Last night, the US Cybersecurity and Infrastructure Security Agency (CISA) announced a task force dedicated to tracking the SolarWinds breach. The new Cyber Unified Coordination Group (UCG) consists of CISA, FBI and the Office of the Director of National Intelligence (ODNI) with support from the NSA. Given the seriousness of the breach, a three-week delay before creating the task force seems wasteful.
One of the tasks for the UCG will be determining the size and impact of the attack. In its announcement, CISA states: “of the approximately 18,000 affected public and private sector customers of SolarWinds’ Orion product, a much smaller number have been compromised by follow-on activity on their systems. We have so far identified fewer than ten US government agencies that fall into this category, and are working to identify and notify the nongovernment entities who also may be impacted.”
The numbers affected may eventually be much lower than initially thought. However, it will take months for organisations to thoroughly clean their systems and data. That assumes, of course, that they can identify every intrusion and piece of malware. Given how effectively the attackers pivoted their attack from the entry point, that is a major challenge.
The FBI has been tasked with leading the effort to identify any victims of this attack.
The finger is still pointing at Russia
Despite attempts from some quarters of the US Government to blame China, the finger is still pointing at Russia. The press release states: “This work indicates that an Advanced Persistent Threat (APT) actor, likely Russian in origin, is responsible for most or all of the recently discovered, ongoing cyber compromises of both government and non-governmental networks.”
The problem with attribution of this type of attack is that there is rarely a smoking gun. As has been seen in many attacks, not least the attack on German politicians two years ago, it is easy to make mistakes. However, given the amount of information now gathered by the task force and independent security companies, it would be a serious shock if it turns out not to be Russian in origin.
What will be of interest is exactly what the hackers were/are after. The current belief is intelligence data as confirmed by CISA: “At this time, we believe this was, and continues to be, an intelligence gathering effort. We are taking all necessary steps to understand the full scope of this campaign and respond accordingly.”
Whether this will help focus the search for those affected is yet to be seen. For example, without an idea of what type of intelligence was being targeted, the search net gets very large. Accessing Microsoft source code looks more like research into new exploits than gathering intelligence from government departments. That said, the scope of the affected companies speaks to a wide agenda, which is what will make this harder to defeat.
Enterprise Times: What does this mean?
Creating a UCG to handle this situation should have been the first reaction. Leaving it three weeks means that there is now a wealth of duplicated effort and information to rationalise. It has also split the effort in tracking down those responsible and coming up with solutions.
That said, all the agencies involved have been putting out useful information about the attack. There are tools to detect known malware left behind and known indicators of compromise. If this new body can create a single site to track and remediate the attack’s impact, it will benefit a lot of people.
One thing that is certain is that while most task forces have a defined goal and an expected time to operate, this one will still be running years from now. The big question is, will it ever bring anyone to justice?