Attacks/Breaches

4/15/2021 04:25 PM

US Formally Attributes SolarWinds Attack to Russian Intelligence Agency

Treasury Department slaps sanctions on IT security firms that it says helped Russia's Foreign Intelligence Service carry out the attacks.

The Biden administration Thursday officially blamed Russia's Foreign Intelligence Service, SVR, for the cyberattack on SolarWinds and announced sanctions against a handful of IT security firms for helping enable that attack and other malicious cyber activities over the years.

Among the vendors put on the US Treasury Department sanctions list were Positive Technologies and some other relatively lesser-known IT security firms in the US, including Neobit, Advanced System Technology, and Pasit.


In a related announcement, the National Security Agency (NSA), FBI, and the Department of Homeland Security's Cybersecurity and Infrastructure Security Agency (CISA) today issued a joint advisory warning that the SVR is actively targeting widely deployed network and communication technologies on US networks from companies such as Fortinet, Pulse Secure, Citrix, and VMware.

The actions mark the first time the US government has formally named a Russian intelligence agency as the perpetrator of the SolarWinds attack and subsequent intrusions into other networks, including those belonging to government agencies, private firms, and security companies such as FireEye and Mimecast. The attacks have caused considerable concern about large-scale data theft, cyber espionage, and threat actors with persistent presence hidden deep on US networks. Previously, US intelligence and law enforcement agencies had described the attacks as being "most likely Russian in origin" but had stopped short of attributing it to any specific entity.

Kevin Mandia, CEO of FireEye, describes the sanctions as likely making things harder for Russian operators. "Unfortunately, we are unlikely to fully deter cyber espionage, and we will have to take serious action to better defend ourselves from inevitable future intrusions," he says in an emailed comment responding to this morning's announcement.

The sanctions that the Treasury Department announced today identified the SVR as one of three Russian intelligence services responsible for carrying out "some of the most dangerous and disruptive cyberattacks in recent history, including the SolarWinds attack."

The other two Russian intelligence services — the Federal Security Service (FSB) and Russia's Main Intelligence Directorate (GRU) — already have been hit with three previous sanctions actions. Two of them, in 2016 and 2018, were related to malicious cyber activity, including ransomware campaigns, deployment of NotPetya and Olympic Destroyer malware, attacks on the World Anti-Doping Agency, and numerous government and critical infrastructure systems in multiple countries. In March 2021, the GRU and FSB were sanctioned again, but this time in connection with activities related to proliferation of nuclear weapons and weapons of mass destruction.

The Treasury Department sanctions were imposed under a new executive order that President Biden signed Thursday. Biden's executive order is a response to what the White House described as ongoing efforts by the Russian government to undermine US democratic processes and to engage in a wide range of malicious cyber activities. It authorizes the Treasury Department to deploy "strategic and economically impactful" sanctions on the SVR and on entities that are thought to be materially helping Russian intelligence services carry out their missions.

Impact of Sanctions
The sanctions prohibit US financial firms from participating in Russian markets. They also freeze all US-based property and interests in property belonging to the entities on the Treasury Department sanctions list. All US-based assets that are more than 50% owned by entities on the new sanctions list have also been frozen.

The sanctions are likely going to create some uncertainty and disruption for US organizations currently using technologies from entities on the new sanctions list. "As nation-state tension spills over into the private sector, there may be organizations caught flat-footed by the reality that they are participating with or without their consent in a broader narrative of competing national interests," says Tim Wade, technical director and CTO at Vectra.

In the immediate term, affected organizations are likely going to have to source new technologies and capabilities, he says. "In the longer term, supplier security itself as a discipline will need to expand its purview of risk to include the collateral damages inflicted by rising national tensions in the cyber domain," Wade says.

Meanwhile, in a statement Friday, Positive Technologies said the Treasury Department's accusations against it are "groundless" and backed by no evidence of any wrongdoing on its part. The security vendor, which provides a range of penetration testing, security assessment, and other services, described itself as a well-regarded company that has always operated within industry norms and standards. "We truly think that geopolitics should not be a barrier to the technological development of society and we will continue to do what we do best—to protect and ensure cybersecurity around the world," the company said.

The US government's action Thursday finally has attached a name to the shadowy entity behind the SolarWinds attack, which numerous security experts have described as one of the most sophisticated malicious cyber operations ever. However, because of how notoriously hard attack attribution can be, some questions are bound to remain about the data that led US intelligence to SVR.

"The attribution of the SolarWinds supply chain attack campaign to a state-sponsored Russian cyber-espionage group is credible, as the high levels of sophistication, tradecraft, and stealth in that campaign were consistent with that of such Russian groups," Paul Prudhomme, cyber threat analyst at IntSights, said in a statement. "It nonetheless remains unclear what specific data points enabled the attribution."

Joseph Carson, chief security scientist and advisory CISO at ThycoticCentrify, says the fact that the US government is holding Russia accountable should come as no surprise, but more information is needed around the attribution. "The more we learn about the attribution, the more concrete accountability and action can be taken," he says.

Meanwhile, today's joint advisory from the FBI, NSA, and CISA warned organizations to be on alert for exploitation of five specific vulnerabilities in products from five vendors. According to the agencies, attackers are actively targeting CVE-2018-13379 in Fortinet's FortiGate VPN; CVE-2019-11510, affecting Pulse Secure Pulse Connect Secure VPN; CVE-2019-19781 in Citrix Application Delivery Controller and Gateway; CVE-2020-4006 in VMware Workspace ONE Access; and CVE-2019-9670 in Synacor Zimbra Collaboration Suite.

Pulse Secure said it issued a fix in April 2019 for the vulnerability (CVE-2019-11510) identified in the joint advisory. "The NSA has identified an old issue that was patched on legacy Pulse Secure deployments in April 2019," a spokeswoman said in an emailed statement. "Customers who followed the instructions in a Pulse Secure security advisory issued at that time have properly protected their systems and mitigated the threat."

Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year ...