US officials on Thursday formally blamed Russia for supporting one of the worst spy hacks in recent US history and imposed sanctions to penalize those and other recent actions.
In a joint advisory, the National Security Agency, FBI and Cybersecurity and Infrastructure Security Agency said Russia’s Foreign Intelligence Service, abbreviated as the SVR, carried out the supply chain attack on customers of SolarWinds, the Austin, Texas-based maker of network management software.
The operation infected SolarWinds’ software build and distribution system, using it to push backdoored updates to approximately 18,000 customers. The hackers then sent follow-up payloads to about 10 US federal agencies and about 100 private organizations. In addition to attacking SolarWinds’ supply chain, the hackers also used password guessing and other techniques to breach networks.
After the massive operation came to light, Microsoft president Brad Smith called it an “act of recklessness.” Speaking to reporters on Thursday, NSA Director of Cybersecurity Rob Joyce reiterated the assessment that the operation went beyond established standards for government espionage.
“We’ve definitely observed espionage,” Joyce said. “But what’s worrying is that from that platform, because of the wide scale of access availability that they’ve achieved, there’s the opportunity to do other things, and that’s something that we can’t tolerate and that’s why the US government charges and pushes them back on these activities.”
Thursday’s joint advisory said the SVR-backed hackers are behind other recent campaigns targeting COVID-19 research facilities, both by infecting them with malware known as WellMess and WellMail, and by exploiting a critical vulnerability in VMware software.
The advisory went on to say that Russian intelligence is continuing its campaign, in part by targeting networks that have yet to patch one of the following five critical vulnerabilities. Including the VMware flaw, they are:
- CVE-2018-13379 Fortinet FortiGate VPN
- CVE-2019-9670 Synacor Zimbra Collaboration Suite
- CVE-2019-11510 Pulse Secure Pulse Connect Secure VPN
- CVE-2019-19781 Citrix Application Delivery Controller and Gateway
- CVE-2020-4006 VMware Workspace ONE Access
The advisory said mitigating these vulnerabilities is critical because US and allied networks are continuously scanned, targeted and exploited by Russian state-sponsored cyber actors. It went on to say that the “NSA, CISA and FBI strongly encourage all cybersecurity stakeholders to monitor their networks for indicators of compromise regarding all five vulnerabilities and the techniques outlined in the advisory, and to urgently implement the corresponding solutions.”
A representative from VPN provider Pulse Secure noted that patches for CVE-2019-11510 were released in April 2019. “Customers who followed the instructions in a Pulse Secure security advisory released at the time have protected their systems well and mitigated the threat.” Fortinet has also pointed out in recent weeks that it patched CVE-2018-13379 in May 2019. The makers of the other affected hardware and software have also released fixes.
The US Treasury Department, meanwhile, has imposed sanctions in retaliation for what it said were “aggressive and harmful activities by the government of the Russian Federation”. The measures include new bans on Russian sovereign debt and sanctions against six Russia-based companies that, according to the Treasury Department, “support Russian intelligence’s efforts to conduct malicious cyber activities against the United States.”
The companies are:
- ERA Technopolis, a research center operated by the Russian Ministry of Defense for transferring the personnel and expertise of the Russian technology sector to the development of technologies used by the country’s military. ERA Technopolis supports Russia’s Main Intelligence Directorate (GRU), an agency responsible for offensive cyber and information operations.
- Pasit, a Russia-based information technology company that has conducted research and development in support of malicious cyber operations by the SVR.
- SVA, a Russian state research institute specializing in advanced information security systems in that country. SVA has conducted research and development in support of the SVR’s malicious cyber operations.
- Neobit, a Saint Petersburg, Russia-based IT security company, whose customers are the Russian Ministry of Defense, SVR and the Russian Federal Security Service. Neobit conducted research and development in support of the cyber operations of the FSB, GRU and SVR.
- AST, a Russian IT security company whose customers are the Russian Ministry of Defense, SVR and FSB. AST provided technical support to cyber operations conducted by the FSB, GRU and SVR.
- Positive Technologies, a Russian IT security company that supports customers of the Russian government, including the FSB. Positive Technologies provides computer network security solutions to Russian companies, foreign governments and international companies and organizes recruitment events for the FSB and GRU.
“The reason they were called up is because they are an integral part and participant of the operation that the SVR runs,” Joyce said of the six companies. “Our hope is that by denying the SVR the support of those companies, we will have an impact on their ability to project some of this malicious activity around the world and especially in the US.”
Russian government officials have steadfastly denied any involvement in the SolarWinds campaign.
In addition to attributing the SolarWinds campaign to the Russian government, Thursday’s release from the Treasury Department also said the SVR was behind the August 2020 poisoning of Russian opposition leader Aleksey Navalny with a chemical weapon, attacks on Russian journalists and others openly criticizing the Kremlin, and the theft of “red team tools,” which use exploits and other attack tools to mimic cyber-attacks.
The reference to “red team tools” likely had to do with the offensive tools of FireEye, the security firm that first identified the SolarWinds campaign after it discovered its own network had been breached. The Treasury Department went on to say that the Russian government is “cultivating and co-opting criminal hackers” to target US organizations. One group, known as Evil Corp, was sanctioned in 2019. That same year, federal prosecutors indicted Evil Corp leader Maksim V. Yakubets and offered a $5 million bounty for information leading to his arrest or conviction.
Though overshadowed by the sanctions and formal attribution to Russia, the main conclusion of Thursday’s announcements is that the SVR campaign remains ongoing and currently uses the exploits mentioned above. Researchers said on Thursday that they see Internet scans intended to identify servers that have yet to patch the Fortinet vulnerability, which the company fixed in 2019. Scanning for the other vulnerabilities is likely underway as well.
People who manage networks, especially those who have yet to patch one of the five vulnerabilities, should read the latest CISA warning, which provides extensive technical details about the ongoing hacking campaign and ways to detect and mitigate compromises.