WASHINGTON — The White House Thursday morning accused the Russian Foreign Intelligence Service, or SVR, of orchestrating the recent massive breach that affected private sector networks and U.S. government agencies through the popular IT monitoring software made by SolarWinds.
The statement linking the SVR’s hacking group, also known as “Cozy Bear,” to the “broad-scope cyber espionage campaign” is the most concrete connection the Biden administration has made between the hack and Russia. The damage was first uncovered in the final days of the Trump administration, which described the attack as “likely Russian.”
“The SVR’s compromise of the SolarWinds software supply chain gave it the ability to spy on or potentially disrupt more than 16,000 computer systems worldwide,” according to the White House statement, which also included a number of measures directed against the Russian government for a range of malign activities in addition to the SolarWinds breach. “The scope of this compromise is a national security and public safety concern,” the White House said.
According to the White House, the U.S. intelligence community, which has been investigating the breach, has “high confidence” that the SVR is the culprit. That’s the strongest level of certainty the community uses in describing its assessments.
During a recent webinar, Anne Neuberger, the deputy national security adviser for cyber and emerging technology and President Biden’s top cyber adviser, warned that the SolarWinds breach, while clearly a sophisticated espionage campaign designed to leave no trace, could “in a moment” become something more serious. Hackers could use that access to launch a destructive attack, or publicly release the data they stole, as when Russian intelligence agencies dumped broad troves of emails belonging to Democrats during the 2016 U.S. presidential election.
In a joint advisory Thursday morning, the National Security Agency, the FBI and the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency released technical details about vulnerabilities being exploited by the SVR, in order to allow affected companies and agencies to patch their software. The release focused on “publicly known vulnerabilities,” or flaws in code that have already been made public but that adversaries can continue exploiting when users fail to patch them.
The government’s Thursday announcement included sanctions against multiple companies involved in providing technical support or resources to the SVR, as well as the broader recommendation that anyone using software or hardware with ties to Russia reconsider that decision.
According to a senior administration official who spoke with journalists Thursday morning, the U.S. government has already mandated that the nine government agencies affected by the SolarWinds breach ramp up cybersecurity standards. The White House is also planning to move forward with other measures soon, including an executive order on protecting federal networks, which will require companies that sell software products to the U.S. government to do cybersecurity reviews and report breaches.
The SolarWinds breach has led to a debate about whether the NSA, which focuses on foreign networks, requires additional authority in order to monitor domestic networks so as to detect anomalous activity such as this breach. Without the initial identification of the breach by the cybersecurity company FireEye, which was among its victims, it’s unclear when the U.S. government would have learned of the vulnerability being exploited by the SVR.
While intelligence officials have told lawmakers they are not requesting additional authority to look into U.S. networks, NSA Director Paul Nakasone has made clear there is a “gap” in visibility that the agency needs to find ways around, in particular through partnership with the private sector. But it’s unclear whether additional visibility into U.S. networks would have allowed the NSA to detect the breach any sooner, experts have speculated, particularly because the DHS’s own systems tracking U.S. networks didn’t detect the well-disguised breach.
The announcement of formal attribution to the Russian intelligence service was accompanied by an announcement of broader U.S. government efforts to establish a framework for “responsible state behavior in cyberspace.”
The Biden White House, which has consistently stated it will respond to the SolarWinds hack at a time and place of its choosing, is reserving the right to take additional action in the future.
“We will continue to hold Russia accountable for its malicious cyber activities, such as the SolarWinds incident, by using all available policy and authorities,” it said in its statement Thursday.
Not all U.S. government actions against Russia on Thursday were made public. According to a second Biden administration official speaking to reporters on Thursday morning, the government is responding in ways “that will remain unseen.”