CISA head: Group of SolarWinds victims is 'solidified'

Brandon Wales, the acting director of the Cybersecurity and Infrastructure Security Agency, also said his agency is still working to determine if any federal networks were compromised by vulnerabilities discovered in Microsoft Exchange.

Brandon Wales, the acting director of the Cybersecurity and Infrastructure Security Agency, said on Monday the list of victims from the attack on SolarWinds Orion has "solidified" and he is not expecting many more organizations to come forward.

"When it comes to the SolarWinds and Microsoft Office 365 compromises from last year, I would say the victim space is largely solidified now," Wales said during an online forum hosted by the McCrary Institute at Auburn University in Alabama. "We’re not expecting to see a lot of new victims."

Anne Neuberger, the deputy national security advisor for cyber and emerging technology, has previously said nine federal agencies and roughly 100 private companies were victimized by the campaign against SolarWinds Orion, an IT management software product.

Asked a similar question about victims of the recently discovered vulnerabilities in Microsoft Exchange, Wales said CISA is continuing to work with federal agencies to understand whether any have been compromised. He said he could not yet give a definitive answer on whether some were breached.

"Different from the Microsoft Exchange vulnerability, there’s a relatively smaller universe -- still quite large -- of companies that are utilizing things like SolarWinds Orion network management software," he said.

During the virtual event, Wales also sounded the alarm on the threat posed by ransomware and discussed his agency’s new awareness campaign.

"Ransomware continues to kind of bedevil the cybersecurity community in part because these ransomware operators are looking broadly," he said. "When we’re facing up against nation state adversaries, they’ve got a purpose behind what they’re doing. They’re looking for information.… But for ransomware operators, they’re looking at anyone."

The CISA director also noted -- as private-sector companies have outlined in reports -- that the spike in remote work and digital activities resulting from the coronavirus pandemic brought with it a spike in ransomware attacks in 2020.

"If the business model remains viable, if criminal actors can continue to profit from ransomware, we are unlikely to see a significant reduction in the activity from these ransomware operators," Wales said.