The US government has formally accused Russia of being behind the SolarWinds espionage hack. The attack campaign is reportedly still ongoing.
In a joint statement, the US National Security Agency (NSA), the Federal Bureau of Investigation (FBI) and the cybersecurity agency CISA have formally held Russia responsible for the SolarWinds hack. In that attack, an update to SolarWinds' management software was injected with malware that installed backdoors on 18,000 customers and was used to break into a whole range of companies and organizations. The victims of those break-ins include major tech companies and a range of US government agencies.
According to Rob Joyce, director of cybersecurity at the NSA, this is a particularly brazen form of espionage that goes against an unwritten rule in the world. "We definitely saw espionage," he said at a press conference, "but what worries us is that with the platform and the access they were given, there was also the ability to do other things, and we can't allow that. That is why the American government is going to impose costs and fight against these activities."
According to the press conference, the SVR, the Russian intelligence service, has backed attackers who break into organizations researching COVID-19. They use the WellMess and WellMail malware and vulnerabilities in VMware. Even more troubling: this attack campaign is reportedly still in full swing.
Organizations that have not yet fully patched VMware, or that are behind on patches for several critical bugs in VPN software from Fortinet, Pulse Secure and Citrix (many of those patches were released last year), are especially at risk, as the SVR is still exploiting these bugs, according to the US government. Researchers have reportedly observed scanning activity intended to find servers on which, for example, the patch for the Fortinet vulnerability has not yet been rolled out.
The sanctions include financial measures against six Russian companies that reportedly assist the Russian intelligence service. The US is also expelling ten Russian diplomats, five of whom are members of the Russian intelligence service. A ban on US banks trading in Russian government bonds is also being extended. The Russian government has consistently denied having anything to do with the SolarWinds hack.