On February 21, Jake Sullivan, the U.S. national security adviser, told CBS television's “Face the Nation” program that those responsible for “SolarWinds,” the massive 2020 cyberattack on the U.S. government, would face a response that included “a mix of tools seen and unseen.”
And he blamed Moscow: “We will ensure that Russia understands where the United States draws the line on this kind of activity.”
Russia’s RT state broadcaster reported on Sullivan’s comments and noted the U.S. intelligence community’s assessment that the hack was “likely Russian in origin.”
“This echoed evidence-free mainstream media claims as well as their own language in ‘assessments’ about the 2016 election,” RT wrote, referring to the 2016 U.S. presidential election. “Moscow has denied any involvement in the SolarWinds breach, calling it ‘yet another unsubstantiated attempt’ by the U.S. to scapegoat Russia.”
The notion that media reports about the SolarWinds hack have been “evidence-free” is false. Although the U.S. has released limited information about the hack, multiple sources have presented evidence pointing to Russia’s involvement.
SolarWinds is a U.S. company that provides computer network management services to the government and private businesses. Clients include defense contractors and federal agencies, including the Justice, Commerce and Treasury departments and the U.S. Centers for Disease Control, among others.
On December 13, the cybersecurity firm FireEye reported that hackers had attached malware to SolarWinds' premier product, the Orion network-monitoring tool, enabling high-level access to client computer networks.
The hackers inserted malicious code into a March 2020 Orion update, in what is called a supply chain attack. That attack infected an estimated 18,000 clients, including the U.S. Defense, Energy, Homeland Security, and State departments.
FireEye itself was a victim of an intrusion that CEO Kevin Mandia said was different “from the tens of thousands of incidents we have responded to throughout the years.”
“We are witnessing an attack by a nation with top-tier offensive capabilities,” Mandia said in that December 13 statement.
Although FireEye did not mention Russia by name, The New York Times reported the intrusion was handed over to the FBI’s Russia specialists.
Speaking before the U.S. Senate Select Committee on Intelligence on February 23, Mandia said the attack was far broader than SolarWinds and had been part of “a multi-decade campaign.” Without elaborating, he added that “we all pretty much know who [the threat actor] is.”
The hackers behind the months-long attack reportedly accessed Microsoft’s source code. Microsoft President Brad Smith called the hack “the largest and most sophisticated attack the world has ever seen.”
Smith told the U.S. Senate Select Committee on Intelligence on February 23 that “a thousand very skilled, capable engineers worked on this,” adding the scale and sophistication of the operation was unprecedented.
“At this stage we’ve seen substantial evidence that points to the Russian foreign intelligence agency and we’ve found no evidence that leads us anywhere else. So we’ll wait for the rest of the formal steps to be taken by the government and others, but there’s not a lot of suspense at this moment in terms of what we’re talking about,” Smith said.
Both during his Senate testimony and in comments to CBS television’s “60 Minutes” program that aired a week prior to the RT report, Smith drew a connecting line between the vast nature of the SolarWinds hack and Russia’s previous alleged hacking activities in Ukraine.
“What we are seeing is the first use of this supply chain disruption tactic against the United States. But it's not the first time we've witnessed it. The Russian government really developed this tactic in Ukraine,” he told “60 Minutes” in reference to the 2017 NotPetya ransomware attack. The CIA concluded with “high confidence” that Russia’s military intelligence agency, the GRU, carried out that attack.
SolarWinds consultant Alex Stamos directly blamed Russia’s Foreign Intelligence Service (SVR). “One of the reasons that this campaign has been able to last for well over a year is because they [the SVR] are incredibly subtle about the intrusion into all these companies,” the tech publication CRN quoted Stamos as telling SolarWinds CEO Sudhakar Ramakrishna during a webinar weeks prior to the RT report.
U.S. intelligence agencies released a statement in January saying the SolarWinds hack was “an intelligence gathering effort” which was “likely Russian in origin.” Some Western intelligence agencies believe the SVR directs the APT29 hacking group, also known as “Cozy Bear.”
In January, Reuters reported what it called “the first publicly available evidence” corroborating U.S. claims Russia was behind the SolarWinds attack.
Reuters cited the Moscow-based cybersecurity firm Kaspersky Lab, which said it had found “specific code similarities” between Sunburst — the malware used in the SolarWinds intrusion — and an alleged Russian hacking tool called Kazuar.
According to Reuters, Kazuar had been employed by the Turla or “Venomous Bear” hacking group, which is believed to work under the auspices of Russia’s Federal Security Service (FSB), the successor organization to the Soviet KGB.
Costin Raiu, director of Kaspersky’s Global Research and Analysis Team, said the “identified connection does not give away who was behind the SolarWinds attack.”
He did note the three matches in malware functionality were not “a copy-paste effort,” but more like the “handwriting” which “propagates to different projects written by the same person.”
Kaspersky itself has been accused of working with the FSB. The company was subsequently banned from providing services to the U.S. government. Kaspersky denied it had had any inappropriate relationships with any government, and offered to disclose its source code to the U.S. government for audit, the security and risk management website CSO reported.
Dmitri Alperovitch, the cofounder and former chief technology officer of security firm CrowdStrike, told Wired the Kaspersky findings confirm “the attribution to at least Russian intelligence.”
As for the 2016 U.S. presidential election, in 2019, the then Republican-led U.S. Senate Intelligence Committee issued a report concluding, after three years of investigations, that “Russian President Vladimir Putin ordered the Russian effort to hack computer networks and accounts affiliated with the Democratic Party and leak information damaging to Hillary Clinton and her campaign for president.”
As Polygraph.info has reported, Moscow has denied allegations and evidence that Russian state hackers targeted governments and influential international institutions and organizations.
Russian hacking operations have targeted Olympic committees, the World Anti-Doping Agency, the United Nations Agency for Prohibition of Chemical Weapons and the joint international team investigating the 2014 downing of Malaysian passenger jet MH17 over Ukraine, which killed all 298 people on board.
Russian hackers believed to be part of Cozy Bear have also been implicated in efforts to steal COVID-19 vaccine research.