Russia blamed for SolarWinds hack in joint FBI, NSA and CISA statement

The US intelligence agencies investigating the widespread compromise say it was "likely" orchestrated from Russia

Corinne Reichert Senior Writer
Laura Hautala Former Senior Writer

The SolarWinds attack likely came from Russia, the FBI has said.

CNET/Amanda Kooser

Key government intelligence agencies said Tuesday that the SolarWinds hack is "likely Russian in origin," according to a joint statement from the FBI, the NSA, the Cybersecurity and Infrastructure Security Agency (CISA) and the Office of the Director of National Intelligence (ODNI). It's the first time the four agencies have formally attributed the cyberattack to Russia.

"This work indicates that an Advanced Persistent Threat (APT) actor, likely Russian in origin, is responsible for most or all of the recently discovered, ongoing cyber compromises of both government and non-governmental networks," the statement said. "At this time, we believe this was, and continues to be, an intelligence gathering effort."


The hack began no later than March 2020, when the attackers compromised IT management software from Austin, Texas-based SolarWinds, which has thousands of customers in the public and private sectors. The attackers inserted malicious code into a legitimate update to a widely used SolarWinds product, and around 18,000 of the company's customers installed the tainted update.

US Secretary of State Mike Pompeo said in an interview in December that the hack was likely of Russian origin, but there had been no formal attribution until now. CISA issued a statement in December acknowledging an ongoing compromise, carried out by an advanced persistent threat, affecting government and private organizations.

Advanced persistent threats are hacking groups, identified by cybersecurity researchers and government intelligence agencies, that appear to have significant resources and skills and are frequently affiliated with a nation-state. Tuesday's statement didn't attribute the SolarWinds hack to a specific APT, but government sources have reportedly blamed APT29, nicknamed Cozy Bear, for the attack.

The Cyber Unified Coordination Group, made up of the FBI, NSA, CISA and ODNI, continues to investigate the hack. The joint statement added that, of the 18,000 affected organizations, a much smaller number were "compromised by follow-on activity on their systems." The targets that saw further compromise after installing the tainted update include fewer than 10 government agencies.

The breach reportedly included an email system used by senior leadership at the Treasury Department. Government officials have confirmed breaches at the Treasury Department as well as the Departments of Energy and Commerce. The hack also reportedly hit the Department of Homeland Security, the Pentagon and the State Department, as well as the National Institutes of Health and the National Nuclear Security Administration.