The U.S. and U.K. on Thursday formally attributed the supply chain attack of IT infrastructure management company SolarWinds with “high confidence” to government operatives working for Russia’s Foreign Intelligence Service (SVR).
“Russia’s pattern of malign behaviour around the world – whether in cyberspace, in election interference or in the aggressive operations of their intelligence services – demonstrates that Russia remains the most acute threat to the U.K.’s national and collective security,” the U.K. government said in a statement.
To that effect, the U.S. Department of the Treasury has imposed sweeping sanctions against Russia for “undermining the conduct of free and fair elections and democratic institutions” in the U.S. and for its role in facilitating the sprawling SolarWinds hack, while also barring six technology companies in the country that provide support to the cyber program run by Russian Intelligence Services.
The companies include ERA Technopolis, Pasit, Federal State Autonomous Scientific Establishment Scientific Research Institute Specialized Security Computing Devices and Automation (SVA), Neobit, Advanced System Technology, and Pozitiv Teknolodzhiz (Positive Technologies), the last three of which are IT security firms whose customers are said to include the Russian Ministry of Defense, SVR, and Russia’s Federal Security Service (FSB).
In addition, the Biden administration is also expelling ten members of Russia’s diplomatic mission in Washington, D.C., including representatives of its intelligence services.
“The scope and scale of this compromise combined with Russia’s history of carrying out reckless and disruptive cyber operations makes it a national security concern,” the Treasury Department said. “The SVR has put at risk the global technology supply chain by allowing malware to be installed on the machines of tens of thousands of SolarWinds’ customers.”
For its part, Moscow had previously denied involvement in the broad-scope SolarWinds campaign, stating “it does not conduct offensive operations in the cyber domain.”
The intrusions came to light in December 2020 when FireEye and other cybersecurity firms revealed that the operators behind the espionage campaign managed to compromise the software build and code signing infrastructure of SolarWinds Orion platform as early as October 2019 to deliver the Sunburst backdoor with the goal of gathering sensitive information.
Up to 18,000 SolarWinds customers are believed to have received the trojanized Orion update, although the attackers carefully selected their targets, opting to escalate the attacks only in a handful of cases by deploying Teardrop malware based on an initial reconnaissance of the target environment for high-value accounts and assets.
The adversary’s compromise of the SolarWinds software supply chain is said to have given it the ability to remotely spy or potentially disrupt more than 16,000 computer systems worldwide, according to the executive order issued by the U.S. government.
Besides infiltrating the networks of Microsoft, FireEye, Malwarebytes, and Mimecast, the attackers are also said to have used SolarWinds as a stepping stone to breaching several U.S. agencies such as the National Aeronautics and Space Administration (NASA), the Federal Aviation Administration (FAA), and the Departments of State, Justice, Commerce, Homeland Security, Energy, Treasury, and the National Institutes of Health.
The SVR actor is also known by other names such as APT29, Cozy Bear, and The Dukes, with the threat group being tracked under different monikers, including UNC2452 (FireEye), SolarStorm (Palo Alto Unit 42), StellarParticle (CrowdStrike), Dark Halo (Volexity), and Nobelium (Microsoft).
Furthermore, the National Security Agency (NSA), the Cybersecurity and Infrastructure Security Agency (CISA), and the Federal Bureau of Investigation (FBI) have jointly released an advisory, warning businesses of active exploitation of five publicly known vulnerabilities by APT29 to gain initial footholds into victim devices and networks —
- CVE-2018-13379 – Fortinet FortiGate VPN
- CVE-2019-9670 – Synacor Zimbra Collaboration Suite
- CVE-2019-11510 – Pulse Secure Pulse Connect Secure VPN
- CVE-2019-19781 – Citrix Application Delivery Controller and Gateway
- CVE-2020-4006 – VMware Workspace ONE Access
In a statement shared with The Hacker News, Pulse Secure said the issue identified by the NSA concerns a flaw that was patched on legacy deployments in April 2019, and that “customers who followed the instructions in a Pulse Secure security advisory issued at that time have properly protected their systems and mitigated the threat.”
“We see what Russia is doing to undermine our democracies,” said U.K. Foreign Secretary Dominic Raab. “The U.K. and U.S. are calling out Russia’s malicious behaviour, to enable our international partners and businesses at home to better defend and prepare themselves against this kind of action.”