The Department of Homeland Security’s (DHS) Cybersecurity and Infrastructure Security Agency (CISA) and the FBI are looking into last week’s spear-phishing campaign targeting the United States Agency for International Development (USAID), and have not found any “significant impact” to Federal agencies, according to a May 28 joint statement.
CISA and the FBI say approximately 350 organizations – both Federal agencies and private sector entities – were affected by the attack. That is a significant increase from the original estimate of 150 organizations.
“At this point, CISA has not identified significant impact on Federal government agencies resulting from these activities,” the joint statement says. “CISA continues to work with the FBI to understand the scope of these activities and assist potentially impacted entities.”
In addition to the joint statement, the FBI and CISA released a joint activity alert with information on the type of attack and mitigation efforts. At the top of the list of mitigations is enabling multi-factor authentication on every account, a measure also required of Federal agencies by the White House’s Cyber Executive Order.
Microsoft attributed the attack to the Russian-backed group Nobelium, the same group responsible for the SolarWinds attack and other parts of the ongoing Sunburst campaign. The joint activity alert acknowledges that attribution but declines to definitively say Nobelium is responsible at this time.
“CISA and FBI acknowledge open-source reporting attributing the activity discussed in the report to APT29 (also known as Nobelium, The Dukes, and Cozy Bear),” the activity alert says. “However, CISA and FBI are investigating this activity and have not attributed it to any threat actor at this time. CISA and FBI will update this Joint Cybersecurity Advisory as new information becomes available.”