Biden Admin Names 6 Russian Tech Firms Aiding Gov’t Hackers

The six companies are accused by the U.S. Treasury Department of providing expertise, developing tools and infrastructure, and facilitating malicious cyberattacks on behalf of Russian Intelligence Services.

The Biden administration issued sanctions against six Russian technology companies for helping the country’s intelligence agencies carry out malicious cyber activities including the SolarWinds hack.

The private and state-owned companies were accused Thursday by the U.S. Department of the Treasury of enabling the Russian Intelligence Services’ cyber activities. The six companies support the Russian Federal Security Service (FSB), Main Intelligence Directive (GRU) and Foreign Intelligence Service (SVR) by providing expertise, developing tools and infrastructure, and facilitating malicious cyberattacks.

“The U.S. Department of the Treasury is announcing sanctions against … companies that support the malign activities of the Russian intelligence services responsible for the SolarWinds intrusion and other recent cyber incidents,” Antony Blinken, U.S. Secretary of State, said in a press statement Thursday. “These sanctions will serve to reduce Russian resources available to carry out similar malign activities.”

[Related: U.S. Plans Russian Sanctions For SolarWinds Breach: Report]

The six Russian tech companies sanctioned by the U.S. Treasury Department are: Positive Technologies; AST; Neobit; Pasit; SVA; and ERA Technopolis. Positive Technologies is accused of hosting large-scale conventions that are used as recruiting events for the FSB and GRU and providing network security solutions to foreign governments, Russian businesses and Russian government clients, including the FSB.

AST allegedly provided technical support to cyber operations conducted by the FSB, GRU and SVR, and counts the Russian Ministry of Defense, SVR and FSB among its client base, the Treasury Department said. Meanwhile, Neobit conducted research and development in support of the cyber operations conducted by the FSB, GRU, and SVR, and has the Russian Ministry of Defense as a client, Treasury said.

Treasury accused Pasit of conducting research and development in support of the SVR’s malicious cyber operations, and SVA of conducting research and development in support of the SVR’s malicious cyber operations. SVA is a Russian state-owned research institute specializing in advanced systems for information security, according to the U.S. Treasury Department.

Finally, Russian Ministry of Defense operated ERA Technopolis stands accused of housing and supporting GRU units responsible for offensive cyber and information operations. The research center and technology park leverages the personnel and expertise of the Russian technology sector to develop military and dual-use technologies, according to the U.S. Treasury Department.

“We will continue to hold Russia accountable for its malicious cyber activities, such as the SolarWinds incident, by using all available policy and authorities,” the White House wrote in a statement Thursday. The Biden administration also formally named the SVR - also known as APT 29 or Cozy Bear – at the perpetrator of the SolarWinds hacking campaign, which disrupted more than 16,000 computer systems.

The SVR’s compromise of SolarWinds highlights the risk posed by Russia’s effort to target companies worldwide through supply chain exploitation, according to the White House. The colossal hack should serve as a warning about the risks of using technology supplied by companies that operate or store user data in Russia or rely on software development or remote technical support from personnel in Russia.

The U.S. government is evaluating whether to take further action under a May 2019 executive order to better protect America’s supply chain from further exploitation by Russia, according to the White House.

“The SVR has put at risk the global technology supply chain by allowing malware to be installed on the machines of tens of thousands of SolarWinds’ customers,” the U.S. Treasury Department wrote. “This incident will cost businesses and consumers in the United State and worldwide millions of dollars to fully address.”

The SVR has exploited five publicly known software vulnerabilities to gain initial footholds on victim devices are networks, according to a joint cybersecurity advisory issued Thursday by the National Security Agency (NSA), Cybersecurity and Infrastructure Security Agency (CISA), and the FBI. From there, the SVR scans vulnerable systems to obtain authentication credentials that allow further access.

The first vulnerability being actively exploited by SVR actors can be found in certain versions of Fortinet FortiOS and allows unauthenticated attackers to download system files via special crafted HTTP resource requests. The second is an External Entity injection (XXE) vulnerability found in the Synacor Zimbra Collaboration Suite, according to the NSA, CISA and the FBI.

The third vulnerability is found in some versions of Pulse Connect Secure and allows unauthenticated remote attackers to perform arbitrary file reads. The fourth is found is certain versions of Citrix Application Delivery Controller and Gateway and allows directory traversal. And the fifth is a command injection vulnerability in VMware Workspace One Access, Access Connector, and Identity Manager.

“Mitigation against these vulnerabilities is critically important as U.S. and allied networks are constantly scanned, targeted, and exploited by Russian state-sponsored cyber actors,” the FBI wrote in a press release Thursday. “We are publishing this product to highlight additional tactics, techniques, and procedures being used by SVR so that network defenders can take action to mitigate against them.”

A Fortinet spokesperson told CRN that the security of its customers is the company’s first priority. “If customers have not done so, we urge them to immediately implement the upgrade and mitigations,” Fortinet said.

Ivanti bought Pulse Secure in December 2020 for a reported $530 million, and said it regularly works with Pulse Secure customers to rapidly install available patches that address previously known vulnerabilities. VMware said it issued a security patch for the Workspace ONE vulnerability on Dec. 3, 2020, and encourages all customers to apply the latest product updates, security patches and mitigations.

Synacor and Citrix didn’t respond to CRN requests for comment.