- U.S. intelligence agencies join forces under a new task force called UCG (Cyber Unified Coordination Group).
- The goal is to speed up the investigations on the recent “Solar Winds” attacks that did tremendous damage in America.
- Experts in the industry feel that this is too little too late and even focused on the wrong things.
The CISA (Cybersecurity and Infrastructure Security Agency), the FBI (Federal Bureau of Investigation), the NSA (National Security Agency), and the ODNI (Office of the Director of National Intelligence) have released a joint statement to inform the American people about their progress in the investigation of the recent “Solar Winds” supply chain attacks that have shaken the field fundamentally. Moreover, they announce their unification for this purpose under a single task force known as UCG (Cyber Unified Coordination Group), aiming to speed up the process and create a convergence mechanism for the various investigating agencies.
From what can be confirmed at this point, the actors are indeed of a Russian origin, and the evidence points to a single APT as the responsible entity for most or even all of the discovered compromises. As for how many there are, the UCG believes that the number of the public and private sector customers who have been affected is approximately 18,000, all receiving the “Sunburst” backdoor via the malicious update on the Orion app. So, in summary, the joint statement gives us no new information about the actual attack, and the formation of the UCG is the key point here.
In the context of the new collaborative effort, the FBI will focus on identifying the victims, the collection and analysis of evidence, and the attribution. CISA will focus on sharing information with governmental and private sector entities and will also release a free tool to help organizations detect potentially malicious activity relevant to the “Sunburst” malware.
ODNI will provide support by driving mitigation and response activities, as well as for the creation of situational awareness for key stakeholders. And finally, the NSA will provide intelligence, expertise, and actionable guidance.
Sounds great, but the truth is that a lot of time has already passed and too much information about the attack still is unclear. If a task force like the one described above had been available in previous years, supply chain attacks like the recent one against Solar Winds could have been averted, or their effects could be greatly mitigated. Additionally, experts in the industry all agree that U.S. agencies are spending energy and resources on culprit identification, whereas they should be focused on improving defenses.
Brandon Hoffman, CISO at Netenrich comments:
Truthfully this feels a lot like ‘a day late and a dollar short.’ The government should have already had a rapid response coordinated unit with these capabilities years ago. Maybe they did, and we are only finding out now, but if they didn’t, that seems appalling considering that is what’s expected of private sector organizations for years. A parallel stream to the current triage should be an examination of why our defenses and other early warning systems failed so miserably. This should be considered a critical effort. While we are busy triaging, there are most certainly additional or follow-on attempts by other adversaries across the globe. There’s blood in the water, and everybody smells it.