Federal law enforcement and intelligence agencies said today they believe that “fewer than 10” Federal agencies have been targeted by “follow-on” activity after initial breaches in the Russia-directed hacking of government networks via SolarWinds Orion products.

That’s the top-line news from an update released today by the government’s Cyber Unified Coordination Group (UCG) that includes the FBI, the Cybersecurity and Infrastructure Security Agency (CISA), and the Office of the Director of National Intelligence (ODNI) with support from the National Security Agency (NSA.)

The UCG said it is “still working to understand the scope of the incident,” but confirmed that the SolarWinds hack was conducted by an advanced persistent threat (APT) actor “likely Russian in origin,” and that the purpose the widespread network intrusions “was, and continues to be, an intelligence gathering effort.”

“We are taking all necessary steps to understand the full scope of this campaign and respond accordingly,” UCG said.

The group of security and intelligence agencies said the potential scope of the cyber attack was vast – and has encompassed about 18,000 public and private sector SolarWinds customers. But of that total, “a much smaller number have been compromised by follow-on activity on their systems,” the agencies said.

“We have so far identified fewer than ten U.S. government agencies” that have been subject to the follow-on activities, the UCG agencies said.

The UCG agencies did not name Federal agencies that have fallen victim to the attacks, either in the category of exposed in general, or subject to more extensive “follow-on” breaches.

The departments of Treasury, Commerce, State, and Homeland Security, along with the National Institutes of Health, have been named by some members of Congress as agencies impacted by the SolarWinds breach.

But the UCG agencies said the remediation effort has been, and will continue to be, substantial.

“This is a serious compromise that will require a sustained and dedicated effort to remediate,” the agencies said.

“Since its initial discovery, the UCG, including hardworking professionals across the United States Government, as well as our private sector partners have been working non-stop,” they said. “These efforts did not let up through the holidays. The UCG will continue taking every necessary action to investigate, remediate, and share information with our partners and the American people.”

They said the FBI has taken the role of lead agency for threat response, and that its investigation is “presently focused on four critical lines of effort: identifying victims, collecting evidence, analyzing the evidence to determine further attribution, and sharing results with our government and private sector partners to inform operations, the intelligence picture, and network defense.”

CISA is the lead agency for “asset response,” and is “focused on sharing information quickly with our government and private sector partners as we work to understand the extent of this campaign and the level of exploitation.” When news of the SolarWinds hack first surfaced in December, CISA warned that it posed a “grave risk” to government, critical infrastructure, and private sector networks, and ordered a rapid disconnect or power-down of affected SolarWinds Orion products from Federal networks. “CISA will continue to share any known details as they become available,” the UCG agencies said today.

The agencies said today that ODNI is taking the lead for intelligence support and related activities, and NSA is “supporting the UCG by providing intelligence, cybersecurity expertise, and actionable guidance to the UCG partners, as well as National Security Systems, Department of Defense, and Defense Industrial Base system owners,” along with providing technical mitigation measures.

Read More About
More Topics
John Curran
John Curran
John Curran is MeriTalk's Managing Editor covering the intersection of government and technology.