The Cyber Unified Coordination Group said in a statement on Tuesday that fewer than 10 government agencies have been "compromised by follow-on activity" on federal systems as a result of the hack.
The White House task force investigating the widespread hack of U.S. networks said today that Russia is the likely culprit.
Analysts and some administration officials have suggested a Russian intelligence service is behind the hack of SolarWinds' Orion product, but the statement from the Cyber Unified Coordination Group, which includes the FBI, the Cybersecurity and Infrastructure Security Agency, the National Security Agency and the Office of the Director of National Intelligence, is the first time the federal government has explicitly attributed the attack to Russia.
"This work indicates that an Advanced Persistent Threat actor, likely Russian in origin, is responsible for most or all of the recently discovered, ongoing cyber compromises of both government and non-governmental networks," the statement reads.
The group also said that it has identified fewer than 10 government agencies that were explicitly targeted by hackers with follow-on activity using the access provided by the SolarWinds breach.
The group's statement references an initial estimate by SolarWinds that said 18,000 "public and private sector customers" downloaded the malicious code implanted within the company’s update server for its Orion IT management software.
But officials believe "a much smaller number have been compromised by follow-on activity on their systems" – and these include fewer than 10 government agencies. The group is also "working to identify and notify the nongovernment entities who also may be impacted."
Microsoft and cybersecurity firm FireEye last month estimated several dozen organizations were victimized by hackers beyond merely downloading the backdoor vulnerability discovered in SolarWinds Orion. The New York Times over the weekend reported that intelligence officials now believe that 250 organizations may have been "affected."
In the wake of the ongoing breach, some lawmakers have suggested the hack was an act of war. Other lawmakers and analysts have pointed out that merely breaching the government's systems is espionage but does not constitute an act of war.
The government assessment is that the hack falls under the category of espionage.
"At this time, we believe this was, and continues to be, an intelligence gathering effort," the statement reads.
The statement also details the roles and responsibilities of the task force agencies, and notes that NSA is working with defense industrial base system owners to assess "the scale and scope of the incident" and provide mitigation assistance. No defense contractors have yet been identified as targets of the SolarWinds breach. Officials at the Departments of Defense, Treasury, Commerce and Homeland Security have confirmed that they were affected by the breach. Press reports have named other agencies including the State Department and the National Institutes of Health as targets.
President Donald Trump has previously suggested China was behind the hack. That claim was not mentioned in the task force statement.