UPDATED: Adds information on CISA-CNMF malware analysis, NSA-CISA-FBI joint advisory, and comments from James Lewis and Herbert Lin. 

WASHINGTON: The US government today formally attributed the SolarWinds cyberespionage campaign to the Russian Foreign Intelligence Service (SVR). The Intelligence Community has “high confidence” in this assessment, the White House statement says, and President Biden signed an Executive Order imposing economic sanctions and other actions on Russia.

The EO comes on the same day CISA and the DoD Cyber National Mission Force (CNMF) released analysis of SolarWinds-related malware.

Additionally, the NSA, CISA, and FBI today issued a joint advisory warning of ongoing SVR exploitation of five known vulnerabilities in commonly used products. These include Fortinet FortiGate VPN, Synacor Zimbra Collaboration Suite, Pulse Secure Pulse Connect Secure VPN, Citrix Application Delivery Controller and Gateway, and VMware Workspace ONE Access.

Today’s White House EO:

  • Prohibits U.S. financial institutions from participating in the primary market for ruble and non-ruble denominated bonds issued after June 14, as well as lending ruble or non-ruble denominated funds through certain Russian financial institutions.
  • Designates six Russian Federation technology companies that support SVR’s cyber operations.
  • Sanctions 32 entities and individuals carrying out Russian government-directed attempts to influence the 2020 U.S. presidential election, and other acts of disinformation and interference.
  • Expels 10 Russian diplomatic personnel, some of whom have been identified as officers of Russian intelligence services, from the Russian diplomatic mission in Washington, DC.

The US is also taking other actions through “diplomatic, military, and intelligence channels” based on the Intelligence Community’s assessment that Russia placed bounties on US and coalition personnel in Afghanistan.

“This E.O. sends a signal that the United States will impose costs in a strategic and economically impactful manner on Russia if it continues or escalates its destabilizing international actions,” the White House said in a prepared statement.

The EO also includes steps to strengthen US and allied cyber defense. The US is reinforcing its support for a framework of cyberspace norms. This includes “providing a first-of-its-kind course for policymakers worldwide on the policy and technical aspects of publicly attributing cyber incidents, which will be inaugurated this year at the George C. Marshall Center in Garmisch, Germany. We are also bolstering our efforts through the Marshall Center to provide training to foreign ministry lawyers and policymakers on the applicability of international law to state behavior in cyberspace and the non-binding peacetime norms that were negotiated in the United Nations and endorsed by the UN General Assembly.”

In addition, the Pentagon is expanding cyber cooperation with allies to include the UK, France, Denmark, and Estonia. This will entail their participation in CYBER FLAG 21-1, an exercise designed to improve defensive capabilities and resiliency in cyberspace. “CYBER FLAG 21-1 will build a community of defensive cyber operators and improve overall capability of the United States and allies to identify, synchronize, and respond in unison against simulated malicious cyberspace activities targeting our critical infrastructure and key resources,” the White House says.

“It’s the first part of two US actions — the second EO looks at supply chain security, so both pieces are a good start,” James Lewis, senior vice president and top cyber expert at the Center for Strategic & International Studies, told Breaking Defense. “Let’s see how the Russians react. They tend to shrug off sanctions.”

Herbert Lin, senior research scholar and Hank Holland Fellow at Stanford University, told Breaking Defense, “We don’t know what’s being done in secret, but publicly anyway, I predicted this outcome [that is, only economic and diplomatic sanctions] in January. The diplomatic and economic steps taken may indeed be painful to the Russians. But will it make them more reticent about conducting such operations in the future? Just more determined to conduct them and do it more secretly with less chance of being discovered? Or less likely to cooperate on things like keeping their forces out of Ukraine? That is, can we separate cyber from other things that they do that we don’t like?”

“We live in interesting times,” Lin added.

The SolarWinds cyber campaign is named after Texas-based IT company SolarWinds Inc., whose software was originally compromised in March 2020 before being deployed to thousands of customers, in turn compromising them. The campaign came to public light in December 2020, when security company FireEye disclosed it had been breached as a stage two victim.

The cyberespionage campaign has been characterized as one of the largest known against the U.S. government and companies to date. At least nine federal agencies and 100 companies have said they were stage two victims. No fewer than 16,000 entities were affected.

The formal attribution and a response have been expected for months.

In a Feb. 23 Senate Intelligence Committee hearing, FireEye CEO Kevin Mandia and Microsoft President Brad Smith, whose company was also a stage two victim, were firm in their convictions that Russian intelligence was behind the hack, based on the forensic evidence gathered as well as years of experience investigating breaches.

This was a campaign that required governmental resources and scale. Smith said Microsoft’s security team estimated “at least 1,000 engineers” were involved. Mandia noted that the significant time devoted to this campaign, the cyberespionage motive, and the stage one hack’s “unique” attack vector — modifying the software build process rather than the source code — indicated a highly skilled and well-resourced threat actor.