US Sanctions Russia Over SolarWinds Attack, Election Meddling
Biden Administration Attributes SolarWinds Attack to Russia's Foreign Intelligence Service
The Biden administration on Thursday formally sanctioned Russia over the cyberespionage operation that targeted SolarWinds and its customers, including nine federal agencies, as well as the disinformation campaign tied to the 2020 U.S. elections.
In addition to economic and other sanctions announced Thursday, a group of U.S. intelligence agencies, including the National Security Agency, the FBI and the Cybersecurity and Infrastructure Security Agency, formally accused the Russian Foreign Intelligence Service, or SVR, of carrying out the attack that targeted SolarWinds and users of its Orion network monitoring platform.
Besides the sanctions against Vladimir Putin's government, the Biden administration is sanctioning more than 30 Russian companies and individuals accused of supplying tools, infrastructure and technologies for various cyber operations or participating in the election-related disinformation campaign (see: US Intelligence Reports: Russia, Iran Targeted 2020 Election).
The Biden administration is also expelling 10 Russian diplomats from the U.S. The Obama administration took similar action in December 2016, when it expelled over 30 Russian diplomats as a response to interference in the presidential election that year.
In addition, the Treasury Department will now prohibit U.S. financial institutions from participating in the primary market for ruble or non-ruble denominated bonds issued after June 14 by a number of Russian agencies, including the nation's Central Bank, National Wealth Fund and Ministry of Finance.
The sanctions also included the confiscation of U.S. property from the individuals listed in the executive order.
President Joe Biden said that the sanctions would seek to address the Russian government's "efforts to undermine the conduct of free and fair democratic elections and democratic institutions in the United States and its allies and partners; [and] to engage in and facilitate malicious cyber-enabled activities against the United States and its allies and partners."
Reactions to Biden's Actions
While the sanctions against Russia highlight both the SolarWinds attack and the disinformation campaign against last year's U.S. elections, the Biden administration is also seeking to punish Russia for several other actions, including its military actions in Ukraine and Crimea.
Tom Kellermann, head of cybersecurity strategy for VMware and a member of the Cyber Investigations Advisory Board for the U.S. Secret Service, calls on the administration to go one step further and counter Russia's actions with its own cyber campaign.
"I commend the sanctions and expulsions. However, they should be bolstered by a proportionate cyber campaign," Kellermann says. "The challenge with traditional sanctions is they do not impact the true assets of the 'bad actors' that are sheltered in virtual currency and real estate."
Kevin Mandia, the CEO of security firm FireEye, which first discovered the SolarWinds supply chain attack in December 2020, also praised the Biden administration for the sanctions and for naming the Russian SVR as the main group behind the incident. But he, too, said the administration needs to do more.
"This is a positive, welcome step toward adding more friction to Russian operations. Simply naming the SVR, as well as the corporations that support it, will inform our defense," Mandia says. "Unfortunately, we are unlikely to fully deter cyberespionage and we will have to take serious action to better defend ourselves from inevitable future intrusions."
The Russian sanctions "are another classic reactive tool to respond to these types of incidents, but how well they work is up for debate, with the literature being divided and the conclusion being context-specific," says Scott Shackelford, chair of Indiana University's cybersecurity program. "Given the degree of ongoing sanctions and resulting isolation that [Russian President Vladimir] Putin has already shown that he’s willing to tolerate, though, I would be surprised if this most recent round of targeted sanctions causes him to change course - but I would be happy to be proved wrong."
Likewise, Dmitri Alperovitch, the former CTO of CrowdStrike, noted Thursday on Twitter that it's unclear whether the sanctions will change the behavior of the SVR or other Russian agencies.
"So regardless of whether one thinks SolarWinds/HolidayBear is acceptable espionage (as I do), there is certainly cause to sanction SVR for past behavior
Whether that’s actually smart to do and/or accomplishes much is for another thread 2/2"
- Dmitri Alperovitch (@DAlperovitch), April 15, 2021
Thursday's action against Russia is the second time the Biden administration has issued sanctions against the country this year. In March, the White House and the State Department announced measures against several Russian individuals who the U.S. government believes were responsible for the attempted assassination of Russian opposition figure Aleksei Navalny in August 2020 and his subsequent imprisonment in January.
More Actions Anticipated
Since taking office in January, President Biden had promised to respond to Russia for the SolarWinds supply chain attack. Over the last several weeks, the investigation into the intrusion has been overseen by Anne Neuberger, the deputy national security adviser for cyber and emerging technology (see: White House Taps Neuberger to Lead SolarWinds Probe).
