the staff of the Ridgewood blog
Ridgewood NJ, in an internal investigation into the December 13th SolarWinds applications hack, Microsoft reported the following: “Our investigation into our own environment has found no evidence of access to production services or customer data. The investigation, which is ongoing, has also found no indications that our systems were used to attack others.
As we previously reported, we detected malicious SolarWinds applications in our environment, which we isolated and removed. Having investigated further, we can now report that we have not found evidence of the common TTPs (tools, techniques and procedures) related to the abuse of forged SAML tokens against our corporate domains.
Our investigation has, however, revealed attempted activities beyond just the presence of malicious SolarWinds code in our environment. This activity has not put at risk the security of our services or any customer data, but we want to be transparent and share what we’re learning as we combat what we believe is a very sophisticated nation-state actor.
We detected unusual activity with a small number of internal accounts and upon review, we discovered one account had been used to view source code in a number of source code repositories. The account did not have permissions to modify any code or engineering systems and our investigation further confirmed no changes were made. These accounts were investigated and remediated.”
On November 13th The Cybersecurity & Infrastructure Security Agency and the Election Infrastructure Government Coordinating Council, both within the Department of Homeland Security, issued a joint statement in which they declared this election ‘the most secure in American history’.
A joint statement by the Federal Bureau of Investigation (FBI), the Cybersecurity and Infrastructure Security Agency (CISA), and the Office of the Director of National Intelligence (ODNI), issued on December 16th after the SolarWinds hack, said:
“Over the course of the past several days, the FBI, CISA, and ODNI have become aware of a significant and ongoing cybersecurity campaign. Pursuant to Presidential Policy Directive (PPD) 41, the FBI, CISA, and ODNI have formed a Cyber Unified Coordination Group (UCG) to coordinate a whole-of-government response to this significant cyber incident. The UCG is intended to unify the individual efforts of these agencies as they focus on their separate responsibilities. This is a developing situation, and while we continue to work to understand the full extent of this campaign, we know this compromise has affected networks within the federal government.
As the lead for threat response, the FBI is investigating and gathering intelligence in order to attribute, pursue, and disrupt the responsible threat actors. The FBI is engaging with known and suspected victims, and information gained through FBI’s efforts will provide indicators to network defenders and intelligence to our government partners to enable further action.
As the lead for asset response activities, CISA took immediate action and issued an Emergency Directive instructing federal civilian agencies to immediately disconnect or power down affected SolarWinds Orion products from their network. CISA remains in regular contact with our government, private sector and international partners, providing technical assistance upon request, and making needed information and resources available to help those affected recover quickly from this incident. CISA is engaging with our public and private stakeholders across the critical infrastructure community to ensure they understand their exposure and are taking steps to identify and mitigate any compromises.
As the lead for intelligence support and related activities, ODNI is helping to marshal all of the Intelligence Community’s relevant resources to support this effort and share information across the United States Government.
To report suspicious or criminal activity related to information found in this statement, contact your local FBI field office at https://www.fbi.gov/contact-us/field-offices. To request incident response resources or technical assistance related to this statement, visit https://www.us-cert.gov/report; or email Central@cisa.gov.”