US intelligence and law enforcement agencies investigating the massive hacking campaign targeting American government agencies and private sector companies issued a joint statement Tuesday saying the group responsible “likely originated in Russia” and the attack is believed to be an act of espionage rather than cyber warfare, as some lawmakers have suggested.
While top US officials, including Secretary of State Mike Pompeo, have previously suggested that the hacking campaign was carried out by a Russian-backed group, Tuesday’s joint statement offers the most definitive and concrete assessment about the attack’s origins from agencies investigating the incident.
In short, the statement issued by the Cyber Unified Coordination Group (UCG) clearly acknowledges what US officials and experts have suspected since the data breach was first disclosed last month: the Advanced Persistent Threat (APT) actor responsible is “likely Russian in origin.”
The Cyber Unified Coordination Group, which consists of the Federal Bureau of Investigation (FBI), the Cybersecurity and Infrastructure Security Agency (CISA), the Office of the Director of National Intelligence (ODNI), and the National Security Agency (NSA), began meeting twice daily since the government was informed about the hack, as it worked to assess the extent of the damage and the possible culprits responsible for the attack.
Sen. Mark Warner, the top Democrat on the Senate Intelligence Committee, applauded the statement Tuesday but said he hopes to see more concrete steps taken to address the threat and “a very stern warning that any misuse of compromised networks to produce destructive or harmful effects.”
“I’m glad we’re finally getting at least a tentative attribution from the Administration, although over three weeks after revelation of an intrusion this significant, I would hope that we will begin to see something more definitive, along with a more public pronouncement of US policy towards indiscriminate supply chain infiltrations of this sort in the future,” he said in a statement to CNN.
Tuesday’s assessment that the group behind the attack was likely backed by Russia runs counter to what President Donald Trump has said publicly in the weeks since the data breach first came to light.
Trump has previously questioned intelligence suggesting the hackers were linked to Russia, and he has downplayed the impact of the breach, which top US officials and experts say is historic and could take years to fully understand.
“This was exceptionally well-executed. It was so good that it has to be the Russians because they left behind beacons that would let them get into any system that was affected. It will take time to dig those out. It’s basically setting them up for a year of espionage,” said James Andrew Lewis, cybersecurity and technology expert at the Center for Strategic and International.
Asked for comment on the joint statement Tuesday, the White House referred CNN to the National Security Council, which pointed to a tweet that stated: “President @realDonaldTrump continues to surge all appropriate resources to support the whole-of-government response to the recent cyber incident affecting government networks. We are taking every necessary step to understand the full scope of this incident & respond accordingly.”
US allies that make up the intelligence sharing collective known as “Five Eyes” were notified ahead of time that Tuesday’s statement was coming, according to two sources familiar with the outreach. Multiple sources told CNN that there was some earlier discussion about a joint statement from Five Eyes members but those talks quickly fizzled.
Lingering questions
Despite acknowledging the importance of naming Russia as the country responsible for the hack, an administration official noted that the impact of Tuesday’s statement could be limited by the fact that Trump is leaving office in a matter of weeks.
“Obviously it’s important to call Russia out but at the end of the day it doesn’t matter. It’s espionage. It’s supposed to be deniable, so of course they’ll deny it. And there will be a new administration in two weeks with other pressing priorities, like nuclear talks. The Russians know that too, so none of this will really matter to them,” the official said.
Tuesday’s statement also suggests that US officials do not believe the attack was an act of cyber-warfare, as it “was, and continues to be, an intelligence gathering effort.”
That determination, while preliminary, stands in sharp contrast to the calls for an immediate response by congressional lawmakers on both sides of the aisle who were quick to characterize the breach as an act of war.
Additionally, the statement also reiterated that US officials are still working to understand the full scope of the attack, particularly as it relates to vulnerabilities exposed in SolarWinds software used by a number of government agencies and private sector companies.
For now, investigators believe that a much smaller number of affected government and private sector networks were actually compromised by “follow-on activity” in which hackers were able to exploit their access, according to the statement.
“The UCG believes that, of the approximately 18,000 affected public and private sector customers of SolarWinds’ Orion products, a much smaller number has been compromised by follow-on activity on their systems. We have so far identified fewer than 10 U.S. government agencies that fall into this category, and are working to identify the nongovernment entities who also may be impacted,” the statement said.
Yet, it is clear US officials are still working to uncover the full extent of the breach.
A senior administration official told CNN on Monday that well over 250 networks in government and companies had been affected by the hack but that US officials are still trying to assess the damage. “We think it could be a lot more,” the official said.
Morgan Wright, chief security adviser at the cybersecurity firm SentinelOne who previously served as a senior adviser in the US State Department Anti-terrorism Assistance Program also noted that Tuesday’s statement offers little clarity about the number of networks that were affected.
“Even though the UCG believes a much smaller number than 18,000 have been affected, does that mean 2000? 1000? We still lack the context to understand the extent of the penetration and damage. There are additional reports that indicate at least three states, if not more, have also been compromised as well as the federal agencies,” he said in a statement to CNN.
As well as assessing the damage, investigators are working to uncover exactly how the attackers gained access to US networks. The focus on SolarWinds, a private contractor attackers exploited to gain access to potentially thousands of public- and private-sector organizations, is continuing.
The FBI is involved with the case and is examining whether the infiltration involved the company’s operations in Eastern Europe, according to two sources familiar with the matter. The intelligence community is also examining the company’s operations in Eastern Europe.
SolarWinds outsourced a great deal of its technical expertise to employees and software engineers in countries including Belarus, Poland and the Czech Republic. One former National Security Agency official told CNN on Monday that foreign employees working for American IT firms in those countries are considered prime targets for recruitment by Russian intelligence services.
This story has been updated with additional details.
CNN’s Vivian Salama, Brian Fung and Alex Marquardt contributed reporting