U.S. government formally blames Russian spies for SolarWinds breach

Jenna McLaughlin
·National Security and Investigations Reporter
·4 min read

WASHINGTON — The White House Thursday morning accused the Russian Foreign Intelligence Service, or SVR, of orchestrating the recent massive breach that affected private sector networks and U.S. government agencies through the popular IT monitoring software made by SolarWinds.

The statement linking the SVR’s hacking group, also known as “Cozy Bear,” to the “broad-scope cyber espionage campaign” is the most concrete connection the Biden administration has made between the hack and Russia. The damage was first uncovered in the final days of the Trump administration, which described the attack as “likely Russian.”

The SolarWinds logo is seen outside its headquarters in Austin, Texas, U.S., December 18, 2020. (Sergio Flores/Reuters)
SolarWinds headquarters in Austin, Texas. (Sergio Flores/Reuters)

“The SVR’s compromise of the SolarWinds software supply chain gave it the ability to spy on or potentially disrupt more than 16,000 computer systems worldwide,” according to the White House statement, which also included a number of measures directed against the Russian government for a range of malign activities in addition to the SolarWinds breach. “The scope of this compromise is a national security and public safety concern,” the White House said.

According to the White House, the U.S. intelligence community, which has been investigating the breach, has “high confidence” that the SVR is the culprit. That's the strongest level of certainty the community uses in describing its assessments.

During a recent webinar, Anne Neuberger, the deputy national security adviser for cyber and emerging technology and President Biden’s top cyber adviser, warned that the SolarWinds breach, while clearly a sophisticated espionage campaign designed to leave no trace, could “in a moment” become something more serious. Hackers could use that access to launch a destructive attack, or publicly release the data they stole, as when Russian intelligence agencies dumped broad troves of emails belonging to Democrats during the 2016 U.S. presidential election.

In a joint advisory Thursday morning, the National Security Agency, the FBI and the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency released technical details about vulnerabilities being exploited by the SVR, in order to allow affected companies and agencies to patch their software. The release focused on “publicly known vulnerabilities,” or flaws in code that have already been made public but that adversaries can continue exploiting when users fail to patch them.

Deputy National Security Advisor for Cyber and Emerging Technology, Anne Neuberger, speaks during a press briefing on February 17, 2021, in the Brady Briefing Room of the White House in Washington, DC. (Saul Loeb/AFP via Getty Images)
Anne Neuberger, deputy national security adviser for cyber and emerging technology, at a press briefing on Feb. 17. (Saul Loeb/AFP via Getty Images)

The government's Thursday announcement included sanctions against multiple companies involved in providing technical support or resources to the SVR, as well as the broader recommendation that anyone using software or hardware with ties to Russia reconsider that decision.

According to a senior administration official who spoke with journalists Thursday morning, the U.S. government has already mandated that the nine government agencies affected by the SolarWinds breach ramp up cybersecurity standards. The White House is also planning to move forward with other measures soon, including an executive order on protecting federal networks, which will require companies that sell software products to the U.S. government to do cybersecurity reviews and report breaches.

The SolarWinds breach has led to a debate about whether the NSA, which focuses on foreign networks, requires additional authority in order to monitor domestic networks so as to detect anomalous activity such as this breach. Without the initial identification of the breach by the cybersecurity company FireEye, which was among its victims, it’s unclear when the U.S. government would have learned of the vulnerability being exploited by the SVR.

While intelligence officials have told lawmakers they are not requesting additional authority to look into U.S. networks, NSA Director Paul Nakasone has made clear there is a “gap” in visibility that the agency needs to find ways around, in particular through partnership with the private sector. But it’s unclear whether additional visibility into U.S. networks would have allowed the NSA to make quicker detection regardless, experts have speculated, particularly because the DHS’s own systems tracking U.S. networks didn’t detect the well-disguised breach.

The announcement of formal attribution to the Russian intelligence service was accompanied by an announcement of broader U.S. government efforts to establish a framework for “responsible state behavior in cyberspace.”

U.S. President Joe Biden speaks from the Treaty Room in the White House about the withdrawal of U.S. troops from Afghanistan on April 14, 2021 in Washington, DC. (Andrew Harnik-Pool/Getty Images)
President Biden speaks from the White House on Wednesday about the withdrawal of U.S. troops from Afghanistan. (Andrew Harnik-Pool/Getty Images)

The Biden White House, which has consistently stated it will respond to the SolarWinds hack at a time and place of its choosing, is reserving the right to take additional action in the future.

“We will continue to hold Russia accountable for its malicious cyber activities, such as the SolarWinds incident, by using all available policy and authorities,” it said in its statement Thursday.

Not all U.S. government actions against Russia on Thursday were made public. According to a second Biden administration official speaking to reporters on Thursday morning, the government is responding in ways “that will remain unseen.” 


Read more from Yahoo News: