The SolarWinds supply-chain attack, which gave hackers access to up to 18,000 government bodies and Fortune 500 corporations and exposed at least nine federal agencies and more than 100 companies, is being officially blamed on the Russian government by the United States government.
The cyber espionage activities using the SolarWinds Orion platform were attributed by the White House to the sophisticated hacker collective Cozy Bear.
The White House officially blames the SVR for conducting “the broad-scope cyber-espionage campaign” through its hacking unit, which is also known as APT29, The Dukes, or Cozy Bear. The press release confirms what media reports had previously claimed: that the Russian Foreign Intelligence Service was behind the SolarWinds hack.
The Russian Foreign Intelligence Service (SVR), also known as APT29, Cozy Bear, and The Dukes, is today officially identified by the United States as the instigator of the extensive cyber espionage operation that targeted the SolarWinds Orion platform and other information technology infrastructure. The U.S. Intelligence Community has high confidence in its attribution to the SVR.
The SVR had access to more than 16,000 computers worldwide, but chose to target only a small number of them, including state and federal organizations in the United States as well as cybersecurity-related businesses (FireEye, Malwarebytes, and Mimecast).
The extent of this compromise poses a threat to both public safety and national security. Furthermore, it unfairly burdens the victims, who are primarily in the private sector and must bear the abnormally high cost of mitigating this disaster.
To ensure that organizations take the necessary steps to identify and defend against malicious activity carried out by the SVR, the U.S. National Security Agency (NSA), the Cybersecurity and Infrastructure Security Agency (CISA), and the Federal Bureau of Investigation (FBI) are issuing warnings about the top five vulnerabilities the SVR is exploiting in attacks against U.S. interests.
In response, the Treasury Department imposed sanctions on several Russian technology companies for their involvement in the SolarWinds incident. President Biden today issued an executive order on blocking property with respect to harmful activities of the Government of the Russian Federation.
The Office of Foreign Assets Control (OFAC) will require a special license before allowing U.S. businesses and financial institutions to conduct business with the sanctioned companies.
The Russian Ministry of Defense funds and manages ERA Technopolis, a research facility and technology park that houses and supports the Main Intelligence Directorate of Russia (GRU), which is in charge of offensive cyber and information operations.
Pasit is a Russian IT company known for conducting research and development in support of the malicious cyber operations of Russia’s Foreign Intelligence Service (SVR).
SVA is a Russian state-owned research facility focused on advanced information security solutions.
Neobit is an IT security company based in Russia. Its clientele includes the Russian Ministry of Defense, the SVR, and the Federal Security Service of Russia (FSB).
AST is a Russian IT security company that provides technical assistance to the cyber operations of the FSB, GRU, and SVR. Its clients also include the Russian Ministry of Defense.
Positive Technologies is a Russian IT security company that supports Russian government clients, including the FSB, in addition to offering computer network security solutions to Russian businesses, foreign governments, and international organizations. It also organizes sizable conventions that serve as FSB and GRU recruitment fairs.
U.S. firms and financial institutions are no longer permitted to conduct business with the companies named above without first requesting and receiving a license from the Office of Foreign Assets Control (OFAC).