It was Russia wot did it: SolarWinds hack was done by Kremlin's APT29 crew, say UK and US

And Positive Technologies has been slapped with American sanctions

Russia’s infamous APT 29, aka Cozy Bear, was behind the SolarWinds Orion attack, the US and UK governments said today as America slapped sanctions on Russian infosec companies as well as expelling diplomats from that country’s US embassy.

One of the sanctioned companies is Positive Technologies, familiar in the West for, among other things, in-depth research exposing vulnerabilities in Intel’s hardware security architecture.

Formal attribution of the SolarWind hacks, echoing tentative findings made by Kaspersky Lab, came in a US Treasury Department statement issued this afternoon.

The compromise saw Russian state intelligence operatives carefully compromise the build systems of SolarWinds’ network monitoring software Orion to distribute a backdoor into its 18,000 customers. Those customers included the UK and US governments, among many others.

We see what Russia is doing to undermine our democracies

“The Russian Intelligence Services’ third arm, the SVR, is responsible for the 2020 exploit of the SolarWinds Orion platform and other information technology infrastructures. This intrusion compromised thousands of US government and private sector networks,” said the US Treasury.

The American attribution was echoed by the British government with Foreign Secretary Dominic Raab saying in a statement: “We see what Russia is doing to undermine our democracies. The UK and US are calling out Russia’s malicious behaviour, to enable our international partners and businesses at home to better defend and prepare themselves against this kind of action.”

The US Defence Department added: "Recent Russian SVR activities include compromising SolarWinds Orion software updates, targeting COVID-19 research facilities through deploying WellMess malware, and leveraging a VMware vulnerability that was a zero-day at the time for follow-on Security Assertion Markup Language (SAML) authentication abuse."

The NCSC also said in a public statement that “the overall impact on the UK of the SVR’s exploitation of this software is low.” Government departments have refused to even talk about the impact of the Orion compromise despite it being in widespread use around Whitehall and further afield, lending credibility to the notion that was more widely hit by the breach than it wants to admit.

Illustration of missiles with the US and Russian flags

US nuke agency hacked by suspected Russian SolarWinds spies, Microsoft also installed backdoor


Paul Prudhomme, head of Threat Intelligence Advisory at threat intel biz IntSights told The Register: “The attribution of the SolarWinds supply chain attack campaign to a state-sponsored Russian cyber espionage group is credible, as the high levels of sophistication, tradecraft, and stealth in that campaign were consistent with that of such Russian groups. It nonetheless remains unclear what specific data points enabled the attribution to the Russian APT29 in particular with such a high level of confidence."

Positive Technologies sanctions

The US has sanctioned five Russian cyber security companies for their involvement with the Russian state’s cyber attacks against the West. Chief among those is Positive Technologies, which has a fair-sized UK presence and targets the telecoms industry among other sectors.

“Positive Technologies provides computer network security solutions to Russian businesses, foreign governments, and international companies and hosts large-scale conventions that are used as recruiting events for the FSB and GRU,” said the US Treasury.

Its international biz website says it was "spun out from the telecom division of Positive Technologies in 2019, as a separate business entity based out of Switzerland and headquartered in the United Kingdom."

The firm has a global presence and has seemingly played down its Russian roots in the West, though a corporate slide deck on its website states it was founded with six employees in Moscow in 2002, originating from the old Xspider antivirus tool.

The company has also carried out legitimate security research in accordance with Western norms and which it has published for all to read; many of those were covered on The Register, including probing of rival Russian infosec firm Kaspersky’s security software and longstanding vulns in GPRS, the 2G data transmission protocol.

One area Positive has special interest in within the UK is telecoms, raising fears of a second Huawei-style situation emerging as a sanctioned company finds itself in the middle of a political bunfight. We have asked all of the UK’s mobile network operators whether they are customers of Positive and will be reporting further if the answer is "yes."

We have asked Positive for comment on the sanctions and will update this article when it responds.

Other sanctioned outfits included ERA Technopolis, aka Pasit; Neobit, an infosec firm which was also the alma mater for a Russian spy who sneaked into Microsoft back in 2010; the Russian state compsci research institution; and a Russian business called Advanced System Technology AO.

US persons are banned from doing business with any of the above. ®

Similar topics

Narrower topics

Other stories you might like

  • Experts: AI should be recognized as inventors in patent law
    Plus: Police release deepfake of murdered teen in cold case, and more

    In-brief Governments around the world should pass intellectual property laws that grant rights to AI systems, two academics at the University of New South Wales in Australia argued.

    Alexandra George, and Toby Walsh, professors of law and AI, respectively, believe failing to recognize machines as inventors could have long-lasting impacts on economies and societies. 

    "If courts and governments decide that AI-made inventions cannot be patented, the implications could be huge," they wrote in a comment article published in Nature. "Funders and businesses would be less incentivized to pursue useful research using AI inventors when a return on their investment could be limited. Society could miss out on the development of worthwhile and life-saving inventions."

    Continue reading
  • Declassified and released: More secret files on US govt's emergency doomsday powers
    Nuke incoming? Quick break out the plans for rationing, censorship, property seizures, and more

    More papers describing the orders and messages the US President can issue in the event of apocalyptic crises, such as a devastating nuclear attack, have been declassified and released for all to see.

    These government files are part of a larger collection of records that discuss the nature, reach, and use of secret Presidential Emergency Action Documents: these are executive orders, announcements, and statements to Congress that are all ready to sign and send out as soon as a doomsday scenario occurs. PEADs are supposed to give America's commander-in-chief immediate extraordinary powers to overcome extraordinary events.

    PEADs have never been declassified or revealed before. They remain hush-hush, and their exact details are not publicly known.

    Continue reading
  • Stolen university credentials up for sale by Russian crooks, FBI warns
    Forget dark-web souks, thousands of these are already being traded on public bazaars

    Russian crooks are selling network credentials and virtual private network access for a "multitude" of US universities and colleges on criminal marketplaces, according to the FBI.

    According to a warning issued on Thursday, these stolen credentials sell for thousands of dollars on both dark web and public internet forums, and could lead to subsequent cyberattacks against individual employees or the schools themselves.

    "The exposure of usernames and passwords can lead to brute force credential stuffing computer network attacks, whereby attackers attempt logins across various internet sites or exploit them for subsequent cyber attacks as criminal actors take advantage of users recycling the same credentials across multiple accounts, internet sites, and services," the Feds' alert [PDF] said.

    Continue reading

Biting the hand that feeds IT © 1998–2022