The Biden Administration announced a robust, coordinated series of punitive measures to confront Russia’s growing malign behaviour, including its massive hack of SolarWind's software, attempts to interfere with the 2020 elections, and other destructive deeds against the US.
The administration's actions levy financial sanctions on the country and the companies usually involved in malicious cyber activity against the US. It also exposes previously withheld details about the Russian ruling regime's digital and disinformation operations.
In addition to the White House, the National Security Agency (NSA), Federal Bureau of Investigation (FBI), Department of Homeland Security, and Treasury Department all play a role in the complex set of actions against Russia.
First, President Biden signed a new sanctions executive order that strengthens authorities to "impose costs in a strategic and economically impactful manner on Russia if it continues or escalates its destabilising international actions."
Under the EO, the Treasury Department is implementing multiple actions to target "aggressive and harmful activities" against the Russian government, including a directive that "generally prohibits US financial institutions from participating in the primary market for ruble or non-ruble denominated bond issued after June 14, 2021."
Treasury Department targets Russian security firms and state intel organisations
The Treasury Department targets companies operating in the tech sector that it believes supports Russian intelligence services, including several cybersecurity firms. The targeted companies include ERA Technolopolis; Pasit, AO (Pasit); Federal State Autonomous Scientific Establishment Scientific Research Institute Specialised Security Computing Devices and Automation (SVA); Neobit, OOO (Neobit); Advanced System Technology, A.O. (AST); and Pozitiv Teknolodzhiz, AO (Positive Technologies).
The Treasury actions also target Russian state organisations that have implemented some of the most significant adverse cyber actions of the past five years, such as the SolarWinds hack. The organisations include the top intelligence arms of Vladimir Putin’s government, including the Federal Security Service (FSB), Russia's Main Intelligence Directorate (GRU), and the Foreign Intelligence Service (SVR).
All properties in the US of either the companies or Russian organisations are blocked. All property and interests in property of these targeted groups in the possession or control of US persons are blocked. They must be reported to OFAC, Treasury's Office of Foreign Assets Control.
Simultaneous with the White House and Treasury announcements, the NSA, the Cybersecurity and Infrastructure Security Agency (CISA), and the FBI jointly released an advisory, "Russian SVR Targets US and Allied Networks," alongside proper attribution of the SolarWinds compromise to Russia. The advisory features additional tactics, techniques, and procedures being used by Russia's SVR so that network defenders can take action to mitigate against them.
The joint advisory encourages mitigation against a series of vulnerabilities involving Fortinet FortiGate VPN, Synacor Zimbra Collaboration Suite, Pulse Secure Pulse Connect Secure VPN, Citrix Application Delivery Controller, and Gateway and VMware Workspace ONE Access.
UK, NATO and EU embrace Biden's actions
Western nations echoed and embraced the White House moves. The UK government, for the first time, exposed its own details of the SVR's cyber program. NATO said its "allies support and stand in solidarity with the United States" regarding today's announced actions.
The European Union and its member states expressed "their solidarity with the United States on the impact of malicious cyber activities, notably the SolarWinds cyber operation which, the United States assesses, has been conducted by the Russian Federation."
"Certainly, this is a vast departure from the last administration that didn't really hold Russia accountable for a lot of transgressions," Christopher Painter, the former top diplomat for cybersecurity at the State Department, tells CSO. Biden's actions are "strategic; there's a recognition that maybe sanctions alone are not going to do it, but it's part of a larger group of efforts," he says. "This is a Russia-US issue. It's not just a cyber issue. We're going to act accordingly. I think that's significant."
"This wasn't just the US going it alone,” Painter continues. “This is very much true to form to what the Biden administration has talked about, working with partners, returning to multilateralism and having more of a collective response."
Trey Herr, director, Cyber Statecraft Initiative at the Atlantic Council, agrees. "This is the omnibus Russia EO we've been told was coming. It's encouraging to see the coordination of these sanctions with allies and particularly the inclusion of new partners in the Cyber Flag exercise," he said in a statement.
The Cyber Flag exercise is an event designed to improve US capabilities and resiliency in cyberspace. The administration said that the Department of Defence is taking steps to incorporate additional allies, including the UK, France, Denmark and Estonia, into Cyber Flag 21-1.
To help further recruit allies to counter malicious cyber activity, the administration plans to also develop a "first-of-its kind" course for policymakers worldwide on the policy and technical aspects of publicly attributing cyber incidents. The course will be inaugurated this year at the George C. Marshall Centre in Garmisch, Germany.
SolarWinds could have escalated into destruction, NSC says
One interesting aspect of the administration's strong response to the SolarWinds hack is the previous perception by most intelligence experts that Russia's compromise of SolarWinds falls into the category of “mere” espionage, which is something most nation-states, including the US, engage in routinely.
According to some reports, the National Security Council (NSC) said that it was worth sanctioning Russia even though the SolarWinds breach was espionage because the massive hack was overly broad in scope, could have escalated into a destructive attack, and burdened a lot of private sector defenders.
"I see nothing that would indicate that Russia meant to turn this onto a destructive attack," Painter says. "It was said as a justification, but that doesn't seem very convincing to me.
"I think they're saying espionage is fine, but when it gets too big, it's not fine. You can say that this kind of goes beyond the unwritten rules of the game. Frankly, if Russia found us in their systems like this, I think they'd respond, too."
"It's quite an escalation to have 60,000 victims with the intention of actually just targeting a much smaller group," Dr. Mike McGuire, senior lecturer in criminology at the University of Surrey and author of the just-released study sponsored by HP called Nation States, Cyberconflict and the Web of Profit, tells CSO.
"That's something that is potentially quite reckless. There have been instances of getting it wrong, like NotPetya, with repercussions trans-border. It didn't happen in this case, but it's still quite an escalation. When you're running malware on 60,000 corporate networks, intending to target a smaller number, there is always the opportunity for things to go wrong."
Cyber intrusions on the magnitude of SolarWinds "is something that the best cyber defence in the world is not going to prevent easily," Dr. Ian Pratt, global head of security at HP and co-author of the Web of Profit study, tells CSO. Moreover, unchecked supply chain attacks, even if they're merely espionage-oriented, could expand the canvas of digital wrongdoing.
"If nation-states cotton to the fact that you are going to hit them all the way down the supply chain, I don't know where that's going to lead. Cyber criminals will look at these supply chain attacks and say, 'that's an interesting, successful approach. Maybe we ought to be investigating it a little bit more as well.' And probably they already are," Pratt says.
In a late-afternoon statement from the East Room of the White House, President Biden mentioned a phone call he had with Russian President Putin earlier this week. "I made clear we would respond when we found out who had conducted the hack on the scale and scope we observed," he said. "I told him we would shortly be responding."
Regarding the EO and other associated actions, "I could have gone further, but I chose not to do so.” If Russia doesn't take heed, "I'm prepared to take further actions to respond," Biden warned.