Troubling Cyber Attack Necessitates Enhanced Federal Coordination
Government departments form response group to battle “significant and ongoing” cybersecurity attack.
The Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency, or CISA, reported yesterday that the Federal Bureau of Investigation, the Office of the Director of National Intelligence and CISA itself had created a Cyber Unified Coordination Group. The move was necessary given the alarming cyber compromise: a supply chain attack delivered through Trojanized software updates and attributed to the threat actor UNC2452, which has ties to Russia. The attack, identified by FireEye, reached North American, European, Asian and Middle Eastern governments, technology firms, telecommunications and consulting companies, and other entities, the company said.
The United States response has the FBI, CISA and ODNI—as they are known—working together at a larger, coordinated scale to handle the major cyber incident. The FBI is leading the group’s threat response: it is investigating the intrusion and gathering the intelligence needed to attribute, pursue and disrupt the responsible perpetrators, CISA explained. The ODNI is coordinating information gained from the intelligence community about the attack, while CISA leads the asset response activities.
“The Cyber Unified Coordination Group is intended to unify the individual efforts of these agencies as they focus on their separate responsibilities,” a CISA official stated. “This is a developing situation, and while we continue to work to understand the full extent of this campaign, we know this compromise has affected networks within the federal government.”
Earlier in the week, all federal civilian agencies were instructed to immediately examine their networks for any sign of compromise, because the software update channel for SolarWinds Orion Network Management Products had been used to deliver malicious code. CISA also directed the federal agencies to stop using SolarWinds Orion products.
“The compromise of SolarWinds’ Orion Network Management Products poses unacceptable risks to the security of federal networks,” said Brandon Wales, CISA Acting Director.
FireEye clarified that the UNC2452 actors entered victims’ networks through orchestrated, Trojanized updates to SolarWinds’ Orion Information Technology monitoring and management software.
“This campaign may have begun as early as Spring 2020 and is currently ongoing,” the company said. “Post-compromise activity following this supply chain compromise has included lateral movement and data theft. The campaign is the work of a highly skilled actor and the operation was conducted with significant operational security.”