
As US takes sweeping action against Russia for years of hacking, industry skeptical of impact

(Official White House Photo by Lawrence Jackson)

Anticipated for months, the Biden administration unveiled a sweeping set of sanctions and other actions against the Russian government, as well as private individuals and a number of Russian tech and defense companies, that U.S. authorities claim assisted Russian intelligence in hacking and election interference schemes.

In an executive order released Thursday morning, President Joe Biden cited Russian “efforts to undermine the conduct of free and fair democratic elections” as well as their “malicious cyber-enabled activities against the United States and its allies and partners” along with other offenses. The order gives the attorney general and secretaries of State and Treasury the authority to seize or block property and assets of any individual or business in the tech or defense sector if a determination is made that they have been aiding Moscow in these operations.

The order was followed soon after by supporting efforts from various agencies across government, and by endorsements from the cybersecurity industry. At the same time, some expressed skepticism that the moves would actually stymie cyberespionage efforts, emphasizing the need for public and private organizations to improve their system defenses.

The Department of the Treasury moved quickly to leverage those new authorities, announcing the same day that six Russian technology and cybersecurity organizations would be subject to sanctions. They include research center ERA Technopolis, which officials say “houses and supports” Russia’s Main Intelligence Directorate (GRU) in offensive cyber operations and the development of dual-use military technology. Also included in the sanctions are technology and security companies Pasit, Neobit, and AST, all three of which are alleged to have done research and development for malicious cyber operations carried out by the GRU, the Foreign Intelligence Service (SVR) or the Federal Security Service (FSB).

Another company, Positive Technologies, conducts vulnerability research and is not directly accused of supporting malicious Russian cyber operations, but rather supporting Russian government clients including the FSB and hosting “large-scale conventions that are used as recruiting events for the FSB and GRU.”

In a lengthy statement released the day after the sanctions dropped, Positive Technologies denied what it called “the groundless accusations made by the U.S. Department of the Treasury,” saying it had operated ethically for 20 years and no one has ever presented evidence that their vulnerabilities were being passed along to the Russian government. They also flatly denied that their work is used for anything other than defensive cybersecurity purposes.

“Our researchers detect hundreds of zero-day vulnerabilities per year in IT systems of various classes and types,” the company said. “All of the vulnerabilities found, without exception, are provided to the software manufacturers as part of the responsible disclosure policy and are not made public until the necessary updates are released.”

They defended their conference, Positive Hack Days as “a public platform for the exchange of expertise, learning and advanced training in cybersecurity” that draws attendees from “different countries, the CTF movement, scientists, students and even schoolchildren.” They did not directly address claims made by Treasury that Russian intelligence agencies may be using the forum to recruit, though U.S. cybersecurity experts have pointed out that similar claims could be made of American intelligence officials and many U.S.-based security conferences.

A separate set of sanctions was slapped on four websites that Treasury executives flagged as propaganda outlets for the Kremlin, and on Alexei Gromov, first deputy chief of staff for the Russian president, for their participation in election interference schemes against the U.S. and other countries.

“The president signed this sweeping new authority to confront Russia’s continued and growing malign behavior,” said Treasury Secretary Janet Yellen in a statement. “Treasury is leveraging this new authority to impose costs on the Russian government for its unacceptable conduct, including by limiting Russia’s ability to finance its activities and by targeting Russia’s malicious and disruptive cyber capabilities.”

Meanwhile, the National Security Agency, the Cybersecurity and Infrastructure Security Agency and the FBI released a joint cybersecurity advisory for five critical vulnerabilities they say are being actively exploited by SVR operatives, alongside a formal attribution by the U.S. government that Russian agencies were behind the SolarWinds hack last year. That attribution was backed up by Five Eyes intelligence allies, NATO and others in similar announcements today.

The vulnerabilities highlighted include a 2019 flaw in Fortinet’s FortiGate VPN, a 2019 XML external entity injection vulnerability in Zimbra’s Collaboration Suite, an arbitrary file reading vulnerability in Pulse Secure, a directory traversal flaw in Citrix Application Delivery Controller and Gateway, and a command injection vulnerability in VMware products. All but one of those vulnerabilities were discovered and publicized in 2019, highlighting how frequently nation-state hacking groups leverage older vulnerabilities to target unpatched victim systems and networks.

The joint advisory said Russian agencies like the SVR are exploiting public-facing applications, leveraging external remote services, compromising supply chains, using valid accounts, leveraging software bugs to gain credential access and forging web credentials in their operations. U.S. Cyber Command bolstered those findings by uploading at least eight fresh malware samples to the analysis service VirusTotal that the Pentagon attributes to APT29, a hacking group within the SVR. The samples include new malware variants of GoldMax, GoldFinder, Sibot and associated files, which were used to compromise a single victim network.

The advisory also warned organizations that if their networks are compromised, the Russians won’t be easy to kick out.

“Expect that the risk from data stolen or modified (including credentials, accounts, and software) before a device was patched will not be alleviated by patching or simple remediation actions,” the agencies wrote. “Assume that a breach will happen, enforce least-privileged access, and make password changes and account reviews a regular practice.”

The combined moves were part of a long-anticipated response from the Biden administration for what they and Democrats see as years of inadequate consequences imposed on Moscow by the Trump administration. It should be noted that Russian entities and individuals were sanctioned multiple times during the Trump administration for cyber-related and other offenses, but the SolarWinds compromise opened fresh wounds that have caused some members of Congress to call for more aggressive action.

“The scale and scope of this hack are beyond any that we’ve seen before, and should make clear that we will hold Russia and other adversaries accountable for committing this kind of malicious cyber activity against American targets,” said Sen. Mark Warner, D-Va., in a statement. “Across both the public and private sector, we have a lot of work to do to deter our adversaries from conducting these types of damaging intrusions, and to guard against future interference in our elections. But this is a good first step in making clear that these sorts of actions are unacceptable and will be met with consequences.”

Still, others expressed skepticism that the moves would meaningfully deter future operations by the Russian government, citing how similar actions by previous administrations failed to do so.

“I do want to observe that as much as I support what the president said today in terms of retaliation, I do remember four years ago roughly when the Obama administration announced a similar suite, and they just keep doing it,” said Rep. Jim Himes, D-Conn., who sits on the House Permanent Select Committee on Intelligence, in a congressional hearing shortly after the news was announced.

Outside of government, executives from threat intelligence provider FireEye – which discovered the SolarWinds hack while investigating its own compromise – and technology trade groups like the Information Technology and Innovation Foundation echoed a similar refrain: while the actions are welcome, they are not likely to alter Moscow’s calculus.

“Simply naming the SVR, as well as the corporations that support it will inform our defense,” said FireEye CEO Kevin Mandia. “Unfortunately, we are unlikely to fully deter cyber espionage and we will have to take serious action to better defend ourselves from inevitable future intrusions.”


Derek B. Johnson

Derek is a senior editor and reporter at SC Media, where he has spent the past three years providing award-winning coverage of cybersecurity news across the public and private sectors. Prior to that, he was a senior reporter covering cybersecurity policy at Federal Computer Week. Derek has a bachelor’s degree in print journalism from Hofstra University in New York and a master’s degree in public policy from George Mason University in Virginia.
