SolarWinds Hackers Stole US Sanctions Data – Report


SolarWinds hackers linked to Russia’s SVR intelligence service sought information on US sanctions policies and American counter-intelligence operations

The suspected Russian hackers who used software from SolarWinds and Microsoft had specific goals to seek out sensitive data from the US government.

This is according to a Reuters report, which cited people involved in the investigation as its source. Officials in the United States blame Russia’s SVR foreign intelligence service for the SolarWinds hack.

The SVR had already been identified earlier this year as responsible, since it is linked to APT29, also known as Cozy Bear, the group thought to be behind the attack.

Russian hackers

The SVR hackers successfully penetrated US government agencies last year in order to gather data about US counter-intelligence investigations, the US policies on sanctioning Russian individuals, and the country’s response to Covid-19, Reuters reported.

Until now, little has been disclosed as to what the hackers were actually seeking.

Matters have not been helped by the reluctance of some publicly traded companies to explain their exposure.

There is no doubt the campaign alarmed US officials with its sophistication, stealth and careful staging – all classic signs of nation-state involvement.

It has been previously reported that the hackers breached unclassified Justice Department networks and read emails at the Departments of Treasury, Commerce and Homeland Security.

Nine federal agencies were breached in total.

Specific data

The hackers also reportedly stole digital certificates, which are used to convince computers that software is authorised to run on them, as well as source code from Microsoft and other tech companies.

One of the people involved told Reuters that the exposure of counter-intelligence matters being pursued against Russia was the worst of the losses.

In an annual threat-review paper released on Thursday, Microsoft reportedly said the Russian spies were ultimately looking for government material on sanctions and other Russia-related policies, along with US methods for catching Russian hackers.

Cristin Goodwin, general manager of Microsoft’s Digital Security Unit, said the company drew its conclusions from the types of customers and accounts it saw being targeted.

In such cases, she told Reuters, “You can infer the operational aims from that.”

Others who worked on the government’s investigation went further, and told Reuters they could see the terms that the Russians used in their searches of US digital files, including “sanctions.”

Chris Krebs, the former head of US cyber-defense agency CISA and now an adviser to SolarWinds and other companies, said the combined descriptions of the attackers’ goals were logical.

“If I’m a threat actor in an environment, I’ve got a clear set of objectives. First, I want to get valuable intelligence on government decision-making. Sanctions policy makes a ton of sense,” Krebs was quoted as saying.

The second thing is to learn how the target responds to attacks, or “counter-incident response,” he reportedly said: “I want to know what they know about me so I can improve my tradecraft and avoid detection.”

SolarWinds compromise

The SolarWinds issue began last year, when the hackers inserted backdoor code into SolarWinds’ Orion platform in March 2020 (or possibly earlier according to one US senator).

The hackers then used this backdoor to access the systems of at least half a dozen US federal agencies, as well as potentially thousands of private firms, before the attack was discovered in December 2020.

In March 2021 it was revealed that the SolarWinds hackers had even obtained access to the then-head of the US Department of Homeland Security and members of the department’s cybersecurity staff.

The full scale of the US government compromise is still being investigated, but just before Christmas 2020, US Senator Ron Wyden revealed that dozens of email accounts at the US Treasury Department had been compromised.

Microsoft also admitted that the SolarWinds hackers had actually accessed and viewed source code repositories within Redmond.

Microsoft had previously disclosed that it, like thousands of other companies, made internal use of the software used in the attack, namely SolarWinds’ Orion network management software.

Last month the US financial regulator, the Securities and Exchange Commission (SEC), began a large-scale probe into the effects of the SolarWinds hack.

The SEC probe was prompted by the reluctance of some publicly traded companies to explain their SolarWinds exposure.