There is now an officially named culprit behind the SolarWinds supply chain cyberattack that affected thousands of organizations: Russia.
In a statement from The White House, the Biden Administration clearly puts Russia at fault for the attack and announces new sanctions which seek to impose costs on the country for actions by its government and intelligence services against U.S. sovereignty and interests.
And the administration also names Russia as the actor behind other documented attacks on IT and cybersecurity tools.
Official attribution of the SolarWinds supply chain attack
Let's start with the attribution details. Here is exactly what the White House said as it called out Russia as the nation-state behind the SolarWinds cyberattack:
"Today the United States is formally naming the Russian Foreign Intelligence Service (SVR), also known as APT 29, Cozy Bear, and The Dukes, as the perpetrator of the broad-scope cyber espionage campaign that exploited the SolarWinds Orion platform and other information technology infrastructures. The U.S. Intelligence Community has high confidence in its assessment of attribution to the SVR.
The SVR's compromise of the SolarWinds software supply chain gave it the ability to spy on or potentially disrupt more than 16,000 computer systems worldwide. The scope of this compromise is a national security and public safety concern. Moreover, it places an undue burden on the mostly private sector victims who must bear the unusually high cost of mitigating this incident."
The statement continues on to mention how the attribution of SVR's work goes well beyond the scope of the SolarWinds attack.
"Today, the National Security Agency, the Cybersecurity & Infrastructure Security Agency, and the Federal Bureau of Investigation are jointly issuing a cybersecurity advisory, 'Russian SVR Targets U.S. and Allied Networks,' that provides specific details on software vulnerabilities that the SVR uses to gain access to victim devices and networks. The advisory also provides specific steps that network defenders can take to identify and defend against the SVR's malicious cyber activity.
Additionally, the SVR's compromise of SolarWinds and other companies highlights the risks posed by Russia's efforts to target companies worldwide through supply chain exploitation. Those efforts should serve as a warning about the risks of using information and communications technology and services (ICTS) supplied by companies that operate or store user data in Russia or rely on software development or remote technical support by personnel in Russia. The U.S. government is evaluating whether to take action under Executive Order 13873 to better protect our ICTS supply chain from further exploitation by Russia."
Specifically, SVR actors are targeting and exploiting the following vulnerabilities in IT and technology tools, including VPNs and gateways:
- CVE-2018-13379: Fortinet FortiGate VPN
- CVE-2019-9670: Synacor Zimbra Collaboration Suite
- CVE-2019-11510: Pulse Secure Pulse Connect Secure VPN
- CVE-2019-19781: Citrix Application Delivery Controller and Gateway
- CVE-2020-4006: VMware Workspace ONE Access
Biden administration sanctions Russia for cyberattacks on U.S.
On April 15th, President Biden signed a new sanctions executive order "that provides strengthened authorities to demonstrate the Administration's resolve in responding to and deterring the full scope of Russia's harmful foreign activities."
This includes a laundry list of "wrongs" against the West, both cyber and physical. The White House lists the following:
- "Efforts to undermine the conduct of free and fair democratic elections and democratic institutions in the United States and its allies and partners."
- "Engage in and facilitate malicious cyber activities against the United States and its allies and partners."
- "Foster and use transnational corruption to influence foreign governments."
- "Pursue extraterritorial activities targeting dissidents or journalists."
- "Undermine security in countries and regions important to United States national security."
- "Violate well-established principles of international law, including respect for the territorial integrity of states."
White House blames Russia for 2020 election interference attempts
In addition to the alleged wrongs above, the U.S. says it is sanctioning 32 entities and individuals who carried out Russian government-directed attempts to influence the 2020 U.S. presidential election and committed other acts of disinformation and interference.
Also, the U.S. has expelled ten personnel from the Russian diplomatic mission in Washington D.C. The personnel include representatives from Russian intelligence services.
U.S. pushing for 'cyber norms'
While interviewing international cybersecurity experts at SecureWorld conferences, we've often heard there is something significant lacking in cyberspace that exists in the physical realm of combat: accepted rules or norms. There is no cyber-related Geneva Convention, for example.
In this week's statement by the White House, administration officials say they are working on a solution:
- "The United States continues to strongly affirm the importance of an open, interoperable, secure, and reliable Internet. Russia's actions run counter to that goal, which is shared by many of our allies and partners."
- "We are providing a first-of-its-kind course for policymakers worldwide on the policy and technical aspects of publicly attributing cyber incidents, which will be inaugurated this year at the George C. Marshall Center in Garmisch, Germany. We are also bolstering our efforts through the Marshall Center to provide training to foreign ministry lawyers and policymakers on the applicability of international law to state behavior in cyberspace and the non-binding peacetime norms that were negotiated in the United Nations and endorsed by the UN General Assembly."
- "Second, we are reinforcing our commitment to collective security in cyberspace. The Department of Defense is taking steps to incorporate additional allies, including the UK, France, Denmark, and Estonia, into the planning for CYBER FLAG 21-1, which is an exercise designed to improve our defensive capabilities and resiliency in cyberspace."
For more information on SolarWinds, Russia, and the sanctions, you can read the statement from the White House here.