04:25 PM
US Formally Attributes SolarWinds Attack to Russian Intelligence Agency

Treasury Department slaps sanctions on IT security firms that it says helped Russia's Foreign Intelligence Service carry out the attacks.

The Biden administration Thursday officially blamed Russia's Foreign Intelligence Service, SVR, for the cyberattack on SolarWinds and announced sanctions against a handful of IT security firms for helping enable that attack and other malicious cyber activities over the years.

Among the vendors put on the US Treasury Department sanctions list were Positive Technologies and several other, lesser-known Russian IT security firms, including Neobit, Advanced System Technology, and Pasit.


In a related announcement, the National Security Agency (NSA), FBI, and the Department of Homeland Security's Cybersecurity and Infrastructure Security Agency (CISA) today issued a joint advisory warning that the SVR is actively targeting widely deployed network and communication technologies on US networks from companies such as Fortinet, Pulse Secure, Citrix, and VMware.

The actions mark the first time the US government has formally named a Russian intelligence agency as the perpetrator of the SolarWinds attack and the subsequent intrusions into other networks, including those belonging to government agencies, private firms, and security companies such as FireEye and Mimecast. The attacks have caused considerable concern about large-scale data theft, cyber espionage, and threat actors maintaining a persistent, hidden presence deep inside US networks. Previously, US intelligence and law enforcement agencies had described the attacks as "most likely Russian in origin" but had stopped short of attributing them to any specific entity.

Kevin Mandia, CEO of FireEye, describes the sanctions as likely making things harder for Russian operators. "Unfortunately, we are unlikely to fully deter cyber espionage, and we will have to take serious action to better defend ourselves from inevitable future intrusions," he says in an emailed comment responding to this morning's announcement.

The sanctions that the Treasury Department announced today identified the SVR as one of three Russian intelligence services responsible for carrying out "some of the most dangerous and disruptive cyberattacks in recent history, including the SolarWinds attack."

The other two Russian intelligence services, the Federal Security Service (FSB) and Russia's Main Intelligence Directorate (GRU), already have been hit with three previous sanctions actions. Two of them, in 2016 and 2018, were related to malicious cyber activity, including ransomware campaigns, deployment of the NotPetya and Olympic Destroyer malware, attacks on the World Anti-Doping Agency, and attacks on numerous government and critical infrastructure systems in multiple countries. In March 2021, the GRU and FSB were sanctioned again, this time in connection with activities related to the proliferation of nuclear weapons and weapons of mass destruction.

The Treasury Department sanctions were imposed under a new executive order that President Biden signed Thursday. The order responds to what the White House described as ongoing efforts by the Russian government to undermine US democratic processes and to engage in a wide range of malicious cyber activities. It authorizes the Treasury Department to deploy "strategic and economically impactful" sanctions on the SVR and on entities thought to be materially helping Russian intelligence services carry out their missions.

Impact of Sanctions
The sanctions prohibit US financial institutions from participating in the primary market for new Russian sovereign debt. They also freeze all US-based property and interests in property belonging to the entities on the Treasury Department sanctions list, and the freeze extends to any entity that is 50% or more owned by one or more of the listed entities.

The sanctions are likely going to create some uncertainty and disruption for US organizations currently using technologies from entities on the new sanctions list. "As nation-state tension spills over into the private sector, there may be organizations caught flat-footed by the reality that they are participating with or without their consent in a broader narrative of competing national interests," says Tim Wade, technical director and CTO at Vectra.

In the immediate term, affected organizations are likely going to have to source new technologies and capabilities, he says. "In the longer term, supplier security itself as a discipline will need to expand its purview of risk to include the collateral damages inflicted by rising national tensions in the cyber domain," Wade says.

Meanwhile, in a statement Friday, Positive Technologies said the Treasury Department's accusations against it are "groundless" and backed by no evidence of any wrongdoing on its part. The security vendor, which provides a range of penetration testing, security assessment, and other services, described itself as a well-regarded company that has always operated within industry norms and standards. "We truly think that geopolitics should not be a barrier to the technological development of society and we will continue to do what we do best—to protect and ensure cybersecurity around the world," the company said.

The US government's action Thursday finally has attached a name to the shadowy entity behind the SolarWinds attack, which numerous security experts have described as one of the most sophisticated malicious cyber operations ever. However, because of how notoriously hard attack attribution can be, some questions are bound to remain about the data that led US intelligence to SVR.

"The attribution of the SolarWinds supply chain attack campaign to a state-sponsored Russian cyber-espionage group is credible, as the high levels of sophistication, tradecraft, and stealth in that campaign were consistent with that of such Russian groups," Paul Prudhomme, cyber threat analyst at IntSights, said in a statement. "It nonetheless remains unclear what specific data points enabled the attribution."

Joseph Carson, chief security scientist and advisory CISO at ThycoticCentrify, says the fact that the US government is holding Russia accountable should come as no surprise, but more information is needed around the attribution. "The more we learn about the attribution, the more concrete accountability and action can be taken," he says.

Meanwhile, today's joint advisory from the FBI, NSA, and CISA warned organizations that the SVR is actively exploiting five specific vulnerabilities in products from five vendors: CVE-2018-13379 in Fortinet's FortiGate SSL VPN; CVE-2019-11510 in Pulse Secure's Pulse Connect Secure VPN; CVE-2019-19781 in Citrix Application Delivery Controller and Gateway; CVE-2020-4006 in VMware Workspace ONE Access; and CVE-2019-9670 in Synacor's Zimbra Collaboration Suite. All five have had vendor patches available for months or years, so the advisory's practical message is to confirm those patches are actually applied on internet-facing gateways and to look back through access logs for exploitation attempts.

Pulse Secure said it issued a fix in April 2019 for the vulnerability (CVE-2019-11510) identified in the joint advisory. "The NSA has identified an old issue that was patched on legacy Pulse Secure deployments in April 2019," a spokeswoman said in an emailed statement. "Customers who followed the instructions in a Pulse Secure security advisory issued at that time have properly protected their systems and mitigated the threat."
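Because three of the five advisory CVEs (FortiOS SSL VPN, Pulse Connect Secure, and Citrix ADC/Gateway) are directory-traversal bugs in web-facing VPN portals, the retrospective check a practitioner would run first is a pass over the gateway's access logs for traversal sequences under those portals' entry paths. The script below is an added example written for this article, not code from Dark Reading, the advisory, or any of the vendors. The log lines are constructed, the URI shapes mirror the publicly documented probes for those three CVEs, and the path prefixes mapped to each CVE are assumptions you would adjust for your own deployment; the two non-traversal CVEs (VMware Workspace ONE Access and Zimbra) are not covered by this check.

```python
"""Flag directory-traversal probes against VPN/gateway portals in web access logs.

Added example for the joint-advisory CVEs; not the article's or any vendor's code.
Sample log lines are constructed. Portal prefixes and probe shapes are assumptions
based on publicly documented exploitation of CVE-2018-13379 (FortiOS SSL VPN),
CVE-2019-11510 (Pulse Connect Secure) and CVE-2019-19781 (Citrix ADC/Gateway).
"""
import re
from urllib.parse import unquote

# Constructed sample lines in Apache/nginx "combined" format (RFC 5737 test addresses).
SAMPLE_LOG = """\
203.0.113.5 - - [15/Apr/2021:13:02:11 +0000] "GET /dana-na/../dana/html5acc/guacamole/../../../../../../../etc/passwd?/dana/html5acc/guacamole/ HTTP/1.1" 200 1846 "-" "python-requests/2.25.1"
203.0.113.5 - - [15/Apr/2021:13:02:12 +0000] "GET /dana-na/auth/url_default/welcome.cgi HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
198.51.100.7 - - [15/Apr/2021:13:05:40 +0000] "GET /remote/fdssl_vpn_web/../../../../../../..//////////dev/cmdb/sslvpn_websession HTTP/1.1" 200 2048 "-" "curl/7.68.0"
198.51.100.9 - - [15/Apr/2021:13:07:01 +0000] "POST /vpn/../vpns/portal/scripts/newbm.pl HTTP/1.1" 200 81 "-" "curl/7.68.0"
192.0.2.10 - - [15/Apr/2021:13:08:15 +0000] "GET /vpn/index.html HTTP/1.1" 200 9200 "-" "Mozilla/5.0"
192.0.2.11 - - [15/Apr/2021:13:09:30 +0000] "GET /remote/login?lang=en HTTP/1.1" 200 3100 "-" "Mozilla/5.0"
"""

# Minimal combined-log parser: client IP, timestamp, method, request URI, status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<uri>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)

# Assumed portal entry-point prefixes, mapped to the advisory CVE they correspond to.
PREFIX_TO_CVE = {
    "/dana-na/": "CVE-2019-11510",   # Pulse Connect Secure web portal
    "/remote/": "CVE-2018-13379",    # FortiOS SSL VPN web portal
    "/vpn/": "CVE-2019-19781",       # Citrix ADC / Gateway
}

# A ".." path segment anywhere in the normalized path.
TRAVERSAL_RE = re.compile(r"(^|/)\.\.(/|$)")


def normalize(uri):
    """Strip the query string, decode twice (catches %252e tricks), collapse '//' runs."""
    path = uri.split("?", 1)[0]
    decoded = unquote(unquote(path))
    return re.sub(r"/+", "/", decoded)


def classify(uri):
    """Return the CVE tag if `uri` is a traversal probe under a known portal prefix, else None."""
    path = normalize(uri)
    for prefix, cve in PREFIX_TO_CVE.items():
        if path.startswith(prefix) and TRAVERSAL_RE.search(path):
            return cve
    return None


def scan(log_text):
    """Parse each line and return a list of findings for traversal probes."""
    findings = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that are not in combined format
        cve = classify(m.group("uri"))
        if cve:
            findings.append({
                "ip": m.group("ip"),
                "ts": m.group("ts"),
                "cve": cve,
                "status": int(m.group("status")),  # a 200 on a probe is the worrying case
                "uri": m.group("uri"),
            })
    return findings


if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        print(f"{f['ts']} {f['ip']} {f['cve']} status={f['status']} {f['uri']}")
```

Run it against a real gateway log by reading the file into `scan()`. A probe that returned 200 rather than 4xx is the line to escalate: on the affected versions that status means the traversal read succeeded, which is exactly the credential-harvesting step the advisory describes for these appliances. Note that the Pulse Secure vulnerability was patched in April 2019, so a 200 on that probe on a current appliance would itself indicate an unpatched or legacy deployment.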

Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication.
