On April 15, 2021, the Biden Administration took a significant step in announcing sanctions against the Russian Government and private Russian entities for multiple internationally-destabilizing activities, including the Russian Foreign Intelligence Service’s (SVR) supply chain attack of the SolarWinds Orion platform and other technology infrastructures.
In addition to the sanctions, the Administration also provided practical technical guidance for companies to harden their networks against current Russian attacks through a joint advisory from the National Security Agency (NSA), the Cybersecurity & Infrastructure Security Agency (CISA), and the Federal Bureau of Investigation (FBI).
It will take time (and further analysis) for companies to fully unpack and implement the technical guidance in the joint advisory. But the sanctions alone may be a bellwether for the Biden Administration’s approach to cybersecurity enforcement on the international stage.
The Administration expressly links this activity to Russian intelligence actors. Citing “high confidence” from the U.S. Intelligence Community, the United States formally identified SVR as the source of the SolarWinds supply chain attack. This follows the example set by the Trump Administration when it identified the 2017 NotPetya attacks as originating from Russia’s military intelligence services. Affirmatively linking the activity to a specific nation state, however, furthers another goal of the Biden Administration’s sanctions: it focuses efforts to “incorporate additional allies, including the UK, France, Denmark, and Estonia” for a “global cybersecurity approach.” In other words, the Biden Administration appears to believe it is easier to build a coalition of allies when there is a clear, known common opponent.
The Administration confirms the massive scope of SVR’s activities. It states the SolarWinds Orion vulnerability gave the SVR the ability to spy on more than 16,000 computer systems worldwide. It also links the SVR’s activities to five additional vulnerabilities discovered in other well-known products from the virtualization, VPN, and network infrastructure sectors. While it does not provide numbers associated with these additional vulnerabilities, the expansion of the number of vulnerabilities associated with the SVR indicates an even more far-reaching attack than originally believed.
These sanctions are for cyber espionage activity – a new sanctions trigger in the cyber arena. While lumped in with election destabilization and other international activities, the bulk of the sanctions are ostensibly a reaction to the SolarWinds attack and related cybersecurity concerns. However, unlike NotPetya or other damaging cyber-attacks, SolarWinds was an espionage operation rather than an operation designed to disrupt or damage global systems. And past administrations have tried to promote international agreement that while theft or damage might prompt sanctions, pure cyber espionage would not. While the Administration tries to emphasize that the SolarWinds attack allowed the SVR to “potentially disrupt” global computer systems, meaning this compromise was both a “national security and public safety concern,” it does not point to any actual disruption. Rather, the Biden Administration sees the disruption as the cost borne by private industry to clean up and remediate the attack. Regardless, it seems the attacker’s goals were information gathering, not damaging or disrupting government and private networks.