The Biden administration is taking the Russian cyber operations ecosystem to task with sanctions pointed at both established Russian companies as well as Russian-controlled entities created by the FSB, GRU and SVR for operational purposes. Coupled with the U.S. Treasury sanctions, a joint advisory from CISA, NSA and the FBI identified the SVR (Russian Foreign Intelligence Service) as being responsible for the SolarWinds supply chain compromise. The advisory lays bare the “tactics, techniques and procedures used by the SVR.”
SVR Cyber Operations
The joint advisory points to five publicly known vulnerabilities which the SVR and their cyber actors are exploiting to gain footholds into targeted networks. They also highlighted the SVR’s ongoing efforts to continuously scan and target the United States government, and by extension, those entities supporting the government, for opportunities to exploit identified weaknesses. The SVR-associated actors are well-known in the cybersecurity world as APT29, Cozy Bear and The Dukes. The advisory recommended taking note of the techniques used by the SVR and to remediate any exploitable vulnerabilites immediately.
Meanwhile, Treasury also named the SVR (per above) and both the GRU and the FSB in their sanctions announcements. The SVR’s malevolent actions are directly associated with the SolarWinds supply chain attack. They also lifted red-team tools from FireEye. Additionally, the FSB has had their finger in the efforts to undermine the national infrastructure of both the Ukraine and Georgia. Finally, it is the FSB who directs the efforts to compromise and collect information against Russian journalists and dissidents, U.S. government personnel and “millions of private citizens around the world.” Interestingly, it is also the FSB who facilitated the advancement of a criminal hacking group, “previously designated as Evil Corp,” in support of targeted phishing attacks. The GRU, for their part, have seen a number of their personnel indicted in the United States, and are linked with ownership of the NotPetya and Olympic Destroyer malware, as well as “hack-and-leak” operations targeting the elections of both France and the United States.
Russian Tech Companies Sanctioned
- ERA Technopolis – A technology park operated by the Russian Ministry of Defense which houses and supports many of the GRU cyber operations teams;
- Pasit, AO – Conducts research and development for the SVR’s cyber ops;
- Federal State Autonomous Scientific Establishment Scientific Research Institute Specialized Security Computing Devices and Automation – A state-run entity conducting research and development primarily for the SVR’s cyber ops;
- Neobit, OOO – Provides operational support to the SVR, GRU and FSB. The firm also conducts research and development for the Russian intelligence community;
- Advanced System Technology, AO – Supports the Russian Ministry of Defense, the SVR, GRU and FSB in their role as an IT security firm; and
- Pozitiv Teknolodzhiz, AO – Actively supports the FSB and provides services to the Russian government, as well as foreign governments and international companies, and is active in the recruitment of personnel for the FSB and GRU.
Treasury wasn’t done. They then went on to sanction multiple disinformation outlets, created by the Russian intelligence apparatus. These entities were identified as:
- SouthFront – A disinformation site which receives tasking from the FSB.
- NewsFront – A Crimea-based disinformation and propaganda outlet that worked with FSB officers.
- Strategic Culture Foundation – And online journal, operating under SVR direction, with Russian Ministry of Foreign Affairs input. Treasury notes that the entity is “controlled by the SVR’s Directorate MS (Active Measures).”
- InfoRos – A “news agency” controlled and operated by the GRU’s 72nd Main Intelligence Information Center (GRITs). The entity operates under two organizational names, “InfoRos, OOO” and “IA InfoRos.”
Yevgeniy Prigozhin and Konstantin Kilimnik
Yevgeniy Prigozhin’s Saint Petersburg, Russia-based Internet Research Agency is well known, but his other entities, including third parties hired to assist the efforts of Prigozhin’s efforts, are less so. The plethora of companies and individuals supporting Prigozhin-directed influence operations was impressive and far reaching. These identified entities, and the individuals associated with them are:
- Foundation for National Values Protection – Conducted global influence operations targeted at the U.S. electoral process.
- Association for Free Research and International Cooperation and International Anticrisis Center – Two entities which focused their efforts on Africa and Europe and created “phony election monitoring missions.”
- Trans Logisitik, OOO and OOO Yunidzhet – Provided covert procurement services in support of Prigozhin.
- Second Eye Solution – A Pakistani firm specializing in the creation of “fraudulent identities.” The company created digital fakes of passports, driver licenses, bank statements, utility bills and other documents needed to verify financial accounts, as well as social network accounts. Furthermore, this entity created four front companies to launder their proceeds.
Finally, Treasury provided the most direct and concrete public identification of Konstantin Kilimnik as a Russian intelligence operative who provided Russian intelligence with sensitive information on polling and campaign strategy during the 2016 U.S. presidential election.
The FBI is offering a reward of $250,000 for information leading to the arrest of either Kilimnik or Prigozhin.