U.S. agencies agree the cyberattack against the federal government, military and some companies revealed in December was an intelligence gathering operation by Russia.
"This work indicates that an advanced persistent threat actor, likely Russian in origin, is responsible for most or all of the recently discovered, ongoing cyber compromises of both government and non-governmental networks," the FBI, Cybersecurity and Infrastructure Security Administration and the Office of Director of National Intelligence said in a joint statement Tuesday.
"At this time, we believe this was, and continues to be, an intelligence gathering effort. We are taking all necessary steps to understand the full scope of this campaign and respond accordingly."
The agencies said the campaign infiltrated the networks of several federal agencies. Among these are the Department of the Treasury, Department of Homeland Security, Department of State, Department of Commerce and the Department of Defense.
"We have so far identified fewer than 10 U.S. government agencies that fall into this category, and are working to identify and notify the nongovernment entities who also may be impacted," said the statement.
The agencies also said the cyberattack is a "serious compromise that will require a sustained and dedicated effort to remediate."
They said the attack manipulated software from SolarWinds, Inc., a company making information technology management tools. They said the attack added a vulnerability to SolarWinds updates later used to steal information, manipulate systems or plant trap doors and other exploits.
Intercepting these updates allowed the Russians to distribute malicious computer code to about 18,000 SolarWinds customers. Among these were 425 of U.S. Fortune 500 companies and "all five branches of the U.S. military."
Cybersecurity experts' fear the long-term consequences of the attack might be "really, really bad" since the Russians might have been stealing information for as long as eight months.
Some cybersecurity experts said the attack was likely the handiwork of the Russian hacking group Cozy Bear. Also called the Dukes, Cozy Bear is classified as an "advanced persistent threat" by cybersecurity companies.
Cozy Bear is run by the Foreign Intelligence Service of the Russian Federation, the Russian external intelligence agency that focuses on civilian targets.
A cybersecurity expert said the attack launched by Cozy Bear was "the worst hacking case in the history of America. They got into everything."
In July 2020, Cozy Bear, which hacked the Democratic National Committee before the 2016 U.S. election, stole research related to vaccines and other medicines for COVID-19 being developed in Canada, the U.S. and the UK.
