoring software provided by SolarWinds [SWI].
The nation-state behind the hacking somehow first gained access to SolarWinds and was able to insert malware into software updates, commonly called patches, that its customers routinely apply to the products they have acquired from the company. FireEye on Dec. 13 said the hacking campaign may have begun in the spring and continues.
The FBI, CISA and ODNI stated that “This is a developing situation, and while we continue to work to understand the full extent of this campaign, we know this compromise has affected networks within the federal government.”
CISA on Thursday also released a new alert saying it has evidence that, in addition to the SolarWinds Orion platform, the threat actor used other channels to gain access to breached networks. The agency said it will update the alert as more information is discovered.
The establishment of the UCG highlights the serious nature of the ongoing cyber campaign against the government but doesn’t describe what damage has been done.
Thomas Bossert, who served as President Trump’s homeland security adviser until April 2018, wrote in a Dec. 16 opinion piece in the New York Times that “The magnitude of this ongoing attack is hard to overstate. The Russians have had access to a considerable number of important and sensitive networks for six to nine months.”
He went on to say that the government must assume that the S.V.R., which is the Russian Foreign Intelligence Service, has control of the networks it gained access to, which means “they have the power to destroy or alter data, and impersonate legitimate people. Domestic and geopolitical tensions could escalate quite easily if they used their access for malign influence and misinformation—both hallmarks of Russian behavior.”
Bossert said it will take years before the U.S. knows what networks the Russians control.
The joint agency statement said that CISA is working with the private and public sectors to mitigate impacts from the hack and to make sure victims know the extent to which they were exposed to the intrusion.
The ODNI is working across the intelligence community to bring its collective resources to bear on the campaign and ensure that relevant information is being shared across the government.