The US and UK have officially attributed the SolarWinds cyber attack which affected 18,000 organisations globally to Russia’s Foreign Intelligence Service (Sluzhba Vneshney Razvedki, the SVR).
In a joint advisory, the NSA, FBI and Cybersecurity & Infrastructure Security Agency (CISA) said SVR actors – known among security researchers as APT29, Cozy Bear and The Dukes – were responsible for what has been described as one of the worst ever cyber-espionage attacks against the US.
Separately, the UK’s National Cyber Security Centre assessed that it is “highly likely” that Russia was responsible.
The Biden administration also announced a fresh wave of sanctions against Moscow in retaliation for the SolarWinds hack, election interference and allegedly paying bounties for US soldiers killed in Afghanistan. Up to 30 Russian entities were blacklisted and ten Russian diplomats were expelled from the US.
A full list of “Russian companies in the technology sector supporting Russian intelligence services” was issued by the US Treasury. It includes Positive Technologies, a fairly well-known security firm which describes itself as based in Switzerland and headquartered in the UK. The US Treasury says:
“Positive Technologies provides computer network security solutions to Russian businesses, foreign governments, and international companies and hosts large-scale conventions that are used as recruiting events for the FSB and GRU.”
The FSB and GRU are Russia’s other major intelligence agencies alongside the SVR. US citizens and companies can no longer do business with the named companies and organisations.
A Kremlin spokesperson described the sanctions as “illegal” to the Guardian. Russia has previously denied it was behind the cyberattack.
The SolarWinds supply chain attack, which has been dubbed Sunburst, first came to light in December 2020 and saw US government departments including Energy, the Treasury and Commerce affected. Anne Neuberger, deputy national security adviser for cyber, later stated that at least nine federal agencies were known to have been compromised by the attack as of February.
The SVR hackers injected malicious code into updates for SolarWinds’ Orion software, which is used by organisations to monitor their computer networks for outages and problems.
Companies that installed the tainted Orion update unwittingly gave the hackers remote access to their networks, allowing them to steal information and lay the groundwork for future attacks. Neuberger noted that private-sector companies compromised by the SVR included major tech firms – Microsoft, Cisco, Intel and Nvidia have all been named – and that these companies’ widely used products could have been put to further misuse by the SVR, affecting still more victims.
“This is a positive, welcome step towards adding more friction to Russian operations,” said Kevin Mandia, CEO of cybersecurity company FireEye, which was one of the first known victims of the SolarWinds hack. “Simply naming the SVR, as well as the corporations that support it will inform our defence.
“Unfortunately, we are unlikely to fully deter cyber espionage and we will have to take serious action to better defend ourselves from inevitable future intrusions.”
The FBI, CISA and NSA advisory also accused Russia of targeting Covid-19 research facilities “through deploying WellMess malware and leveraging a VMware vulnerability that was a zero-day at the time”.
The security organisations also accused the SVR of exploiting software vulnerabilities in Fortinet, Zimbra, Pulse Secure and Citrix to “gain initial footholds into victim devices and networks”.
They urged organisations to patch their systems if they had not already done so, and to follow the advisory's mitigation advice, such as blocking obsolete protocols and disabling external management capabilities.
Cybersecurity researchers linked the attack to Russian operatives last year and in January the three US security agencies identified a Russian advanced persistent threat (APT) group as the “likely” culprit behind the hack.
Tony Cole, CTO at cybersecurity company Attivo Networks, said it was too soon to say what the outcome of the sanctions and attribution against Russia would be.
“Although the actions today are badly needed by the US and its allies to hopefully counter Russian aggression, many past efforts, sanctions, and plans, have had little impact,” he said. “Actions by Russian and Chinese state-based actors or their proxies (and other nations) have been taking place for many years and efforts in the past to counter them have stuttered, stalled, or just completely failed.”
He added that a “close-knit global effort” is required to combat state-sponsored cyberattacks.
This was echoed by Joseph Carson, chief security scientist at Thycotic, who said: “A collaborative approach is the only way to tackle cybercrime where countries work together with transparency, holding those countries who provide safe havens for cyber terrorism accountable with strong actions will be the only way to reduce future cyberattacks.”
It should be noted that nation-state cyberattacks are also carried out by Western or Western-allied countries. Iran’s nuclear facilities were famously crippled by the Stuxnet malware in the noughties, and just a few weeks ago it was revealed that routine security operations by Google’s Project Zero team had shut down an ongoing counter-terrorist cyber attack by a Western intelligence agency.