The Biden administration is also preparing several executive orders that will address the cybersecurity shortcomings that have come to light since the SolarWinds attack was first discovered in December 2020. These actions could include a security scorecard and rating system for U.S. software. None of these orders were released Thursday (see: Exchange Hacks: How Will the Biden Administration Respond?).
The main sanctions that the Biden administration unveiled Thursday were aimed at affecting the Russian government's sovereign debt. In a call with reporters Thursday, a senior administration official, who spoke on condition of anonymity, noted that previous sanctions had not focused on this part of the Russian economy.
"Before we took this action, our sanctions prohibitions only prevented U.S. persons from purchases of non-ruble denominated debt at issuance. This meant the vast majority - over 80% - of the sovereign debt that Russia issues - the ruble-denominated portion - was untouched by our sanctions regime," the senior official said. "We’ve now expanded our prohibitions to cover this space, and we’re also delivering a clear signal that the president has maximum flexibility to expand the sovereign debt prohibitions if Russia's maligned activities continue or escalate."
Other sanctions, however, targeted several specific Russian-based organizations and individuals who are accused of participating in cyber operations and disinformation campaigns.
The Treasury Department lists six technology companies or research organizations that the U.S. government claims support Russia's cyber operations: ERA Technopolis; Pasit, AO; Federal State Autonomous Scientific Establishment Scientific Research Institute Specialized Security Computing Devices and Automation; Neobit, OOO; Advanced System Technology, AO; and Pozitiv Teknolodzhiz, AO (Positive Technologies).
Also, the Treasury Department's Office of Foreign Assets Control is enforcing sanctions against 16 entities and 16 individuals who the U.S. government believes attempted to interfere in the 2020 election.
Among those listed is Konstantin Kilimnik, a Russian and Ukrainian campaign consultant who is believed to have given sensitive polling data and other data related to U.S. elections to Russia's intelligence services. In 2018, he was indicted by the U.S. Justice Department on obstruction charges. The FBI is currently offering $250,000 for information leading to his arrest.
As a result of the sanctions, any of the organizations or individuals listed could have their U.S. property confiscated. And American businesses and citizens are now prohibited from doing business with these organizations and Russian citizens.
SVR and SolarWinds
While the U.S. government agencies investigating the attack against SolarWinds announced that a Russian-linked group was likely responsible for the intrusion, Thursday marked the first time that the NSA, CISA and the FBI have formally linked the campaign to Russia's SVR, which is also referred to as APT29, Cozy Bear and The Dukes. The SVR is believed to be one of the Russian spy agencies responsible for targeting the Democratic National Committee in 2016 (see: Final Report: More 2016 Russian Election Hacking Details).
"The U.S. Intelligence Community has high confidence in its assessment of attribution to the SVR" for the SolarWinds attack, according to the White House statement.
The NSA, the FBI and CISA released an alert that notes SVR is continuing to exploit five vulnerabilities in several IT products and services, and they warn that government agencies and private companies should immediately patch or mitigate these issues. The flaws include:
- CVE-2018-13379 in certain Fortinet products;
- CVE-2019-9670 in certain Zimbra products;
- CVE-2019-11510 in some Pulse Secure products;
- CVE-2019-19781 in some Citrix products;
- CVE-2020-4006 in certain VMware products.
Even before Thursday, security experts such as Alperovitch and others had said, since the SolarWinds attack was first detected, that the operation was likely conducted by the SVR and that it was likely an espionage operation designed to collect intelligence and data, not a destructive attack of the kind typically launched by the Russian Main Intelligence Directorate, also known as the GRU (see: SolarWinds Attack Illustrates Evolving Russian Cyber Tactics).
Since the discovery of the SolarWinds attack, the Russian government has denied any involvement in the intrusion. Russia has also denied trying to influence U.S. elections. Biden spoke with Putin on Tuesday, but it's not clear from a White House statement if the two discussed the sanctions.
On Thursday, the Russian Foreign Ministry released a statement noting: "U.S. aggressive behavior will certainly lead to a decisive rebuff; there will be an inevitable response to the sanctions."
At a House Intelligence Committee hearing on Thursday, Director of National Intelligence Avril Haines told lawmakers that Russia will likely respond to the sanctions.
"There will probably be a certain amount of tit for tat," such as Russia expelling certain U.S. diplomats, she said.