CISA: SolarWinds backdoor attacks are 'ongoing'

The SolarWinds backdoor attacks are ongoing, according to a joint statement by the FBI, the Cybersecurity and Infrastructure Security Agency and the Office of the Director of National Intelligence.

The agencies Wednesday announced the creation of the Cyber Unified Coordination Group (UCG) to handle response across the federal government to what it refers to as "a significant cyber incident." That incident was revealed Sunday when FireEye disclosed that nation-state actors conducted a successful supply chain attack on SolarWinds and placed a backdoor in the software vendor's Orion platform; the backdoor was used by threat actors to breach FireEye as well as several U.S. government agencies.

Wednesday's update detailed how the FBI is working with known and suspected victims to gain intelligence for network defenders and government partners. The statement also referred to the Emergency Directive issued by the Cybersecurity and Infrastructure Security Agency (CISA) on Monday, which called for the immediate power down of SolarWinds Orion products. While it was revealed that SolarWinds Orion supplied government agencies, the statement Wednesday is the first official response to acknowledge the compromise of the federal government agencies.

"Over the course of the past several days, the FBI, CISA, and ODNI have become aware of a significant and ongoing cybersecurity campaign," the joint statement said. "This is a developing situation, and while we continue to work to understand the full extent of this campaign, we know this compromise has affected networks within the federal government."

The joint statement did not specify which agencies were breached, or the threat actors behind the massive cyber attack.

Originally, CISA said the SolarWinds supply chain attack only affected the Orion platform. However, the agency issued an alert Thursday that revealed the threat actors behind the campaign used other techniques to breach their targets. CISA said it has "evidence that the Orion supply chain compromise is not the only initial infection vector leveraged by the APT actor."

"CISA has evidence of additional initial access vectors, other than the SolarWinds Orion platform; however, these are still being investigated. CISA will update this alert as new information becomes available," the alert said.

The CISA alert said U.S. government agencies, critical infrastructure entities and private sector organizations have been compromised as a result of the ongoing attacks, which pose a "grave risk" to all such organizations.

"This threat actor has demonstrated sophistication and complex tradecraft in these intrusions," the alert said. "CISA expects that removing the threat actor from compromised environments will be highly complex and challenging. This adversary has demonstrated an ability to exploit software supply chains and shown significant knowledge of Windows networks."

According to Cybereason CEO Lior Div, the timing of the SolarWinds supply chain attack was planned to take advantage of the transition currently taking place in the White House. Cybereason believes that it was a Russian state-sponsored attack, as several media outlets have also reported, though that has not been confirmed by the federal government.

"When there is a change in the president and specifically change that's drastic between two almost opposing ways of thinking, Russians are taking this position because they know the current administration won't respond and the incoming one can't respond. There's a window of opportunity to do whatever they want," he said.