White House: SolarWinds Hack Impacted 9 Fed Agencies, 100 Entities

February 18, 2021 - At a White House press briefing on Wednesday, Deputy National Security Advisor for Cyber and Emerging Technology Anne Neuberger confirmed that the SolarWinds Orion compromise claimed nine federal agencies and 100 private sector organizations as victims.

Neuberger was recently appointed as lead investigator for the federal response to the global supply chain attack.

In total, it’s estimated that 18,000 entities downloaded a malicious update of the Orion platform, which hackers hijacked with malware in the Spring of 2020. The Office for Civil Rights first warned the healthcare sector of the threat in mid-December.

At the time, SolarWinds and FireEye, which confirmed it had been hacked as a result of the Orion attack, confirmed that the attacker was highly sophisticated. By leveraging the trojanized update, the hackers were able to gain access to public and private sector entities.

According to Neuberger, the final impact of the global supply chain attack is still unclear, but it’s expected the final breach tally will be far greater than current estimates.

Further, it’s expected that the attacker was an advanced persistent threat (APT), with likely nation-state ties. A federal task force previously tied the attack to Russian-backed hackers.

“This is a sophisticated actor who did their best to hide their tracks,” said Neuberger. “We believe it took them months to plan and execute this compromise. It’ll take us some time to uncover this, layer by layer.”

“The scale of potential access far exceeded the number of known compromises,” she added. “Many of the private sector compromises are technology companies, including networks of companies whose products could be used to launch additional intrusions.”

To Neuberger, the level of knowledge the hackers demonstrated to compromise the attack, spotlights the sophistication of their methods. The scope and scale of the network and impacted information further stresses that this attack “was more than an isolated case of espionage.”

The investigation, so far, has determined that any files or emails on a compromised network were likely breached. 

Further, the attack highlighted that there’s a lack of visibility that makes it difficult for the government to observe these activities. These challenges extend to federal networks, where both cultures and authorities stymie efforts to share threat information, she explained.

Federal investigators are currently working to find and expel the adversaries, then work to modernize federal defenses to prevent a recurrence and reduce the risk to federal networks. Neuberger stressed the team has not ruled out response options for the hackers behind the attacks.

The investigators are coordinating the interagency response from the National Security Council and daily conversations with private sector partners. Neuberger said that there will likely be an upcoming executive action to address the gaps identified in the review of the incident.

“They have visibility and technology that is key to understanding the scope and scale of compromise,” she added. “There are legal barriers and disincentives to the private sector sharing information with the government. That is something we need to overcome.”

“We’re absolutely committed to reducing the risk this happens again,” Neuberger stressed. “If you can’t see a network, you can’t defend a network. And federal networks’ cybersecurity need investment and more of an integrated approach to detect and block such threats.”

The investigation is ongoing and is predicted to last at least several more months. Security researchers have long stressed the serious impact that the incident will have across all sectors and have already found further malware evidence related to vulnerabilities in SolarWinds.

These potential exploits include compromised Microsoft O365 accounts and the abuse of authentication mechanisms.

Healthcare organizations should review the Department of Homeland Security’s resource page on the threat to ensure they’ve implemented necessary steps to prevent or remediate potential compromises.