US Formally Attributes SolarWinds Attack to Russian Intelligence Agency

Treasury Department slaps sanctions on IT security firms that it says helped Russia's Foreign Intelligence Service carry out the attacks.

The Biden administration Thursday officially blamed Russia's Foreign Intelligence Service, SVR, for the cyberattack on SolarWinds and announced sanctions against a handful of IT security firms for helping enable that attack and other malicious cyber activities over the years.

Among the vendors put on the US Treasury Department sanctions list were Positive Technologies and several other IT security firms that are relatively little known in the US, including Neobit, Advanced System Technology, and Pasit.

In a related announcement, the National Security Agency (NSA), FBI, and the Department of Homeland Security's Cybersecurity and Infrastructure Security Agency (CISA) today issued a joint advisory warning that the SVR is actively targeting widely deployed network and communication technologies on US networks from companies such as Fortinet, Pulse Secure, Citrix, and VMware.

The actions mark the first time the US government has formally named a Russian intelligence agency as the perpetrator of the SolarWinds attack and the subsequent intrusions into other networks, including those belonging to government agencies, private firms, and security companies such as FireEye and Mimecast. The attacks have caused considerable concern about large-scale data theft, cyber espionage, and threat actors maintaining a persistent presence hidden deep inside US networks. Previously, US intelligence and law enforcement agencies had described the attacks as "most likely Russian in origin" but had stopped short of attributing them to any specific entity.

Kevin Mandia, CEO of FireEye, describes the sanctions as likely making things harder for Russian operators. "Unfortunately, we are unlikely to fully deter cyber espionage, and we will have to take serious action to better defend ourselves from inevitable future intrusions," he says in an emailed comment responding to this morning's announcement.

The sanctions that the Treasury Department announced today identified the SVR as one of three Russian intelligence services responsible for carrying out "some of the most dangerous and disruptive cyberattacks in recent history, including the SolarWinds attack."

The other two Russian intelligence services — the Federal Security Service (FSB) and Russia's Main Intelligence Directorate (GRU) — already have been hit with three previous sanctions actions. Two of them, in 2016 and 2018, were related to malicious cyber activity, including ransomware campaigns, deployment of NotPetya and Olympic Destroyer malware, attacks on the World Anti-Doping Agency, and numerous government and critical infrastructure systems in multiple countries. In March 2021, the GRU and FSB were sanctioned again, but this time in connection with activities related to proliferation of nuclear weapons and weapons of mass destruction.

The Treasury Department sanctions were imposed under a new executive order that President Biden signed Thursday. Biden's executive order is a response to what the White House described as ongoing efforts by the Russian government to undermine US democratic processes and to engage in a wide range of malicious cyber activities. It authorizes the Treasury Department to deploy "strategic and economically impactful" sanctions on the SVR and on entities that are thought to be materially helping Russian intelligence services carry out their missions.

Impact of Sanctions

The sanctions prohibit US financial firms from participating in Russian markets. They also freeze all US-based property and interests in property belonging to the entities on the Treasury Department sanctions list. All US-based assets that are more than 50% owned by entities on the new sanctions list have also been frozen.

The sanctions are likely going to create some uncertainty and disruption for US organizations currently using technologies from entities on the new sanctions list. "As nation-state tension spills over into the private sector, there may be organizations caught flat-footed by the reality that they are participating with or without their consent in a broader narrative of competing national interests," says Tim Wade, technical director and CTO at Vectra.

In the immediate term, affected organizations are likely going to have to source new technologies and capabilities, he says. "In the longer term, supplier security itself as a discipline will need to expand its purview of risk to include the collateral damages inflicted by rising national tensions in the cyber domain," Wade says.

Meanwhile, in a statement Friday, Positive Technologies said the Treasury Department's accusations against it are "groundless" and backed by no evidence of any wrongdoing on its part. The security vendor, which provides a range of penetration testing, security assessment, and other services, described itself as a well-regarded company that has always operated within industry norms and standards. "We truly think that geopolitics should not be a barrier to the technological development of society and we will continue to do what we do best—to protect and ensure cybersecurity around the world," the company said.

The US government's action Thursday finally has attached a name to the shadowy entity behind the SolarWinds attack, which numerous security experts have described as one of the most sophisticated malicious cyber operations ever. However, because of how notoriously hard attack attribution can be, some questions are bound to remain about the data that led US intelligence to SVR.

"The attribution of the SolarWinds supply chain attack campaign to a state-sponsored Russian cyber-espionage group is credible, as the high levels of sophistication, tradecraft, and stealth in that campaign were consistent with that of such Russian groups," Paul Prudhomme, cyber threat analyst at IntSights, said in a statement. "It nonetheless remains unclear what specific data points enabled the attribution."

Joseph Carson, chief security scientist and advisory CISO at ThycoticCentrify, says the fact that the US government is holding Russia accountable should come as no surprise, but more information is needed around the attribution. "The more we learn about the attribution, the more concrete accountability and action can be taken," he says.

Meanwhile, today's joint advisory from the FBI, NSA, and CISA warned organizations to be on alert for exploitation of five specific vulnerabilities in products from five vendors. According to the agencies, attackers are actively targeting CVE-2018-13379 in Fortinet's FortiGate VPN; CVE-2019-11510, affecting Pulse Secure's Pulse Connect Secure VPN; CVE-2019-19781 in Citrix Application Delivery Controller and Gateway; CVE-2020-4006 in VMware Workspace ONE Access; and CVE-2019-9670 in Synacor Zimbra Collaboration Suite.

Pulse Secure said it issued a fix in April 2019 for the vulnerability (CVE-2019-11510) identified in the joint advisory. "The NSA has identified an old issue that was patched on legacy Pulse Secure deployments in April 2019," a spokeswoman said in an emailed statement. "Customers who followed the instructions in a Pulse Secure security advisory issued at that time have properly protected their systems and mitigated the threat."

Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year ...
