{
	"id": "e20c7c68-e064-4637-8bfe-f6a8436f0eb1",
	"created_at": "2026-04-06T00:20:16.433769Z",
	"updated_at": "2026-04-10T13:11:23.927498Z",
	"deleted_at": null,
	"sha1_hash": "1f34fa70c0d1d2e53d25c4452c75452a28eb7788",
	"title": "Joint Statement by the Federal Bureau of Investigation (FBI), the Cybersecurity and Infrastructure Security Agency (CISA), the Office of the Director of National Intelligence (ODNI), and the National Security Agency (NSA) | CISA",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 41394,
	"plain_text": "Joint Statement by the Federal Bureau of Investigation (FBI), the\r\nCybersecurity and Infrastructure Security Agency (CISA), the\r\nOffice of the Director of National Intelligence (ODNI), and the\r\nNational Security Agency (NSA) | CISA\r\nPublished: 2021-01-05 · Archived: 2026-04-05 19:18:22 UTC\r\nOn behalf of President Trump, the National Security Council staff has stood up a task force construct known as the\r\nCyber Unified Coordination Group (UCG), composed of the FBI, CISA, and ODNI with support from NSA, to\r\ncoordinate the investigation and remediation of this significant cyber incident involving federal government\r\nnetworks. The UCG is still working to understand the scope of the incident but has the following updates on its\r\ninvestigative and mitigation efforts.\r\nThis work indicates that an Advanced Persistent Threat (APT) actor, likely Russian in origin, is responsible for\r\nmost or all of the recently discovered, ongoing cyber compromises of both government and non-governmental\r\nnetworks. At this time, we believe this was, and continues to be, an intelligence gathering effort. We are taking all\r\nnecessary steps to understand the full scope of this campaign and respond accordingly.\r\nThe UCG believes that, of the approximately 18,000 affected public and private sector customers of SolarWinds’\r\nOrion product, a much smaller number have been compromised by follow-on activity on their systems. We have\r\nso far identified fewer than ten U.S. government agencies that fall into this category, and are working to identify\r\nand notify the nongovernment entities who also may be impacted.\r\nThis is a serious compromise that will require a sustained and dedicated effort to remediate. Since its initial\r\ndiscovery, the UCG, including hardworking professionals across the United States Government, as well as our\r\nprivate sector partners, have been working non-stop. These efforts did not let up through the holidays. 
The UCG\r\nwill continue taking every necessary action to investigate, remediate, and share information with our partners and\r\nthe American people.\r\nAs the lead agency for threat response, the FBI’s investigation is presently focused on four critical lines of effort:\r\nidentifying victims, collecting evidence, analyzing the evidence to determine further attribution, and sharing\r\nresults with our government and private sector partners to inform operations, the intelligence picture, and network\r\ndefense.\r\nAs the lead for asset response, CISA is focused on sharing information quickly with our government and private\r\nsector partners as we work to understand the extent of this campaign and the level of exploitation. CISA has also\r\ncreated a free tool for detecting unusual and potentially malicious activity related to this incident. In an\r\nEmergency Directive posted December 14, CISA directed the rapid disconnect or power-down of affected\r\nSolarWinds Orion products from federal networks. CISA also issued a technical alert providing technical details\r\nand mitigation strategies to help network defenders take immediate action. CISA will continue to share any known\r\ndetails as they become available.\r\nAs the lead for intelligence support and related activities, ODNI is coordinating the Intelligence Community to\r\nensure the UCG has the most up-to-date intelligence to drive United States Government mitigation and response\r\nactivities. 
Further, as part of its information-sharing mission, ODNI is providing situational awareness for key\r\nstakeholders and coordinating intelligence collection activities to address knowledge gaps.\r\nLastly, the NSA is supporting the UCG by providing intelligence, cybersecurity expertise, and actionable guidance\r\nto the UCG partners, as well as National Security Systems, Department of Defense, and Defense Industrial Base\r\nsystem owners. NSA’s engagement with both the UCG and industry partners is focused on assessing the scale and\r\nscope of the incident, as well as providing technical mitigation measures.\r\nThe UCG remains focused on ensuring that victims are identified and able to remediate their systems, and that\r\nevidence is preserved and collected. Additional information, including indicators of compromise, will be made\r\npublic as they become available.\r\nFor additional resources please see:\r\nCISA suspicious activity detection tool: https://github.com/cisagov/Sparrow\r\n12/22 FBI Private Industry Notification\r\nCISA Insights: What Every Leader Needs to Know About the Ongoing APT Cyber Activity\r\nCISA Alert: Advanced Persistent Threat Compromise of Government Agencies, Critical Infrastructure, and\r\nPrivate Sector Organizations\r\nNSA Cybersecurity Advisory: Malicious Actors Abuse Authentication Mechanisms to Access Cloud\r\nResources\r\nDecember 16, 2020 Joint UCG Statement\r\n###\r\nSource: https://www.cisa.gov/news-events/news/joint-statement-federal-bureau-investigation-fbi-cybersecurity-and-infrastructure",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MITRE"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://www.cisa.gov/news-events/news/joint-statement-federal-bureau-investigation-fbi-cybersecurity-and-infrastructure"
	],
	"report_names": [
		"joint-statement-federal-bureau-investigation-fbi-cybersecurity-and-infrastructure"
	],
	"threat_actors": [
		{
			"id": "d90307b6-14a9-4d0b-9156-89e453d6eb13",
			"created_at": "2022-10-25T16:07:23.773944Z",
			"updated_at": "2026-04-10T02:00:04.746188Z",
			"deleted_at": null,
			"main_name": "Lead",
			"aliases": [
				"Casper",
				"TG-3279"
			],
			"source_name": "ETDA:Lead",
			"tools": [
				"Agentemis",
				"BleDoor",
				"Cobalt Strike",
				"CobaltStrike",
				"RbDoor",
				"RibDoor",
				"Winnti",
				"cobeacon"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434816,
	"ts_updated_at": 1775826683,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/1f34fa70c0d1d2e53d25c4452c75452a28eb7788.pdf",
		"text": "https://archive.orkl.eu/1f34fa70c0d1d2e53d25c4452c75452a28eb7788.txt",
		"img": "https://archive.orkl.eu/1f34fa70c0d1d2e53d25c4452c75452a28eb7788.jpg"
	}
}