U.S. Fingers Putin’s Cozy Bear for SolarWinds Attacks

To the surprise of precisely nobody, President Biden’s three cybersecurity agencies have agreed that last year’s SolarWinds supply-chain attack was orchestrated by the Russian state. Their joint statement also blames Russia for hacking COVID-19 research, stealing red-team tools and poisoning Aleksey Navalny.

The Russian Foreign Intelligence Service (SVR) takes the rap, with its associated APT29 group doing the dirty work. NSA, FBI and CISA publicly pointed the finger yesterday, clearing the way for the Treasury Department to impose sanctions on various Russian organizations and individuals.

Озорной медведь (mischievous bear). In today’s SB Blogwatch, we exercise the right to bear arms. [You’re fired—Ed.]

Your humble blogwatcher curated these bloggy bits for your entertainment. Not to mention: STS-1.

Feds Slap SVR

What’s the craic? Dan Goodin reports—“US government strikes back at Kremlin for SolarWinds hack campaign”:

US officials on Thursday formally blamed Russia for backing one of the worst espionage hacks in recent US history and imposed sanctions designed to mete out punishments. [The NSA, FBI and CISA] said that Russia’s Foreign Intelligence Service, abbreviated as the SVR, carried out the supply-chain attack on customers of the network management software from … SolarWinds.

[The] joint advisory said that the SVR-backed hackers are behind other recent campaigns targeting COVID-19 research facilities, both by infecting them with malware known as both WellMess and WellMail and by exploiting a critical vulnerability in VMware … Fortinet … Zimbra … Pulse Secure [and] Citrix. … The US Treasury Department, meanwhile, imposed sanctions to retaliate for what it said were “aggressive and harmful activities by the Government of the Russian Federation.” … The Treasury Department also said that the SVR was behind … the theft of “red team tools” … likely related to the offensive tools taken from FireEye.

The most important takeaway from Thursday’s announcements is that the SVR campaign remains ongoing and is currently leveraging the exploits mentioned above. Researchers said … they’re seeing Internet scanning that is intended to identify servers that have yet to patch the Fortinet vulnerability, which the company fixed in 2019. Scanning for the other vulnerabilities is also likely ongoing.

Russian government officials have steadfastly denied any involvement in the SolarWinds campaign.

Over the pond, Gareth Corfield fields, “SolarWinds hack was done by Kremlin’s APT29 crew, say UK and US”:

Russia’s infamous APT 29, aka Cozy Bear, was behind the SolarWinds Orion attack, the US and UK governments said. … One of the sanctioned companies is Positive Technologies, familiar in the West for … exposing vulnerabilities in Intel’s hardware security architecture … probing of rival Russian infosec firm Kaspersky’s security software, and longstanding vulns in GPRS, the 2G data transmission protocol.

The firm has a global presence and has seemingly played down its Russian roots in the West, though a corporate slide deck on its website states it was founded with six employees in Moscow in 2002, originating from the old Xspider antivirus tool.

And Andy Greenberg adds—“US Sanctions on Russia Rewrite Cyberespionage’s Rules”:

Less than four months after … the SolarWinds hack, the US has now sent the Kremlin a message in the form of a punishing package of diplomatic and economic measures. But … what exactly is that message?

Look closely at the SolarWinds sanctions response, and it’s tough to see exactly what rule or norm for the world of state-sponsored hackers the Biden administration is seeking to write—or at least, what rule that the US itself hasn’t broken. [Russia’s] corruption of the software supply chain could be seen as uniquely reckless, but the US has tried that too, with operations that have compromised Cisco routers during shipping or built backdoors into the Swiss encryption software firm Crypto AG.

The Treasury Department has leveled new sanctions at six cybersecurity companies [and] four organizations associated with its disinformation operations. [But] some cyberpolicy critics see Biden’s sanctions [as] an incoherent, knee-jerk response designed to satisfy anyone who’d accuse the administration of being soft on Russia.

Separately, Shaun Courtney and Michael Riley feel energised—“Biden Rushes to Protect Power Grid”:

A White House plan to rapidly shore up the security of the U.S. power grid will begin with a 100-day sprint, but take years more to transform utilities’ ability to fight off hackers, according to details of a draft version of the plan confirmed by two people. [The] so-called “action plan” will incentivize power utilities to install sophisticated new monitoring equipment to more quickly detect hackers, and to share that information widely with the U.S. government.

Experts say initiatives to enhance the security of the U.S. electrical grid are years behind better-known efforts to improve the security of data centers and corporate computer systems. At the same time, hackers from Russia, China, Iran and North Korea are launching increasingly aggressive attacks on U.S. power companies, hoping to pre-position malware that could leave U.S. cities and towns in the dark.

Wait. Pause. Isn’t the grid already doing that? Mousit clarifies the rhetoric:

That stuff is only required if you must comply with NERC CIP. CIP compliance, or at least various parts of it. … Cyber security in particular is only required of utilities and service providers above a certain size, or certain number of assets, or coverage area, etc. … Smaller utilities, and especially … rural cooperatives … are often CIP exempt.

I work for one of said rural cooperatives. The main company (which serves the members of the coop) falls under CIP, as it is a sizable generation and transmission provider. However, most of our individual member utilities do not fall under CIP, or many parts of it, and thus aren’t required to have/do a lot of this stuff.

But Russia Russia Russia Russia. We’ve got John H Woods:

My instincts … tell me that it probably was the Russians. … I don’t think it’s a huge stretch that Russia might actually be the bad guys here.

Russia seems to be telling all of us that it is a rogue state in thrall to a gangster oligarchy. This isn’t about Russophobia, or politics (what even are Putin’s politics?), it’s just about his past and current behaviour, and that of Russia whilst under his leadership.

Yeah, yeah. So schwit1 chants “cyber cyber cyber cyber”:

Can the grid survive an EMP or Carrington Event? Or coordinated truck bombs near power stations? Physical damage could take years to fix.

Still, no smoke without fire, thinks this Anonymous Coward:

One of the oddities of computing is that it’s highly democratising. Someone with the patience and access to a machine can learn to break stuff.

Ransomware profits are by all accounts a relatively major source of revenue in the DPRK. … Equally there are business parks outside Moscow with buildings occupied by ransomware firms—legit businesses.

I haven’t seen the evidence either way that one state or another did it, but the smoking gun that all these states are using offensive tactics is not even remotely difficult to find. And, if you think the UK and US aren’t using offensive tactics themselves then you are deluded. Cough, Stuxnet.

Meanwhile, here’s MartianNick:

I almost wish Trump had a Twitter account so I could see what he had to say about this.

And Finally:

Forty years ago—40!

Previously in And Finally

You have been reading SB Blogwatch by Richi Jennings. Richi curates the best bloggy bits, finest forums, and weirdest websites … so you don’t have to. Hate mail may be directed to @RiCHi or [email protected]. Ask your doctor before reading. Your mileage may vary. E&OE. 30.

Image sauce: DonkeyHotey (cc:by)

Richi Jennings

Richi Jennings is a foolish independent industry analyst, editor, and content strategist. A former developer and marketer, he’s also written or edited for Computerworld, Microsoft, Cisco, Micro Focus, HashiCorp, Ferris Research, Osterman Research, Orthogonal Thinking, Native Trust, Elgan Media, Petri, Cyren, Agari, Webroot, HP, HPE, NetApp on Forbes and CIO.com. Bizarrely, his ridiculous work has even won awards from the American Society of Business Publication Editors, ABM/Jesse H. Neal, and B2B Magazine.
