Britain has accused Russia‘s foreign intelligence agency of responsibility for a major cyber attack affecting thousands of organisations in the West.
The Foreign, Commonwealth and Development Office (FCDO) said it had been assessed that it was ‘highly likely’ that the SVR was behind the so-called SolarWinds hack.
It came as Joe Biden said he was expelling 10 Russian diplomats in response to the Kremlin’s targeting of federal agencies and attempts to interfere in last year’s presidential election.
Foreign Secretary Dominic Raab said the UK and US were determined to stand together against what he described as Russia’s ‘malign behaviour’.
Foreign Secretary Dominic Raab said the UK and US were determined to stand together against what he described as Russia’s ‘malign behaviour’
How hackers used legitimate software to carry out ‘biggest hack in US history’
The US Cybersecurity and Infrastructure Security Agency has released an alert detailing what it knows about the breach.
CISA says that hackers were able to compromise the supply chain of network management software from SolarWinds, specifically recent versions of the SolarWinds Orion products.
Beginning in March 2020, hackers used SolarWinds software updates to install a secret network backdoor, which authorities are calling SUNBURST.
The malicious code was signed by the legitimate SolarWinds code signing certificate. An estimated 18,000 customers downloaded the compromised updates.
Once installed on a network, the malware used a protocol designed to mimic legitimate SolarWinds traffic to communicate with a domain that has since been seized and shut down.
The initial contact domain would often direct the malware to a new internet protocol (IP) address for command and control. The attackers used rotating IPs and virtual private servers with IP addresses in the target’s home country to make detection of the traffic more difficult.
‘Taken together, these observed techniques indicate an adversary who is skilled, stealthy with operational security, and is willing to expend significant resources to maintain covert presence,’ CISA said in the alert.
‘We see what Russia is doing to undermine our democracies,’ he said in a statement.
‘The UK and US are calling out Russia’s malicious behaviour, to enable our international partners and businesses at home to better defend and prepare themselves against this kind of action.
‘The UK will continue to work with allies to call out Russia’s malign behaviour where we see it.’
The compromise of the SolarWinds IT services firm – discovered last December – is thought to represent one of the most serious cyber espionage attacks suffered by the US.
Russian hackers are believed to have infected its widely used Orion software with a malicious code enabling them to access the systems of at least nine US agencies and 18,000 organisations worldwide, including Nato and the European Parliament.
The FCDO said the impact in the UK had been assessed by the National Cyber Security Centre (NCSC) – part of GCHQ – as ‘low’ with a ‘low single digit number’ of public sector bodies having been targeted.
It said the Government had been working with the affected organisations to ensure they were ‘rapidly mitigated’.
According to the NCSC assessment, the attack was carried out by a group of hackers known as Cozy Bear or The Dukes, which the FCDO said were linked to the SVR.
It said that it was part of a ‘wider pattern of cyber intrusions’ by the Russian spy agency dating back at least a decade.
In addition to the expulsion of the diplomats, the US administration said it was imposing sanctions on six Russian companies which supported Moscow’s cyber activities and 32 individuals and entities accused of attempting to interfere in last year’s presidential election.
A further eight people and entities linked to Russia’s occupation of Crimea also face sanctions.
US Secretary of State Antony Blinken said: ‘These actions are intended to hold Russia to account for its reckless actions. We will act firmly in response to Russian actions that cause harm to us or our allies and partners.’
The FCDO said the impact in the UK had been assessed by the National Cyber Security Centre (NCSC) – part of GCHQ (pictured) – as ‘low’ with a ‘low single digit number’ of public sector bodies having been targeted
In response, Russian Foreign Ministry spokeswoman Maria Zakharova warned that America’s ‘aggressive behaviour’ would ‘undoubtedly trigger a resolute retaliation’.
‘Washington should realise that it will have to pay a price for the degradation of the bilateral ties,’ she said. ‘The responsibility for that will fully lie with the United States.’
She said the foreign ministry had summoned the US ambassador for a ‘hard conversation’ but gave no further details of what actions would follow.
The latest exchanges come amid rising tension between Washington and Moscow following a build-up of Russian forces on the border with Ukraine – seen by some analysts as an attempt by the Kremlin to test the resolve of the new US president.
In a telephone call earlier this week, Mr Biden warned Russian President Vladimir Putin that the US would ‘act firmly in defence of its national interests’.