The Biden administration has attributed the massive SolarWinds cyberattack to Russian intelligence, pointing the finger specifically at the Foreign Intelligence Service of the Russian Federation (also known as the SVR), as the United States leveled new sanctions against Russia in response to a host of malign activities it said were carried out by the Kremlin.
“Today, we announced actions to hold the Russian Government to account for the SolarWinds intrusion, reports of bounties on U.S. soldiers in Afghanistan, and attempts to interfere in the 2020 U.S. elections,” Secretary of State Antony Blinken said, adding that “the U.S. Department of the Treasury is announcing sanctions against entities and individuals involved in election interference and against companies that support the malign activities of the Russian intelligence services responsible for the SolarWinds intrusion and other recent cyber incidents.”
A fact sheet released by the White House said that the U.S. was “formally naming” the SVR (also known as Advanced Persistent Threat (APT) 29, Cozy Bear, and the Dukes) “as the perpetrator of the broad-scope cyber espionage campaign that exploited the SolarWinds Orion platform and other information technology infrastructures” and that the intelligence community “has high confidence in its assessment of attribution to the SVR.” The SVR, Russia’s external intelligence agency, is a successor to the First Main Directorate, which was a part of the KGB before the fall of the Soviet Union. The SVR is often considered a civilian spy agency, though it coordinates with Russian military intelligence too.
Former Secretary of State Mike Pompeo and former Attorney General William Barr both said in December they believed the cyber campaign was likely carried out by Russia. The Justice Department recently took action related to a separate massive hack of the Microsoft Exchange Server, which Microsoft says was conducted by Chinese state-based hackers, though the U.S. government has not attributed those cyber operations to China.
The White House said Thursday that the SVR’s compromise of the SolarWinds software supply chain was a “national security and public safety concern” and that the hack gave the SVR “the ability to spy on or potentially disrupt more than 16,000 computer systems worldwide.” The White House added that “those efforts should serve as a warning about the risks of using information and communications technology and services supplied by companies that operate or store user data in Russia.”
Anne Neuberger, the deputy national security adviser for cyber and emerging technology, said in February that at least nine federal agencies had been compromised, noting “the scale of potential access far exceeded the number of known compromises.” It is believed that the Justice Department, the State Department, the Treasury Department, the Energy Department, the Commerce Department, the National Institutes of Health, and the federal court system were all affected.
The Treasury Department said Thursday that the SVR’s SolarWinds intrusion “compromised thousands of U.S. government and private sector networks,” that victims of this hack “include the financial sector, critical infrastructure, government networks, and many others,” and that the cyberattack “will cost businesses and consumers in the United States and worldwide millions of dollars.”
A decade ago, the Justice Department announced the breakup of a Russian spy ring composed of agents inside the U.S. working for the SVR on “long-term” and “deep-cover” assignments. The Russian espionage effort was dubbed “The Illegals,” and the FBI’s investigation was called “Operation Ghost Stories.” Interestingly, the 2017 intelligence community assessment on Russian election meddling in the 2016 presidential race noted that “the illegals” had “reported to Moscow about the 2008 election.”
The bureau said that “our agents and analysts watched the deep-cover operatives as they established themselves in the U.S. (some by using stolen identities) and went about leading seemingly normal lives — getting married, buying homes, raising children, and assimilating into American society.” The arrested spies were sent back to Russia in exchange for Western agents. This SVR intelligence effort inside the U.S. inspired the hit TV show The Americans.
The SVR is also heavily involved in recruiting assets around the world, and a number of U.S. spies worked with the SVR, including Robert Hanssen, a 27-year veteran of the FBI who was arrested in 2001 after decades of passing classified information to the Russians and spent years coordinating with SVR handlers to provide them with U.S. secrets.
FireEye, a cybersecurity firm that works with government agencies, announced in early December that it had itself been hacked, and days later reported that a “highly evasive attacker” had compromised SolarWinds by inserting malicious code into Orion software updates. Microsoft President Brad Smith said in February that “certainly more than 1,000” engineers had likely worked on the SolarWinds hack.
The Treasury Department said the SVR stole “red team tools from a U.S. cybersecurity company” (likely referring to FireEye) and warned that “these tools, if made public or used offensively by the SVR or other actors, would create additional opportunities for malign actors to target computer systems worldwide.”
The new statement also noted that the U.S. believes the Federal Security Service (known as the FSB) was involved in the August 2020 poisoning of Russian dissident Alexei Navalny, and that the Main Intelligence Directorate, the GRU, assisted with the poisoning of Sergei Skripal in the United Kingdom in March 2018.
The Treasury Department designated six Russian companies “operating in the technology sector of the Russian Federation economy that support Russian Intelligence Service.” The U.S. said the companies provide support to the Russian intelligence cyber program.
The department sanctioned Pasit, a Russia-based information technology company, and the Federal State Autonomous Scientific Establishment Scientific Research Institute Specialized Security Computing Devices and Automation, which “conducted research and development in support” of the SVR’s cyber operations, as well as Neobit and Advanced System Technology, which assisted the SVR, the FSB, and the GRU. Sanctions were also leveled against ERA Technopolis, a research center operated by the Russian Ministry of Defense, and Positive Technologies, a Russian IT security firm that “supports Russian Government clients” and “hosts large-scale conventions that are used as recruiting events for the FSB and GRU.”
The Treasury Department also said the SVR, the FSB, and the GRU “play critical roles in propagating Russian disinformation online” and “operate a network of websites that obscure their Russian origin to appeal to Western audiences.” The FSB and the GRU were first designated for this in 2016, and the SVR now joins them. The department said the Strategic Culture Foundation, an online Russian journal, is directed by the SVR and “created false and unsubstantiated narratives concerning U.S. officials involved in the 2020 U.S. presidential election.”
The FBI, the National Security Agency, and the Cybersecurity and Infrastructure Security Agency also weighed in, jointly releasing an advisory to “highlight additional tactics, techniques, and procedures being used by SVR.”
Russian SVR activities include “compromising SolarWinds Orion software updates” and “targeting COVID-19 research facilities through deploying WellMess malware” (a campaign the agencies had publicly reported in July 2020), according to the trio of agencies, who said the SVR “has exploited — and continues to successfully exploit — software vulnerabilities to gain initial footholds into victim devices and networks.” The agencies assessed that U.S. government, critical infrastructure, and allied networks “are consistently scanned, targeted, and exploited by Russian state-sponsored cyber actors” and said SVR tactics included “exploiting public-facing applications, leveraging external remote services, compromising supply chains, using valid accounts, exploiting software for credential access, and forging web credentials.”
The SolarWinds hack hearkens back to Russia’s large-scale hacking of the State Department’s unclassified networks in 2014, an intrusion also attributed to the SVR-linked APT29. Actors affiliated with Russian military intelligence, the GRU, were separately named by the U.S. as responsible for the hacking of the Democratic National Committee’s email systems in 2016.