The US government strikes back in the Kremlin for the SolarWinds hack campaign


Matt Anderson Photography / Getty Images

US officials on Thursday officially accused Russia of facilitating one of the worst espionage hacks in recent US history, and imposed sanctions to impose penalties for this and other recent actions.

In a joint report, the National Security Agency, the FBI and the Agency for Cybersecurity and Information Security announced that the Russian Foreign Intelligence Service, abbreviated as SVR, carried out the supply chain attack on customers of the Austin, Texas network management software, SolarWinds.

The process infected SolarWinds’ software build and distribution system and used it to route backdoor updates to approximately 18,000 customers. The hackers then sent user data to around 10 US federal agencies and around 100 private organizations. In addition to attacking SolarWinds’ supply chain, the hackers also used password guessing and other techniques to break networks.

After the massive operation came to light, Microsoft President Brad Smith called it an “act of ruthlessness.” In a call with reporters Thursday, Rob Joyce, director of cybersecurity for the NSA, reiterated his assessment that the operation went beyond established government espionage norms.

“We saw absolute espionage,” said Joyce. “But what is concerned, from this platform, from the wide availability of access that they have achieved, there is the ability to do other things and we cannot tolerate that, and so the US government bears a cost on and.” pushes back on these activities. “

Thursday’s joint recommendation said the SVR-backed hackers are behind other recent campaigns targeting COVID-19 research institutions by infecting them with both WellMess and WellMail malware and identifying a critical vulnerability in VMware Exploit software.

The report goes on to say that Russian intelligence is continuing its campaign, including by targeting networks that have not yet fixed any of the five critical vulnerabilities below. Including the VMware bug, these are:


  • CVE-2018-13379 Fortinet FortiGate VPN
  • CVE-2019-9670 Synacor Zimbra Collaboration Suite
  • CVE-2019-11510 Pulse Secure Pulse Connect Secure VPN
  • CVE-2019-19781 Citrix Application Delivery Controller and Gateway
  • CVE-2020-4006 VMware Workspace ONE access

“Mitigating these security loopholes is of crucial importance as US and allied networks are constantly being scanned, targeted and exploited by state-sponsored Russian cyber actors,” the report said. The NSA, CISA, and the FBI strongly encourage all cybersecurity actors to review their networks for compromise indicators related to all five vulnerabilities and the techniques described in the opinion and to urgently implement related remedial actions.


Meanwhile, the US Treasury Department imposed sanctions to seek revenge on “aggressive and harmful activities by the government of the Russian Federation”. The measures include new bans on Russian national debt and sanctions against six Russian-based companies that, according to the Treasury Department, “supported the efforts of Russian intelligence agencies to conduct malicious cyber activities against the United States.”

The companies are:

  • ERA Technopolis, a research center run by the Russian Defense Ministry to transfer the staff and expertise of the Russian technology sector to the development of technologies used by the country’s military. ERA Technopolis supports the Russian General Intelligence Directorate (GRU), a body responsible for offensive cyber and information operations.
  • Pasit, a Russia-based information technology company that conducted research and development in support of malicious cyber operations by the SVR.
  • SVA, a Russian state research institute specializing in advanced information security systems in this country. SVA has conducted research and development in support of SVR’s malicious cyber operations.
  • Neobit, an IT security company based in Saint Petersburg, Russia, whose customers include the Russian Ministry of Defense, the SVR and the Russian Federal Security Service. Neobit researched and developed in support of the cyber operations of the FSB, GRU and SVR.
  • AST, a Russian IT security company whose clients include the Russian Ministry of Defense, SVR and FSB. AST provided technical support for cyber operations carried out by FSB, GRU and SVR.
  • Positive Technologies, a Russian IT security company serving customers of the Russian government, including the FSB. Positive Technologies provides security solutions for computer networks to Russian companies, foreign governments and international companies and holds recruitment events for the FSB and GRU.


“The reason they were called in is because they are an integral part and participant in the operation the SVR is conducting,” Joyce said of the six companies. “We hope that by the SVR’s refusal to support these companies, we will affect their ability to project some of this malicious activity around the world, and particularly in the US.”

Russian government officials have steadfastly denied any involvement in the SolarWinds campaign.

In addition to attributing the SolarWinds campaign to the Russian government, the Finance Ministry’s dismissal on Thursday also said the SVR was behind the August 2020 poisoning of Russian opposition leader Aleksey Navalny with a chemical weapon aimed at Russian journalists and others who Openly criticizing the Kremlin and the theft of “Red Team Tools” that use exploits and other attack tools to mimic cyber attacks.

The “Red Team Tools” reference likely referred to the offensive tools from FireEye, the security firm that first identified the Solar Winds campaign after it was discovered that their network was breached. The Treasury Department went on to say that the Russian government “cultivates and co-opts criminal hackers” to crack down on US organizations. A group known as Evil Corp. was sanctioned in 2019. In the same year, prosecutors sued the kingpin Maksim V. Yakubets of Evil Corp. and provided a $ 5 million bounty for information leading to his arrest or conviction.

Although overshadowed by the sanctions and the formal attribution to Russia, the main lesson from Thursday’s announcements is that the SVR campaign is still ongoing and is currently using the above exploits. Researchers said Thursday that they are seeing internet scans designed to identify servers that have not yet addressed the Fortinet vulnerability, which the company fixed in 2019. The search for other vulnerabilities is also likely to continue.

Bulk scan activity detected by (🇸🇬) targeting Fortinet VPN servers susceptible to unauthenticated reading of any file (CVE-2018-13379) resulting in clear username and password disclosure. #threatintel

– Bad Packets (@bad_packets) April 15, 2021

Individuals who administer networks, especially those who have not yet addressed any of the five vulnerabilities, should read the latest CISA alert, which provides full technical details about the ongoing hacking campaign and ways to identify and mitigate tradeoffs.


Steven Gregory