US Formally Attributes SolarWinds Attack to Russian Intelligence Agency
Treasury Department slaps sanctions on IT security firms that it says supported Russia’s Foreign Intelligence Service carry out the attacks.
The Biden administration Thursday officially blamed Russia’s Foreign Intelligence Service, SVR, for the cyberattack on SolarWinds and announced sanctions against a handful of IT security firms for helping enable that attack and other malicious cyber activities over the years.
Among the vendors put on the US Treasury Department sanctions list were Positive Technologies and some other relatively lesser-known IT security firms in the US, including Neobit, Advanced System Technology, and Pasit.
In a related announcement, the National Security Agency (NSA), FBI, and the Department of Homeland Security’s Cyber Security & Infrastructure Security Agency (CISA) today issued a joint advisory warning of the SVR actively targeting widely deployed network and communication technologies on US networks from companies such as Fortinet, Pulse Secure, Citrix, and VMware.
The actions mark the first time the US government has formally named a Russian intelligence agency as the perpetrator of the SolarWinds attack and subsequent intrusions into other networks, including those belonging to government agencies, private firms, and security companies such as FireEye and Mimecast. The attacks have caused considerable concern about large-scale data theft, cyber espionage, and threat actors with persistent presence hidden deep on US networks. Previously, US intelligence and law enforcement agencies had described the attacks as being “most likely Russian in origin” but had stopped short of attributing it to any specific entity.
Kevin Mandia, CEO of FireEye, describes the sanctions as likely making things harder for Russian operators. “Unfortunately, we are unlikely to fully deter cyber espionage, and we will have to take serious action to better defend ourselves from inevitable future intrusions,” he says in an emailed comment responding to this morning’s announcement.
The sanctions that the Treasury Department announced today identified the SVR as one of three Russian intelligence services responsible for carrying out “some of the most dangerous and disruptive cyberattacks in recent history, including the SolarWinds attack.”
The other two Russian intelligence services — the Federal Security Service (FSB) and Russia’s Main Intelligence Directorate (GRU) —already have been hit with three previous sanctions actions. Two of them, in 2016 and 2018, were related to malicious cyber activity, including ransomware campaigns, deployment of NotPetya and Olympic Destroyer malware, attacks on the World Anti-Doping Agency, and numerous government and critical infrastructure systems in multiple countries. In March 2021, the GRU and FSB were sanctioned again, but this time in connection with activities related to proliferation of nuclear weapons and weapons of mass destruction.
The Treasury Department sanctions were imposed under a new executive order that President Biden signed Thursday. Biden’s executive order is in response to what the White House described as ongoing efforts by the Russian government to undermine US democratic processes and engaging in a wide range of malicious cyber activities. It authorizes the Treasury Department to deploy “strategic and economically impactful” sanctions on the SVR and entities that are thought to be materially helping Russian intelligence services carry out their missions.
Impact of Sanctions
The sanctions prohibit US financial firms from participating in Russian markets. They also freeze all US-based property and interests in property belonging to the entities on the Treasury Department sanctions list. All US-based assets that are more than 50% owned by entities on the new sanctions list have also been frozen.
The sanctions are likely going to create some uncertainty and disruption for US organizations currently using technologies from entities on the new sanctions list. “As nation-state tension spills over into the private sector, there may be organizations caught flat-footed by the reality that they are participating with or without their consent in a broader narrative of competing national interests,” says Tim Wade, technical director and CTO at Vectra.
In the immediate term, affected organizations are likely going to have to source new technologies and capabilities, he says. “In the longer term, supplier security itself as a discipline will need to expand its purview of risk to include the collateral damages inflicted by rising national tensions in the cyber domain,” Wade says.
Meanwhile, in a statement Friday, Positive Technologies said the Treasury Department’s accusations against it are “groundless” and backed by no evidence of any wrongdoing on its part. The security vendor–which provides a range of penetration testing, security assessment, and other services–described itself as a well-regarded company that has always operated within industry norms and standards. “We truly think that geopolitics should not be a barrier to the technological development of society and we will continue to do what we do best—to protect and ensure cybersecurity around the world,” the company said.
The US government’s action Thursday finally has attached a name to the shadowy entity behind the SolarWinds attack, which numerous security experts have described as one of the most sophisticated malicious cyber operations ever. However, because of how notoriously hard attack attribution can be, some questions are bound to remain about the data that led US intelligence to SVR.
“The attribution of the SolarWinds supply chain attack campaign to a state-sponsored Russian cyber-espionage group is credible, as the high levels of sophistication, tradecraft, and stealth in that campaign were consistent with that of such Russian groups,” Paul Prudhomme, cyber threat analyst at IntSights, said in a statement.”It nonetheless remains unclear what specific data points enabled the attribution.”
Joseph Carson, chief security scientist and advisory CISO at ThycoticCentrify, says the fact that the US government is holding Russia accountable should come as no surprise, but more information is needed around the attribution. “The more we learn about the attribution, the more concrete accountability and action can be taken,” he says.
Meanwhile, today’s joint advisory from the FBI, NSA, and CISA warned organizations to be on the alert for targeting a set of five specific vulnerabilities in products from five vendors. According to them, attackers are actively targeting CVE-2018-13379 in Fortinet’s Fortigate VP; CVE-2019-11510, impacting Pulse Secure Pulse Connect Secure VPN; CVE-2019-19781 in Citrix Application Delivery Controller and Gateway; CVE-2020-4006 in VMware Workspace ONE Access; and CVE-2019-9670 in Synacor Zimbra Collaboration Suite.
Pulse Secure said it issued a fix in April 2019 for the vulnerability (CVE-2019-11510) identified in the joint advisory. “The NSA has identified an old issue that was patched on legacy Pulse Secure deployments in April 2019,” a spokeswoman said in an emailed statement. “Customers who followed the instructions in a Pulse Secure security advisory issued at that time have properly protected their systems and mitigated the threat.”
Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year … View Full Bio