The US government’s response groups for dealing with recent SolarWinds and Microsoft Exchange vulnerabilities have reached the end of the road.
In a statement on Monday, US Deputy National Security Advisor for Cyber and Emerging Technology Anne Neuberger said the two Unified Coordination Groups (UCGs) formed in January and March respectively will be disbanded.
“Due to the vastly increased patching and reduction in victims, we are standing down the current UCG surge efforts and will be handling further responses through standard incident management procedures,” said Neuberger.
The SolarWinds incident, disclosed last December and subsequently attributed to the Russian Foreign Intelligence Service (SRV), involved the hacking of SolarWinds’ Orion IT management platform and is believed to have compromised at least nine federal agencies and about 100 private sector organizations.
It was Russia wot did it: SolarWinds hack was done by Kremlin’s APT29 crew, say UK and US
Last week, US President Joseph Biden announced sanctions against Russia for interference in the 2020 US elections and involvement in the SolarWinds attack, among other things.
The Microsoft Exchange flaws – four zero day vulnerabilities fixed in March and two more patched last week – were initially attributed to hackers in China. But subsequent reports showed multiple hacking groups taking advantage of the bugs. Last month, National Security Advisor Jake Sullivan declined to say whether China was to blame and said the scope of the attack is still being investigated.
The US government’s decision to wrap up its intervention efforts follows vulnerability analysis provided by the National Security Agency to Microsoft and the Federal Bureau of Investigation’s extraordinary court-approved intervention to shut down web shells installed on compromised Exchange servers.
The two UCGs may be dissolved, but Neuberger argues that they won’t be forgotten and that what was learned from the response groups will help future government cybersecurity initiatives. She also observed that the federal effort to narrow the more than 16,000 potential SolarWinds targets down to about 100 private sector organizations helped illuminate and mitigate the attacks.
“While this will not be the last major incident, the SolarWinds and Microsoft Exchange UCGs highlight the priority and focus the Administration places on cybersecurity, and at improving incident response for both the US government and the private sector,” said Neuberger.
In an email to The Register, Ed Skoudis, founder of penetration testing biz Counter Hack and Fellow at the SANS Institute, said the attacks were extraordinary in their breadth and scope.
“A bunch of government agencies learned a tremendous amount in coordinating analysis and response for it, especially CISA,” he said. “I really do think that the relationships built in coordinating this response among government agencies and the private sector will serve us well in future attacks, which are inevitable. We’ll be better prepared next time around in responding.”
At the same, Skoudis remains concerned that improved response capabilities won’t help detect or prevent attacks of this sort.
“It’s a really hard problem to solve given the complexity of modern software development environments and the subtlety of very advanced nation-state attackers,” he said. ®