It was Russia wot did it: SolarWinds hack was done by Kremlin's APT29 crew, say UK and US (Security News, April 2021)

Russia's infamous APT29, aka Cozy Bear, was behind the SolarWinds Orion attack, the US and UK governments said today, as America slapped sanctions on Russian infosec companies and expelled diplomats from Russia's embassy in the US.
"The Russian Intelligence Services' third arm, the SVR, is responsible for the 2020 exploit of the SolarWinds Orion platform and other information technology infrastructures. This intrusion compromised thousands of US government and private sector networks," said the US Treasury.
The US Defence Department added: "Recent Russian SVR activities include compromising SolarWinds Orion software updates, targeting COVID-19 research facilities through deploying WellMess malware, and leveraging a VMware vulnerability that was a zero-day at the time for follow-on Security Assertion Markup Language authentication abuse."
Paul Prudhomme, head of Threat Intelligence Advisory at threat intel biz IntSights, told The Register: "The attribution of the SolarWinds supply chain attack campaign to a state-sponsored Russian cyber espionage group is credible, as the high levels of sophistication, tradecraft, and stealth in that campaign were consistent with that of such Russian groups. It nonetheless remains unclear what specific data points enabled the attribution to the Russian APT29 in particular with such a high level of confidence."
The US has sanctioned five Russian cyber security companies for their involvement with the Russian state's cyber attacks against the West.
"Positive Technologies provides computer network security solutions to Russian businesses, foreign governments, and international companies and hosts large-scale conventions that are used as recruiting events for the FSB and GRU," said the US Treasury.