The Biden administration on Thursday publicly attributed a cyber espionage campaign to the Russian Foreign Intelligence Service (SVR) that was first disclosed last December by a U.S. cybersecurity firm and the administration also announced sanctions against six companies in Russia's technology sector.
The attribution to the SVR, which is also known as APT 29, Cozy Bear, and The Dukes, is the first time the U.S. government has been specific about identifying the Russian government, and specifically the SVR, as the perpetrators of what is commonly called the SolarWinds attack. In early January, the U.S. intelligence community said the hack was "likely Russian in origin" and earlier this week it released its annual threat assessment called it "A Russian software supply chain operation."
The administration said the intelligence community "has high confidence" in attributing the attack to the SVR.
In addition to outing the SVR, the administration identified six Russian companies–some private and some state-owned, that the U.S. Treasury Department said provide expertise, tools and infrastructure to the SVR and other Russian intelligence services and help with "facilitating malicious cyber activities."
The White House, in a fact sheet announcing a broader set of sanctions against the Russian government and entities for the SolarWinds hack and much more, warned about doing business with information technology companies and personnel in Russian or that work with Russia.
The SVR's "efforts should serve as a warning about the risks of using information and communications technology and services (ICTS) supplied by companies that operate or store user data in Russia or rely on software development or remote technical support by personnel in Russia," the fact sheet says.
The six Russian companies designated by the Treasury Department are ERA Technopolis, a research center and technology park operated by the Ministry of Defense, Pasit, AO, an IT company that does research and development in support of the SVR's "malicious cyber operations," the Federal State Autonomous Scientific Establishment Scientific Research Institute Specialize Security Computing Devices and Automation, or SVA, which is a state-owned research organization that does work in information security and also added the SVR's cyber operations, Neobit, OOO, another IT security firm that includes Russia's Defense and intelligence services as its customers and also supports their cyber operations, Advanced Technology, AO, an IT firm that also supports cyber operations, and Positive Technologies, an IT firm that also support the Russian government and helps with recruiting events for the intelligence services.
SolarWinds Inc. [SWI] is based in Texas and provides network management software. The SVR was able to implant malicious code into software updates the company developed that were used in routine patching made available to its customers. The hack was first discovered by the U.S. company FireEye [FEYE] last December, who discovered that its own threat hunting tools had been stolen in the breach, and quickly notified the U.S. government, its customers and the larger public.
Media reports previously have sited cyber security officials blaming the SVR for the hack.
"This is a positive, welcome step towards adding more friction to Russian operations," Kevin Mandia, FireEye's CEO, said in a statement on Thursday. "Simply naming the SVR, as well as the corporations that support it will inform our defense. Unfortunately, we are unlikely to fully deter cyber espionage and we will have to take serious action to better defense ourselves from inevitable future intrusions."
President Joe Biden also issued an executive order outlining a range of sanctions the U.S. is taking, and might take, related to the SolarWinds hack as well as Russian interference in the 2020 U.S. elections, and attempts to destabilize the U.S. and its partners and allies among other nefarious activities. The administration's actions received strong bipartisan support in Congress.
Rep. Michael McCaul (R-Texas), ranking member on the House Foreign Affairs Committee, backed the sanctions but also said more needs to be done "to establish a credible deterrent." He called again for the administration to make further sanctions related to Russia's Nord Stream 2 pipeline project, a subsea natural gas line from Russia to Germany, saying such a move would impose "real costs on the Putin regime's efforts to undermined U.S. democratic institutions and weaken our allies and partners."
Senior administration officials on a background call with media did not discuss a potential cyber deterrence policy or strategy to prevent future cyberattacks and other unacceptable activities by Russia. One official said that in addition to the executive order and sanctions, "unseen" responses are also being taken.
While cyber espionage isn't anything new, the administration has been concerned that the latest compromise also had the potential for disruptive attacks and caused an undue economic burden on the private sector.
The SolarWinds hack ended up compromising nine federal agencies and departments and about 100 private sector entities. The White House said the compromise gave the SVR the ability to ultimately "spy on or potentially disrupt more than 16,000 computer systems worldwide," disruption that could easily be used to rapidly trigger public safety and health consequences.
"And finally, the hack placed an undue burden on the mostly private-sector victims who must bear the unusually high costs of mitigating this incident," one senior official said.
The official also said that the U.S. remains committed to "an open, interoperable, secure, and reliable internet," highlighting that Russia's activity "runs counter to that goal."
In support of a global approach to cybersecurity, the White House announced two actions one being the promotion of a framework for responsible norms in cyberspace and the need for cooperation with allies and partners "to counter malign activities." Toward this end, the administration is "providing a first-of-its-kind course for policymakers worldwide" on attributing cyber incidents, and providing training to "foreign ministry lawyers and policymakers" on applying international law to state behavior in cyberspace," the White House says.
The second step is strengthening the commitment to cooperating on security in cyberspace. The fact sheet says a cybersecurity exercise this year by the Defense Departments will include additional allies, the United Kingdom, France, Denmark and Estonia. These countries will participate in the planning of CYBER FLAG 21-1, which "will build a community of defensive cyber operators and improve overall capability of the United States and allies to identify, synchronize, and response in unison against simulated malicious cyberspace activities targeting our critical infrastructure and key resources," the White House says.