The National Security Council staff has launched a task force to coordinate the investigation and remediation of the recent SolarWinds cyberattack involving federal government networks.
The task force — called the Cyber Unified Coordination Group (UCG) — is composed of representatives from the Federal Bureau of Investigation (FBI), the Cybersecurity and Infrastructure Security Agency (CISA), the Office of the Director of National Intelligence (ODNI), and the National Security Agency (NSA).
Ultimately, the UCG remains focused on ensuring that victims are identified and able to remediate their systems and that evidence is preserved and collected. While the UCG will work to further understand the scope of the incident, it already has made some determinations.
Among them, it believes that an Advanced Persistent Threat (APT) actor, likely Russian in origin, is responsible for most or all of the recently discovered, ongoing cyber compromises of both government and non-governmental networks.
“At this time, we believe this was, and continues to be, an intelligence gathering effort. We are taking all necessary steps to understand the full scope of this campaign and respond accordingly,” the officials said in a joint statement.
Also, the UCG believes that, of the approximately 18,000 affected public and private sector customers of SolarWinds’ Orion products, a smaller number has been compromised by follow-on activity. It has identified fewer than 10 U.S. government agencies that fall into this category and is currently working to identify the non-government entities that also may be impacted.
“This is a serious compromise that will require a sustained and dedicated effort to remediate. Since its initial discovery, the UCG, including hardworking professionals across the U.S. government, as well as our private sector partners, have been working non-stop. These efforts have not let up through the holidays. The UCG will continue taking every necessary action to investigate, remediate, and share information with our partners and the American people,” the officials said.
The FBI, the lead agency for threat response, is focusing the investigation on four critical lines of effort: identifying victims, collecting evidence, analyzing the evidence to determine further attribution, and sharing results with government and private sector partners.
CISA, as the lead for asset response, is focused on sharing information quickly with government and private sector partners. CISA has created a free tool for detecting unusual and potentially malicious activity related to this incident.
Further, ODNI, as the lead for intelligence support and related activities, is coordinating the Intelligence Community to ensure the UCG has the most up-to-date intelligence to drive U.S. government mitigation and response activities. ODNI is providing situational awareness for key stakeholders and coordinating intelligence collection activities to address knowledge gaps.
Finally, the NSA is supporting the UCG by providing intelligence, cybersecurity expertise, and actionable guidance to the UCG partners, as well as National Security Systems, Department of Defense, and Defense Industrial Base system owners. NSA is focused on assessing the scale and scope of the incident, as well as providing technical mitigation measures.