Hackers working for the Russian foreign intelligence service are behind the SolarWinds attack, cyber espionage campaigns targeting Covid-19 research facilities and more, according to the United States and the United Kingdom.
The US accusation comes in a joint advisory by the National Security Agency (NSA), the Cybersecurity and Infrastructure Security Agency (CISA), and the Federal Bureau of Investigation (FBI), which also describes ongoing Russian Foreign Intelligence Service (SVR) exploitation of five publicly known vulnerabilities in widely deployed VPN, collaboration and identity products.
The UK has also attributed the attacks to the Russian intelligence service.
The supply chain attack on IT management software company SolarWinds was one of the biggest cybersecurity incidents in recent years: a trojanised update to SolarWinds' Orion platform delivered a backdoor to roughly 18,000 customer networks around the world, and the attackers then selected a much smaller set of those victims for follow-on intrusion, including several US government agencies and cybersecurity companies such as FireEye and Mimecast.
Now the US has publicly attributed the SolarWinds attacks to Russian Foreign Intelligence Service (SVR) actors — also known as APT29, Cozy Bear, and The Dukes by cybersecurity researchers — along with additional campaigns, including malware attacks targeting facilities behind Covid-19 vaccine development.
The five vulnerabilities being targeted by the attackers are:
- CVE-2018-13379 Fortinet FortiGate SSL VPN (path traversal in the FortiOS SSL VPN web portal that exposes session credentials)
- CVE-2019-9670 Synacor Zimbra Collaboration Suite (XML external entity injection in the mailboxd component)
- CVE-2019-11510 Pulse Secure Pulse Connect Secure VPN (pre-authentication arbitrary file read)
- CVE-2019-19781 Citrix Application Delivery Controller and Gateway (directory traversal leading to remote code execution)
- CVE-2020-4006 VMware Workspace ONE Access (command injection in the administrative configurator)
Security patches are available for each of the vulnerabilities, and organisations that have not yet applied them are urged to do so as soon as possible. Because all five flaws have been exploited in the wild for some time, patching alone is not enough: devices that were exposed while unpatched should also be checked for signs of earlier compromise, and any credentials or sessions they held should be treated as potentially stolen.
“NSA, CISA, and FBI strongly encourage all cybersecurity stakeholders to check their networks for indicators of compromise related to all five vulnerabilities and the techniques detailed in the advisory and to urgently implement associated mitigations,” said the cybersecurity advisory.
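The first practical step the advisory asks for is knowing which of your own appliances still run an affected build. As an added example that is not part of the advisory or the article, the script below compares appliance versions from a simple inventory against affected version ranges. Appliance version strings use different vendor formats (FortiOS `6.0.4`, Pulse Connect Secure `9.0R3.4`, Citrix ADC `13.0-47.24`), so the comparison tokenises every run of digits rather than assuming dotted semantic versions. The inventory is constructed sample data, and the affected/fixed thresholds are assumptions entered for illustration: confirm them against each vendor's advisory before relying on them, and extend the table for CVE-2019-9670 and CVE-2020-4006 (the latter was delivered as a hotfix rather than a new version, so a version check alone cannot prove it is applied).

```python
"""Triage an appliance inventory against affected version ranges.

Added example; not code from the NSA/CISA/FBI advisory. The ranges in
AFFECTED are assumptions for illustration and must be verified against
the vendor advisories (they are easy to get wrong per branch).
"""
from __future__ import annotations

import re
from dataclasses import dataclass


def version_key(version: str) -> tuple[int, ...]:
    """Turn a vendor version string into a comparable tuple of integers.

    Every run of digits becomes one field, so '6.0.4' -> (6, 0, 4),
    '9.0R3.4' -> (9, 0, 3, 4) and '13.0-47.24' -> (13, 0, 47, 24).
    """
    return tuple(int(x) for x in re.findall(r"\d+", version))


@dataclass(frozen=True)
class AffectedRange:
    cve: str
    product: str
    first_affected: str  # inclusive; the start of the affected branch
    first_fixed: str     # exclusive; the build that carries the fix

    def covers(self, version: str) -> bool:
        key = version_key(version)
        return version_key(self.first_affected) <= key < version_key(self.first_fixed)


# Assumed thresholds, per release branch. Verify against vendor advisories.
AFFECTED = [
    AffectedRange("CVE-2018-13379", "FortiOS", "5.4.6", "5.4.13"),
    AffectedRange("CVE-2018-13379", "FortiOS", "5.6.3", "5.6.8"),
    AffectedRange("CVE-2018-13379", "FortiOS", "6.0.0", "6.0.5"),
    AffectedRange("CVE-2019-11510", "Pulse Connect Secure", "8.1R1", "8.1R15.1"),
    AffectedRange("CVE-2019-11510", "Pulse Connect Secure", "8.2R1", "8.2R12.1"),
    AffectedRange("CVE-2019-11510", "Pulse Connect Secure", "8.3R1", "8.3R7.1"),
    AffectedRange("CVE-2019-11510", "Pulse Connect Secure", "9.0R1", "9.0R3.4"),
    AffectedRange("CVE-2019-19781", "Citrix ADC", "10.5", "10.5-70.12"),
    AffectedRange("CVE-2019-19781", "Citrix ADC", "11.1", "11.1-63.15"),
    AffectedRange("CVE-2019-19781", "Citrix ADC", "12.0", "12.0-63.13"),
    AffectedRange("CVE-2019-19781", "Citrix ADC", "12.1", "12.1-55.18"),
    AffectedRange("CVE-2019-19781", "Citrix ADC", "13.0", "13.0-47.24"),
]

# Constructed sample inventory (hostnames and versions are made up).
INVENTORY = [
    {"host": "vpn-a", "product": "FortiOS", "version": "6.0.4"},
    {"host": "vpn-b", "product": "FortiOS", "version": "6.0.5"},
    {"host": "vpn-c", "product": "FortiOS", "version": "5.4.2"},
    {"host": "pcs-a", "product": "Pulse Connect Secure", "version": "9.0R3.3"},
    {"host": "pcs-b", "product": "Pulse Connect Secure", "version": "9.1R1"},
    {"host": "adc-a", "product": "Citrix ADC", "version": "12.1-55.13"},
    {"host": "adc-b", "product": "Citrix ADC", "version": "13.0-47.24"},
]


def scan(inventory: list[dict], ranges: list[AffectedRange] = AFFECTED) -> list[tuple[str, str]]:
    """Return (host, cve) pairs for every inventory entry on an affected build.

    A host is reported once per CVE even if several branch rows match.
    """
    findings: list[tuple[str, str]] = []
    for item in inventory:
        for rng in ranges:
            if rng.product != item["product"]:
                continue
            pair = (item["host"], rng.cve)
            if rng.covers(item["version"]) and pair not in findings:
                findings.append(pair)
    return findings


if __name__ == "__main__":
    for host, cve in scan(INVENTORY):
        print(f"{host}: affected by {cve}; patch and check for prior compromise")
```

Hosts reported here should be patched and then examined for indicators of compromise from the advisory, because a vulnerable build that was exposed before today may already have been used. A host that is not reported is only as trustworthy as the threshold table and the inventory behind it.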
The attribution of the SolarWinds attack comes as the Biden administration issued sanctions against Russia in response to what’s described as “harmful activities by the Government of the Russian Federation”. The financial sanctions specifically mention “malicious” cyber activities by Russian actors, including the SolarWinds cyber attack.
The UK has also called out the attacks targeting SolarWinds, and is urging organisations to take note, with the National Cyber Security Centre (NCSC) assessing that it’s highly likely the SVR was responsible for gaining unauthorised access to SolarWinds ‘Orion’ software.
“The UK and US are calling out Russia’s malicious behaviour, to enable our international partners and businesses at home to better defend and prepare themselves against this kind of action,” said Foreign Secretary Dominic Raab.
A recent alert by the UK's National Cyber Security Centre (NCSC) warned organisations that had still not applied the fix for the Fortinet FortiGate vulnerability, a patch Fortinet released in 2019, to assume that their network had already been compromised and to respond accordingly, including resetting the credentials the VPN could have exposed.