The United States government is formally accusing the Russian government of the SolarWinds supply-chain attack that gave hackers access to the network of multiple U.S. agencies and private tech sector companies.
In a brief announcing sanctions on Russia for actions against the U.S. interests, the White House is naming the Cozy Bear group of advanced hackers as the author of the cyber espionage activity exploiting the SolarWinds Orion platform.
Loud and clear attribution
The press release from the White House confirms past media reports citing unofficial sources that the Russian Foreign Intelligence Service, the SVR, was behind the SolarWinds hack.
In early January, the Cyber Unified Coordination Group (UCG) attributed the attack to a Russian-backed hacker group, without giving a specific name.
Today, the White House officially blames the SVR for carrying out “the broad-scope cyber espionage campaign” through its hacking division commonly referred to as APT29, The Dukes, or Cozy Bear.
“The U.S. Intelligence Community has high confidence in its assessment of attribution to the SVR,” notes the brief from the White House.
By compromising the SolarWinds software supply chain, the SVR had access to more than 16,000 computers across the world. However, the campaign targeted only select targets, such as companies in the cybersecurity sector (FireEye, Malwarebytes, Mimecast) and state and federal agencies in the U.S.
“The scope of this compromise is a national security and public safety concern. Moreover, it places an undue burden on the mostly private sector victims who must bear the unusually high cost of mitigating this incident” - the U.S. White House
In a joint cybersecurity advisory, the U.S. National Security Agency (NSA), the Cybersecurity and Infrastructure Security Agency (CISA), and the Federal Bureau of Investigation (FBI) are warning about the top five vulnerabilities the SVR is exploiting in attacks against the U.S. interests.
Organizations should heed the warning and take the necessary steps to identify and defend against malicious activity conducted by the SVR.
Russian companies sanctioned
President Biden has issued an executive order today on blocking property with regards to harmful activities from the government of the Russian Federation.
Using the Executive Order issued today by President Biden, the Treasury Department has issued sanctions against the following Russian technology companies for helping the SVR, Russia's Federal Security Service (FSB), and Russia’s Main Intelligence Directorate (GRU) perform malicious cyber activities against the United States.
ERA Technopolis - A research center and technology park funded and operated by the Russian Ministry of Defense. ERA Technopolis houses and supports units of Russia’s Main Intelligence Directorate (GRU) responsible for offensive cyber and information operations and leverages the personnel and expertise of the Russian technology sector to develop military and dual-use technologies.
Pasit - A Russia-based information technology (IT) company that conducted research and development in support of Russia’s Foreign Intelligence Service’s (SVR) malicious cyber operations.
SVA - A Russian state-owned research institute specializing in advanced systems for information security located in Russia. SVA conducted research and development in support of the SVR’s malicious cyber operations.
Neobit - A Saint Petersburg, Russia-based IT security firm whose clients include the Russian Ministry of Defense, SVR, and Russia’s Federal Security Service (FSB). Neobit conducted research and development in support of the cyber operations conducted by the FSB, GRU, and SVR. Neobit was also designated today under cyber-related E.O. 13694, as amended by E.O. 13757, WMD-related E.O. 13382, and the Countering America’s Adversaries Through Sanctions Act (CAATSA) for providing material support to the GRU.
AST - A Russian IT security firm whose clients include the Russian Ministry of Defense, SVR, and FSB. AST provided technical support to cyber operations conducted by the FSB, GRU, and SVR. AST was also designated today under E.O. 13694, E.O. 13382, and CAATSA for providing support to the FSB.
Positive Technologies - A Russian IT security firm that supports Russian Government clients, including the FSB. Positive Technologies provides computer network security solutions to Russian businesses, foreign governments, and international companies and hosts large-scale conventions that are used as recruiting events for the FSB and GRU. Positive Technologies was also designated today under E.O. 13694, E.O. 13382, and CAATSA for providing support to the FSB.
US companies and financial institutions are no longer able to do business with the above-sanctioned companies without first applying for and receiving a license from the Office of Foreign Assets Control (OFAC).