White House formally blames Russian intelligence service SVR for SolarWinds hack

In a press release today announcing a broad set of sanctions against the Russian government, the Biden administration has formally named the Russian Foreign Intelligence Service, also known as the SVR, as the perpetrator of the 2020 SolarWinds Orion supply chain attack.

The White House said that SVR's hacking unit, known as APT 29Cozy Bear, or The Dukes, "exploited the SolarWinds Orion platform and other information technology infrastructures" as part of a "broad-scope cyber espionage campaign."

The SVR achieved this by gaining access to the internal network of Texas-based software maker SolarWinds and inserting malware in a version of the Orion IT monitoring application.

SolarWinds customers downloaded and installed the update, along with the SVR's malware, which allowed Russian operatives to gain a foothold in high-value targets, where they deployed additional malware to compromise internal and cloud-based systems and steal sensitive information.

"The SVR's compromise of the SolarWinds software supply chain gave it the ability to spy on or potentially disrupt more than 16,000 computer systems worldwide," the White House said today.

Tens of US government agencies were among the victims of this broad cyber-espionage campaign.

The State Department, the Department of Justice, the Department of Energy, the Cybersecurity and Infrastructure Agency, and the Treasury Department were among the biggest agencies to disclose compromises.

In January, Russian government officials disputed early news reports that Kremlin-sponsored hackers might have been behind the attacks.

However, today, US intelligence officials said they had "high confidence" in their assessment that the SVR was behind the SolarWinds supply chain attack, but also other operations that targeted US government entities that took place at the same time.

The UK government also confirmed and supported the White House's attribution of the SolarWinds attack to the SVR. The European Commission released a statement blaming the SolarWinds hack on Russia, but did not go as far as to attribute it to the SVR.

Six Russian firms sanctioned for supporting SVR operations

Along with the White House statement, the Treasury Department also imposed sanctions today against six Russian technology firms that the US government believes had helped the SVR with technical expertise and service during past operations. These six include:

  • ERA Technopolis - a research center and technology park funded and operated by the Russian Ministry of Defense. ERA Technopolis houses and supports units of Russia's Main Intelligence Directorate (GRU) responsible for offensive cyber and information operations and leverages the personnel and expertise of the Russian technology sector to develop military and dual-use technologies.
  • Pasit - a Russia-based information technology (IT) company that conducted research and development in support of Russia's Foreign Intelligence Service's (SVR) malicious cyber operations.
  • SVA - a Russian state-owned research institute specializing in advanced systems for information security located in Russia. SVA conducted research and development in support of the SVR's malicious cyber operations.
  • Neobit - a Saint Petersburg, Russia-based IT security firm whose clients include the Russian Ministry of Defense, SVR, and Russia's Federal Security Service (FSB). Neobit conducted research and development in support of the cyber operations conducted by the FSB, GRU, and SVR. Neobit was also designated today pursuant to cyber-related EO 13694, as amended by EO 13757, WMD-related E.O. 13382, and the Countering America's Adversaries Through Sanctions Act (CAATSA) for providing material support to the GRU. 
  • AST - a Russian IT security firm whose clients include the Russian Ministry of Defense, SVR, and FSB. AST provided technical support to cyber operations conducted by the FSB, GRU, and SVR. AST was also designated today pursuant to EO 13694, EO 13382, and CAATSA for providing support to the FSB.
  • Positive Technologies - a Russian IT security firm that supports Russian Government clients, including the FSB. Positive Technologies provides computer network security solutions to Russian businesses, foreign governments, and international companies and hosts large-scale conventions that are used as recruiting events for the FSB and GRU. Positive Technologies was also designated today pursuant to EO 13694, EO 13382, and CAATSA for providing support to the FSB.

The Treasury said the six companies also helped two other Russian intelligence agencies (the Federal Security Service [FSB] and Russia's Main Intelligence Directorate [GRU]) during their respective past cyber operations.

Of note, the Treasury's sanctions list also includes a famous name in Russian security firm Positive Technologies, which is globally known for its work in cybersecurity vulnerability research.

Today marks the second time a Russian security firm was sanctioned by the US Treasury Department for supporting foreign Russian state hacking operations. The previous two, Embedi and ERPScan, were added to the sanctions list in June 2018 for supporting the FSB. The sanctions were levied in the aftermath of the NotPetya ransomware attack.

Once on the sanctions list, US entities are prohibited from interacting or doing business with these entities without express approval from the US government.

The North Atlantic Treaty Organization (NATO) also issued a statement in support of the White House sanctions, which covered additional Russian "disruptive operations" beyond the SolarWinds hack, such as bounties put on US soldiers, its invasion of Ukraine, and past election interference. Russia previously warned that today's sanctions might lead to a real-world confrontation.

The US National Security Agency also released a list of five vulnerabilities that SVR hacking units had recently used in attacks.

Get more insights with the
Recorded Future
Intelligence Cloud.
Learn more.
No previous article
No new articles
Catalin Cimpanu

Catalin Cimpanu

is a cybersecurity reporter who previously worked at ZDNet and Bleeping Computer, where he became a well-known name in the industry for his constant scoops on new vulnerabilities, cyberattacks, and law enforcement actions against hackers.