The U.S. Dept of Treasury has imposed sweeping sanctions against Russia for “undermining the conduct of free and fair elections and democratic institutions”
It is the ultimate cyber espionage tale for the modern day: the biggest modern-day cyber security incident having potentially been the doing of a foreign power. And yet, for its Bond-esque connotations, the truth is that some level of foreign involvement was most likely in the Solarwinds attack that took place late last year.
The United States and United Kingdom last week formally attributed the supply chain attack of IT infrastructure management company SolarWinds with “high confidence” to government operatives working for Russia’s Foreign Intelligence Service (SVR).
The U.K. government said in a statement that
Russia’s pattern of malign behaviour around the world – whether in cyberspace, in election interference or in the aggressive operations of their intelligence services – demonstrates that Russia remains the most acute threat to the U.K.’s national and collective security
The U.S. Department of the Treasury has imposed sweeping sanctions against Russia for “undermining the conduct of free and fair elections and democratic institutions” in the U.S. and for its role in facilitating the sprawling SolarWinds hack, while also barring 6 technology companies in the country that provide support to the cyber program run by Russian Intelligence Services.
The companies include:
- ERA Technopolis
- Federal State Autonomous Scientific Establishment Scientific Research Institute Specialized Security Computing Devices and Automation (SVA)
- Advanced System Technology
- Pozitiv Teknolodzhiz (Positive Technologies).
The last three of these are IT security firms whose customers are said to include important Russian ministries including the Russian Ministry of Defense, SVR and the Federal Security Service (FSB).
In addition, the Biden administration is also expelling ten members of Russia’s diplomatic mission in Washington, D.C., including representatives of its intelligence services.
“The scope and scale of this compromise combined with Russia’s history of carrying out reckless and disruptive cyber operations makes it a national security concern,” the Treasury Department said. “The SVR has put at risk the global technology supply chain by allowing malware to be installed on the machines of tens of thousands of SolarWinds’ customers.”
For its part, Moscow previously denied involvement in the SolarWinds campaign, stating “it does not conduct offensive operations in the cyber domain.”
The intrusions came to light in December 2020 when FireEye and other cybersecurity firms revealed that the operators behind the espionage campaign managed to compromise the software build and code signing infrastructure of SolarWinds Orion platform as early as October 2019 to deliver the Sunburst backdoor with the goal of gathering sensitive information.
Up to 18,000 SolarWinds customers are believed to have received the trojanized Orion update, although the attackers carefully selected their targets, opting to escalate the attacks only in a handful of cases by deploying Teardrop malware based on an initial reconnaissance of the target environment for high-value accounts and assets.
The threat actors’ compromise of the SolarWinds software supply chain is said to have given it the ability to remotely spy or potentially disrupt more than 16,000 computer systems worldwide, according to the executive order issued by the U.S. government.
Besides infiltrating the networks of Microsoft, FireEye, Malwarebytes, and Mimecast, attackers are also said to have used SolarWinds as a stepping stone to breaching several U.S. agencies such as the National Aeronautics and Space Administration (NASA), the Federal Aviation Administration (FAA), and the Departments of State, Justice, Commerce, Homeland Security, Energy, Treasury, and the National Institutes of Health.
U.K. Foreign Secretary Dominic Raab said:
We see what Russia is doing to undermine our democracies. The U.K. and U.S. are calling out Russia’s malicious behaviour, to enable our international partners and businesses at home to better defend and prepare themselves against this kind of action.