US Security Agencies Say SolarWinds Hack ‘Likely Russian in Origin’

January 6, 2021 Updated: January 6, 2021

Top U.S. government agencies said Tuesday that Russia was likely behind the hack of SolarWinds technology, which caused a breach of U.S. government systems, calling it “a serious compromise that will require a sustained and dedicated effort to remediate.”

The federal security agencies in a rare joint statement said they believe, based on evidence so far, that the hacking effort was intended for “intelligence gathering,” as opposed to an attempt to damage or disrupt government operations in the United States.

“This work indicates that an Advanced Persistent Threat (APT) actor, likely Russian in origin, is responsible for most or all of the recently discovered, ongoing cyber compromises of both government and non-governmental networks,” said the Cyber Unified Coordination Group (UCG), which is composed of the FBI, the Cybersecurity and Infrastructure Security Agency (CISA), and the Office of the Director of National Intelligence (ODNI), with support from the NSA.

The UCG was formed to respond to the hack.

“At this time, we believe this was, and continues to be, an intelligence gathering effort. We are taking all necessary steps to understand the full scope of this campaign and respond accordingly,” the statement said.

SolarWinds technology is used by all five branches of the U.S. military and numerous government agencies. The breach was achieved by inserting malware, or malicious code, into software updates for the SolarWinds Orion platform, a widely used network management tool.

Up to 18,000 customers of Texas-based SolarWinds were using the compromised Orion network, the company said in a recent filing to the Securities and Exchange Commission. The company boasted of serving some 300,000 customers around the world in a partial customer listing it has since taken down.

The Commerce Department confirmed to The Epoch Times on Dec. 13 that it had been hacked. The Treasury Department was also reportedly breached.

Microsoft confirmed on Dec. 31 that hackers behind the cyberattack also breached its systems, and were able to access internal Microsoft systems and view source code used to create software products.

A screenshot of Dominion Voting Systems’ website shows use of SolarWinds software. It’s unclear which type of SolarWinds product Dominion is using. (Screenshot/Dominion Voting Systems)

The national agencies emphasized that the alleged Russian operation was “ongoing,” calling the hack a “serious compromise that will require a sustained and dedicated effort to remediate.”

A partial SolarWinds customer listing that was taken offline showed that its customers also include more than 425 of the U.S. Fortune 500, as well as the Office of the President of the United States.

The same list includes Dominion Voting Systems, a company that provides its voting equipment and software to 28 states and has become a focus of election fraud allegations across the United States. Dominion’s CEO John Poulos told state lawmakers in Michigan on Dec. 15 that the company has never used the SolarWinds Orion products.

But a screenshot of a Dominion web page that The Epoch Times captured shows that Dominion does use SolarWinds technology. Dominion later altered the page to remove any reference to SolarWinds, but the SolarWinds website is still in the page’s source code.

Former senior cybersecurity official Christopher Krebs, who prior to his recent dismissal by President Donald Trump served as CISA director, told CNN’s Jake Tapper last month that he believed the wide-scale cyberattack was conducted by Russia and was possible because of a “seam” in defenses.

“This was a never-before-seen capability that computer systems weren’t designed to detect,” said Krebs, adding that Russia is “exceptionally good at this sort of work.”

Krebs admitted his “failure” to stop the cyberattack, saying: “It happened on my watch … but there is work to do now going forward to make sure, A: we get past this, that we get the Russians out of the networks, but B: that it never happens again.”

Several other U.S. officials have said they believe Russia is behind the cyberattack against SolarWinds, Secretary of State Mike Pompeo told Mark Levin’s radio show last month, adding that while Trump’s administration sees Russia as a threat, it considers China a bigger problem.

The Kremlin has denied any involvement.

Mimi Nguyen Ly and The Associated Press contributed to this report.