WASHINGTON: The White House appeared to signal victory over the SolarWinds and Microsoft Exchange server cyber hacks today, announcing that two working groups formed to respond to them are winding down. The White House says the move is justified amid “vastly increased patching” of security vulnerabilities.

“We are standing down the current [Unified Coordination Groups] surge efforts and will be handling further responses through standard incident management procedures,” Anne Neuberger, deputy national security advisor for cyber and emerging technology, said in a prepared statement.

The announcement comes days after the White House formally attributed the SolarWinds cyber campaign to the Russian Foreign Intelligence Service (SVR) and issued an Executive Order imposing economic sanctions, diplomatic expulsions, and other punitive measures.

The statement also follows the Justice Department’s announcement last week of a secret FBI cyber operation to remove malicious web shells installed on privately owned and operated Exchange email servers within the US. The web shells enable attackers to gain remote administrative control of on-premise servers. The web shells were installed as part of a broader cyber campaign. Microsoft and others have said China initiated the campaign.

The two UCGs were formed to “drive a whole of government response” as foreign countries were actively hacking US entities, Neuberger said. The UCGs integrated private partners into the government response at the executive and tactical levels, she said, adding, “This type of partnership sets precedent for future engagements on significant cyber incidents.”

The statement credits the Cybersecurity and Infrastructure Security Agency with creating a method for tracking patched versus vulnerable Exchange email servers that allowed the Exchange UCG to understand the scope of the campaign.

The statement also credits the FBI and DoJ with “quickly” identifying the scale of the SolarWinds campaign “through industry partnerships and legal authorities.” This allowed “focused victim engagement and improved understanding of what the perpetrators targeted from the larger set of exposed entities,” Neuberger said, referencing the fact that only a small number of the tens of thousands of second stage victims were actively targeted in second stage hacks. Experts have suggested the threat actor did this to prioritize information gathering and minimize the likelihood of detection.

Finally, Neuberger credited NSA and CISA for teaming up to produce a series of advisories on attacker techniques and effective countermeasures to both campaigns.

“The innovations… and the lessons learned from these responses will be used to improve future unified, whole of government responses to significant cyber incidents,” Neuberger said.