SolarWinds: US and UK blame Russian intelligence service hackers for major cyberattack

US agencies NSA, FBI and CISA, along with the UK's NCSC, accuse 'Cozy Bear' Russian APT group of campaigns against SolarWinds. Organisations are urged to patch the five VPN and cloud vulnerabilities being exploited in ongoing attacks.
Written by Danny Palmer, Senior Writer

Hackers working for the Russian foreign intelligence service are behind the SolarWinds attack, cyber-espionage campaigns targeting COVID-19 research facilities and more, according to the United States and the United Kingdom.

The US accusation comes in a joint advisory by the National Security Agency (NSA), the Cybersecurity and Infrastructure Security Agency (CISA), and the Federal Bureau of Investigation (FBI), which also describes ongoing Russian Foreign Intelligence Service (SVR) exploitation of five publicly known vulnerabilities in VPN services.

The UK has also attributed the attacks to the Russian intelligence service.  


The supply chain attacks targeting IT management software company SolarWinds represented one of the biggest cybersecurity incidents in recent years, with hackers gaining access to the networks of tens of thousands of organisations around the world, including several US government agencies, as well as cybersecurity companies including FireEye and Mimecast.

Now the US has publicly attributed the SolarWinds attacks to Russian Foreign Intelligence Service (SVR) actors -- also known as APT29, Cozy Bear, and The Dukes by cybersecurity researchers -- along with additional campaigns, including malware attacks targeting facilities behind COVID-19 vaccine development.

The five vulnerabilities being targeted by cyber attackers are:

Security patches are available to fix each of the vulnerabilities and organisations yet to apply them to their network are urged to do so as soon as possible in order to prevent further attacks.


"NSA, CISA, and FBI strongly encourage all cybersecurity stakeholders to check their networks for indicators of compromise related to all five vulnerabilities and the techniques detailed in the advisory and to urgently implement associated mitigations," said the cybersecurity advisory.


The attribution of the SolarWinds attack comes as the Biden administration issued sanctions against Russia in response to what's described as "harmful activities by the Government of the Russian Federation". The financial sanctions specifically mention "malicious" cyber activities by Russian actors, including the SolarWinds cyber attack.  

The UK has also called out the attacks targeting SolarWinds, and is urging organisations to take note, with the National Cyber Security Centre (NCSC) assessing that it's highly likely the SVR was responsible for gaining unauthorised access to SolarWinds 'Orion' software.


"The UK and US are calling out Russia's malicious behaviour, to enable our international partners and businesses at home to better defend and prepare themselves against this kind of action," said UK foreign secretary Dominic Raab.  

A recent alert by the UK's National Cyber Security Centre (NCSC) warned users who hadn't yet applied the security patch for the Fortinet FortiGate vulnerability -- a patch released in 2019 -- to assume their network has been compromised by cyber attackers and to take the necessary remedial action.
