The US government has accused Russia of being behind the recent SolarWinds attack, which is considered to be among the most significant of 2020.
On Tuesday, four US security agencies, all members of a task force set up specifically to investigate the SolarWinds attack, issued a joint statement claiming the attack was “likely Russian in origin”.
The agencies in question are the FBI, the NSA, CISA (Cybersecurity and Infrastructure Security Agency) and ODNI (Office of the Director of National Intelligence), which together form the Cyber Unified Coordination Group (UCG).
“This work indicates that an Advanced Persistent Threat (APT) actor, likely Russian in origin, is responsible for most or all of the recently discovered, ongoing cyber compromises of both government and non-governmental networks,” the statement reads.
“At this time, we believe this was, and continues to be, an intelligence gathering effort.”
Commentators have suggested the statement is important for two reasons. First, it addresses public criticism of President Trump, who had refrained from blaming Russia. Second, by describing the operation as an “intelligence gathering effort”, it undercuts theories that the goal of the attack was to tamper with voting machines and facilitate election fraud.
The statement does not name a specific group, but outside researchers have pointed to APT29, a Russian state-linked espionage group already tied to several previous high-profile breaches, as the likely actor.
The attackers reportedly used a compromised Office 365 account to gain a foothold in SolarWinds’ network, and from there inserted malicious code into a legitimate update for the company’s Orion network-monitoring software. Up to 18,000 customers, including businesses and government agencies, downloaded and installed the trojanized update.
The backdoored update was only the first stage: it gave the attackers a way into each victim’s network, from which they could selectively deploy second-stage malware, known as Teardrop, on targets of interest. According to the statement, “fewer than ten US government agencies” had been compromised by follow-on activity of this kind.
To add insult to injury, SolarWinds’ shareholders have filed a lawsuit against the company’s executives, alleging that they knew about the breach and failed to disclose it to investors.
The suit also claims that SolarWinds’ cybersecurity practices fell short of industry standards, citing among other things the company’s use of the server password “solarwinds123”.
The investors are seeking damages together with “reasonable costs and expenses incurred”, including legal fees and court costs.