The Biden administration has decided to stand down two emergency response groups recently established to drive a coordinated government response to the SolarWinds attack and exploits targeting critical Microsoft Exchange Server vulnerabilities.
Lessons learned from the two so-called Unified Coordination Groups (UCGs) will be used to help improve future government responses to major cyber incidents, said Anne Neuberger, White House deputy national security advisor for cyber and emerging technology, on Monday.
"Due to the vastly increased patching and reduction in victims, we are standing down the current UCG surge efforts and will be handling further responses through standard incident management procedures," Neuberger said in a statement.
The Trump White House established the first UCG in early January following news of the SolarWinds breach. The attack resulted in malware being distributed to some 18,000 organizations around the world, including government agencies, private companies, and technology firms. The task force, composed of security teams from the FBI, the DHS' Cybersecurity & Infrastructure Security Agency (CISA), and the ODNI, was set up to drive a coordinated investigation and response for the attack, which involved federal government networks.
The Biden administration established a similar UCG in March, this time in response to news about attacks targeting four newly disclosed zero-day vulnerabilities in the widely used Microsoft Exchange Server. Unlike the first task force, this one also encouraged participation from private sector organizations.
Neuberger pointed to several lessons learned from the two UCGs in announcing the decision to wind them down. For example, by involving industry players and multiple legal authorities, the earlier UCG was able to accurately scope the SolarWinds attack and determine that fewer than 100 organizations were actually targeted in secondary attacks, down from a worst-case scenario of 16,800 organizations. "This enabled focused victim engagement and improved understanding of what the perpetrators targeted from the larger set of exposed entities," Neuberger said.
Similarly, active partnerships with private companies resulted in the expedited availability of a one-click tool from Microsoft for simplifying and accelerating patching and cleanup efforts at organizations affected in the Exchange Server attacks. "CISA created and utilized a methodology to track trends in patching and exposed Exchange servers that enabled the UCG to quantify the scope of the incident," Neuberger noted.
Many security experts have described the attack on SolarWinds as one of the worst in recent memory. The attack, which the US government last week formally attributed to Russia's Foreign Intelligence Service (SVR), has drawn widespread attention for the sophisticated malware used and extensive operational security that the attackers maintained throughout their campaign.
More than 18,000 organizations received malware hidden in legitimate updates of SolarWinds' Orion network management software. A handful of them, including fewer than 10 US federal agencies and companies such as FireEye and Mimecast, were later subjected to further exploits and data theft. FireEye had a collection of its red-team tools stolen, and Mimecast said some of its source code was taken in the attack.
In identifying SVR as the mastermind behind the SolarWinds campaign, the US Treasury Department also announced sanctions against multiple Russian IT security firms for helping the intelligence service in its campaign.
The more recent attacks on Microsoft Exchange Server also evoked substantial concern because of how widely used the technology is within US government and private networks. A cyber espionage group called Hafnium, which Microsoft says is a state-sponsored group operating out of China, was believed primarily responsible for many early attacks targeting the four bugs in Exchange Server. However, by March, multiple attackers were believed to be exploiting the flaws to carry out a range of malicious activities including stealing copies of Microsoft AD databases, dumping credentials, moving laterally and writing web shells that future attackers can exploit — the most troubling finding, researchers say.