CISA (the Cybersecurity and Infrastructure Security Agency), the FBI (Federal Bureau of Investigation), the NSA (National Security Agency), and the ODNI (Office of the Director of National Intelligence) have released a joint statement to inform the American people of their progress in investigating the recent SolarWinds supply chain attack, which has shaken the field to its foundations. They also announced that they have combined their efforts under a single task force, the Cyber Unified Coordination Group (UCG), intended to speed up the investigation and give the various agencies a single coordination mechanism.
What the statement confirms so far is that the actor is likely Russian in origin, and that the evidence points to a single APT as responsible for most or all of the discovered compromises. As for the scale, the UCG estimates that approximately 18,000 public and private sector customers received the trojanized Orion platform update carrying the "Sunburst" backdoor; the statement also notes that a much smaller number of those were compromised by follow-on activity on their systems. Receiving the backdoored update is therefore not the same as having been actively exploited, and organizations that installed it still need to check for post-compromise activity rather than assume either outcome. In short, the joint statement adds little new information about the attack itself; the formation of the UCG is the key point.
Within the new collaborative effort, the FBI will focus on identifying victims, collecting and analyzing evidence, and attribution. CISA will focus on sharing information with government and private sector entities and has also released a free tool to help organizations detect unusual and potentially malicious activity related to this incident.
ODNI will coordinate the Intelligence Community's support, driving mitigation and response activities and building situational awareness for key stakeholders. Finally, the NSA will contribute intelligence, cybersecurity expertise, and actionable guidance.
This sounds good, but the truth is that a lot of time has already passed and too much about the attack remains unclear. Had a task force like this existed in previous years, supply chain attacks such as the one against SolarWinds might have been averted, or at least their effects greatly reduced. Moreover, many industry experts argue that U.S. agencies are spending energy and resources on identifying the culprit when they should be focused on improving defenses.
Brandon Hoffman, CISO at Netenrich, comments: