A White House press briefing Wednesday gave additional context regarding the scope of the SolarWinds hack and the government's response, though key details remain unclear.
Anne Neuberger, deputy national security adviser for cyber and emerging technology at the White House, said in a press briefing Wednesday that as of her speaking, "9 federal agencies and about 100 private sector companies were compromised" as a result of the SolarWinds supply chain attack disclosed in December. President Biden tapped Neuberger earlier this month to lead the federal government's response to the attacks.
During the briefing, Neuberger did not offer any specifics regarding which federal agencies were hacked nor what data threat actors obtained. Moreover, far fewer than 100 private sector companies have publicly disclosed breaches at this time. FireEye, Microsoft and Malwarebytes have all disclosed breaches by the SolarWinds attackers; other companies, including VMware, Intel and Nvidia, were infected with malicious updates for SolarWinds' Orion software, but the companies said they've found no evidence they were breached through the backdoors in the updates.
Regarding the threat actor responsible, Neuberger said that they are an "advanced persist threat actor" who is "likely of Russian origin," although she stopped short of definitely attributing the attacks to Russia.
The threat actor's motive was also discussed. Neuberger called the attacks against the government an act of "cyberespionage," but added that, "when there is a compromise of this scope and scale, both across government and across the U.S. technology sector to lead to follow-on intrusions, it is more than a single incident of espionage; it's fundamentally of concern for the ability for this to become disruptive."
The deputy national security adviser laid out the government's ongoing response in a three-pronged approach: finding and expelling the threat actor, modernizing federal defenses to reduce future risk, and determining potential response measures.
The "finding and expelling the adversary" section, like the other two, was light on details, only referring to the government "coordinating the interagency response from the National Security Council" and working closely with private sector partners. However, during the press briefing's Q&A section, Neuberger mentioned the investigation being estimated to take "several months."
In reducing future risk, Neuberger mentioned forthcoming executive actions from President Biden.
"We're also working on close to about a dozen things -- likely eight will pass -- that will be part of an upcoming executive action to address the gaps we've identified in our review of this incident," she said.
Neuberger also addressed potential responses from the U.S. government, though she did not specify what those options currently are.
"I know some of you will want to know what kind of options are being contemplated. What I will share with you is how I frame this in my own mind," she said. "This isn't the only case of malicious cyber activity of likely Russian origin, either for us or for our allies and partners. So as we contemplate future response options, we're considering holistically what those activities were."
There have been discussions about potential SolarWinds responses this week following Sunday's episode of 60 Minutes and its accompanying "60 Minutes Overtime" segment, which made a case for hacking back against the threat actors. Hacking back and offensive cybersecurity measures have been a controversial topic in the infosec community, as many experts have warned about attribution challenges and unintended consequences of such measures.
Alexander Culafi is a writer, journalist and podcaster based in Boston.