It was Russia wot did it: SolarWinds hack was done by Kremlin's APT29 crew, say UK and US

Russia’s infamous APT 29, aka Cozy Bear, was behind the SolarWinds Orion attack, the US and UK governments said today as America slapped sanctions on Russian infosec companies as well as expelling diplomats from that country’s US embassy.

One of the sanctioned companies is Positive Technologies, familiar in the West for, among other things, in-depth research exposing vulnerabilities in Intel’s hardware security architecture.

Formal attribution of the SolarWind hacks, echoing tentative findings made by Kaspersky Lab, came in a US Treasury Department statement issued this afternoon.

The compromise saw Russian state intelligence operatives carefully compromise the build systems of SolarWinds’ network monitoring software Orion to distribute a backdoor into its 18,000 customers. Those customers included the UK and US governments, among many others.

We see what Russia is doing to undermine our democracies

“The Russian Intelligence Services’ third arm, the SVR, is responsible for the 2020 exploit of the SolarWinds Orion platform and other information technology infrastructures. This intrusion compromised thousands of US government and private sector networks,” said the US Treasury.

The American attribution was echoed by the British government with Foreign Secretary Dominic Raab saying in a statement: “We see what Russia is doing to undermine our democracies. The UK and US are calling out Russia’s malicious behaviour, to enable our international partners and businesses at home to better defend and prepare themselves against this kind of action.”

The US Defence Department added: "Recent Russian SVR activities include compromising SolarWinds Orion software updates, targeting COVID-19 research facilities through deploying WellMess malware, and leveraging a VMware vulnerability that was a zero-day at the time for follow-on Security Assertion Markup Language (SAML) authentication abuse."

The NCSC also said in a public statement that “the overall impact on the UK of the SVR’s exploitation of this software is low.” Government departments have refused to even talk about the impact of the Orion compromise despite it being in widespread use around Whitehall and further afield, lending credibility to the notion that UK.gov was more widely hit by the breach than it wants to admit.

Paul Prudhomme, head of Threat Intelligence Advisory at threat intel biz IntSights told The Register: “The attribution of the SolarWinds supply chain attack campaign to a state-sponsored Russian cyber espionage group is credible, as the high levels of sophistication, tradecraft, and stealth in that campaign were consistent with that of such Russian groups. It nonetheless remains unclear what specific data points enabled the attribution to the Russian APT29 in particular with such a high level of confidence."

Positive Technologies sanctions

The US has sanctioned five Russian cyber security companies for their involvement with the Russian state’s cyber attacks against the West. Chief among those is Positive Technologies, which has a fair-sized UK presence and targets the telecoms industry among other sectors.

“Positive Technologies provides computer network security solutions to Russian businesses, foreign governments, and international companies and hosts large-scale conventions that are used as recruiting events for the FSB and GRU,” said the US Treasury.

Its international biz website says it was "spun out from the telecom division of Positive Technologies in 2019, as a separate business entity based out of Switzerland and headquartered in the United Kingdom."

The firm has a global presence and has seemingly played down its Russian roots in the West, though a corporate slide deck on its website states it was founded with six employees in Moscow in 2002, originating from the old Xspider antivirus tool.

The company has also carried out legitimate security research in accordance with Western norms and which it has published for all to read; many of those were covered on The Register, including probing of rival Russian infosec firm Kaspersky’s security software and longstanding vulns in GPRS, the 2G data transmission protocol.

One area Positive has special interest in within the UK is telecoms, raising fears of a second Huawei-style situation emerging as a sanctioned company finds itself in the middle of a political bunfight. We have asked all of the UK’s mobile network operators whether they are customers of Positive and will be reporting further if the answer is "yes."

We have asked Positive for comment on the sanctions and will update this article when it responds.

Other sanctioned outfits included ERA Technopolis, aka Pasit; Neobit, an infosec firm which was also the alma mater for a Russian spy who sneaked into Microsoft back in 2010; the Russian state compsci research institution; and a Russian business called Advanced System Technology AO.

US persons are banned from doing business with any of the above. ®