U.S. government accuses Russian companies of recruiting spies, hacking for Moscow


The Biden Administration took a sideswipe at the Russian government’s network of companies it allegedly relies on to conduct intelligence and military hacking Thursday — part of a broader effort to beat back Russian government hacking and information operations targeting Americans, the U.S. private sector and the federal government.

In one of the most striking actions the Biden administration took Thursday, the U.S. Treasury Department sanctioned Positive Technologies, a cybersecurity firm headquartered in Moscow. According to the Treasury Department, Positive Technologies may appear to be a regular IT firm, but it actually supports Russian government clients, including the Federal Security Service.

The firm also “hosts large-scale conventions that are used as recruiting events for the FSB and GRU,” the Treasury Department said, referring to the Federal Security Service (FSB) and Russia’s Main Intelligence Directorate (GRU).

U.S. intelligence documents show that the company has gone even further at times and has been supplying Russian intelligence with offensive hacking tools, knowledge and offensive operations, according to MIT Technology Review.

The administration’s announcement comes as part of a broader effort from the Biden administration to hold Russia accountable for the SolarWinds breach — in which the government blamed hackers from Russia’s Foreign Intelligence Service (SVR) for lacing malicious code into a software update from federal contractor SolarWinds — as well as other malign activity. The U.S. government also revealed some details on what it said were the SVR’s latest hacking tactics for targeting the U.S. defense industrial base. Those revelations are an attempt to kneecap active cyberattack campaigns.

The Russian government has often relied on cybercriminals’ skills and hacking campaigns to support government espionage goals, indictments show. But the administration’s efforts to reveal the Russian tech sector’s ties with the government’s hacking campaigns stand to expose an oft-rumored Russian espionage network with far-reaching tentacles into the world of contractors and billion dollar firms, a network that can obscure who is really behind cybersecurity work emanating from Russia.

CyberScoop has previously covered research issued by Positive Technologies and its researchers. In one curious case, the U.S. Department of Defense’s offensive cyber arm, Cyber Command, publicly urged American system administrators to patch a vulnerability a Positive Technologies researcher disclosed. The allegedly FSB-linked company has uncovered and disclosed a handful of vulnerabilities over the years, including bugs in popular software made by Citrix and in Palo Alto Networks’ operating system.

The sanctions announcement covers six Russian tech sector entities in all. Other entities the Biden administration identifies as working toward the Russian government’s hacking goals include ERA Technopolis, which has supported the GRU’s cyber and information operations.

The Treasury Department also called out Neobit, a St. Petersburg-based IT firm, and AST, a Russian IT security firm, for working on cyber-operations run by the FSB, GRU and SVR.

Pasit, an IT company, and SVA, a research institute, have also worked on behalf of the Russian government’s hacking operations by conducting research for SVR in particular, according to the Treasury.

Treasury Secretary Janet Yellen said in a statement that the announcement is intended to “impose costs on the Russian government for its unacceptable conduct, including by limiting Russia’s ability to finance its activities and by targeting Russia’s malicious and disruptive cyber capabilities.”

The Biden administration’s actions are expected to hit Russia from multiple angles. Beyond attributing the SolarWinds hack to the SVR (whose hacking shop is known as APT29 or Cozy Bear) and sanctioning the companies working for Moscow, the U.S. government is expelling 10 Russian officials from Moscow’s diplomatic mission in Washington, D.C.

FireEye CEO Kevin Mandia noted that identifying these companies will help the firm better run cyber defensive operations.

“Simply naming the SVR, as well as the corporations that support it will inform our defense,” said Mandia, whose company’s red team tools SVR hackers reportedly stole as part of their SolarWinds hacking operation.

Tamping down Moscow’s disinfo

The U.S. government’s efforts to call out companies working on behalf of Russian government hacking and information operations are just the tip of the spear. The Treasury Department also accused a series of other companies of working on behalf of the FSB, GRU and SVR to conduct Russian government disinformation operations.

SouthFront is a Russia-based online disinformation shop that pushed allegations of voter fraud in the 2020 U.S. presidential election on behalf of the FSB, according to Treasury. NewsFront, a Crimea-based propaganda site that also worked for FSB, has been spreading false information about the coronavirus vaccine, the sanctions announcement states.

Facebook has previously taken down posts linked to SouthFront and NewsFront, which it said were part of a broader misinformation network run by “individuals in Russia” and in the Donbass region of Ukraine.

Some of the sanctions identify individuals and digital currency addresses linked with the Russian government’s troll farm, the Internet Research Agency, which the U.S. government has accused of running online information operations meant to sow division and discord in American politics. Many of the sanctions identify individuals accused of being linked to Yevgeniy Prigozhin, the Russian oligarch accused of backing the IRA.