As has long been anticipated, US president Joe Biden has today (15 April) signed an executive order imposing fresh sanctions on Russia over a pattern of malicious cyber attacks against the US and allies, including the December 2020 SolarWinds attacks, which it has now formally attributed to the Russian state-backed APT29, or Cosy Bear.
The US administration said that although it wanted a stable and predictable relationship with Moscow, it was clear that it had to defend its interests and impose costs on the Russian government over its actions in cyber space.
The administration said it was now highly confident that Cosy Bear was behind the “broad-scope cyber espionage campaign” that exploited malicious code inserted into the SolarWinds Orion platform and some other IT infrastructures. This enabled Russia’s foreign intelligence service, the SVR, to spy on and disrupt the systems of thousands of organisations on a global scale, although it was mainly government bodies that were targeted.
The US said the scope of the compromise was such that it was a clear national and public security concern, and placed an undue burden on the private sector victims that bear the “unusually high” mitigation costs.
It also said the attack on SolarWinds highlighted the risks posed by Russian attempts to target victims via their supply chains and served as a warning of the risks of using ICT and services supplied by companies that operate or store user data in Russia, or rely on software development or technical support there. To this end, it has censured six Russian tech firms that work with the SVR’s cyber programme.
The US government said it would also bolster its efforts to “promote a framework of responsible state behaviour in cyber space” and cooperate with allies and partners. Biden trailed the creation of a cyber policy course covering attack attribution, and further training for policymakers on how international law can be applied to cyber space. The US will also bring a number of allies into its planned Cyber Flag 21-1 cyber defence and resiliency planning exercises – this will include the UK, as well as Denmark, Estonia and France.
The wider sanctions forbid US financial institutions from taking part in the market for ruble or non-ruble denominated bonds, or lending ruble or non-ruble denominated funds to Russia’s Central Bank, National Wealth Fund or Ministry of Finance; sanction 32 entities and individuals thought to be involved in attempts to throw the controversial 2020 US presidential election off course, and eight individuals and entities associated with Russia’s attacks on Ukraine and continued illegal occupation of Crimea; and expel 10 intelligence operatives from Russia’s Washington DC embassy.
At the same time, the US National Security Agency (NSA), the Cybersecurity and Infrastructure Security Agency (CISA) and the FBI have today issued an alert to expose further SVR-linked exploitation of five common vulnerabilities and exposures (CVEs) to target both public and private sector organisations in the US and around the world.
In a joint statement, the agencies said mitigating these CVEs was critically important as US and allied networks were constantly being scanned, targeted and exploited by Moscow-backed groups. Beyond the SolarWinds Orion compromise, the SVR has been spotted targeting Covid-19 research facilities with malware through a VMware vulnerability.
The listed vulnerabilities are CVE-2018-13379, a path traversal vulnerability in Fortinet FortiGate VPN; CVE-2019-9670, an XML external entity injection vulnerability in Synacor Zimbra Collaboration Suite; CVE-2019-11510, which enables remote attackers to perform arbitrary file reads via Pulse Secure Pulse Connect Secure VPN; CVE-2019-19781, a now infamous vulnerability in Citrix Application Delivery Controller and Gateway, which allows directory traversal; and CVE-2020-4005, a command injection vulnerability in VMware Workspace One Access, Access Connector, Identity Manager and Identity Manager Connector.