The White House says Russia’s foreign intelligence service SVR was responsible for the SolarWinds hack, a claim the Russian agency dismissed as “nonsense”.
Senior US government officials had already said the Russian government was responsible for the sprawling cyber attack but Thursday’s announcement offers the first formal statement pinning the operation on a specific agency.
The White House statement was paired with a series of sanctions against five Russian cybersecurity firms which the US Treasury Department said had been involved in supporting Russian cyber operations.
While some security experts say the SolarWinds hacking operation could be viewed as a traditional espionage activity that is not uncommon between government hackers, the Treasury Department in its statement said the “scope and scale of this compromise combined with Russia’s history of carrying out reckless and disruptive cyber operations makes it a national security concern”.
The National Security Agency, FBI and Cybersecurity Infrastructure Security Agency also said on Thursday that the SVR was exploiting five known computer software vulnerabilities.
The announcement came with links to a series of related software patches by the companies who make those products, including VMware and Fortinet.
“The vulnerabilities in today’s release are part of the SVR’s toolkit to target networks across the government and private sectors. We need to make SVR’s job harder by taking them away,” Rob Joyce, NSA director of cybersecurity, said.
Russia’s SVR called the US allegations that it was responsible for the SolarWinds hack “nonsense” and “windbaggery,” the Interfax news agency reported.