US sanctions six tech firms for supporting Russian intelligence services

Named firms are Positive Technologies, ERA Technopolis, Neobit, Advanced System Technology (AST), Pasit and SVA

The US Treasury Department on Thursday sanctioned six Russian technology firms for aiding government hackers engaged in "dangerous and disruptive cyber attacks".

The Department said that these six firms have been developing infrastructure and tools, providing expertise, and carrying out malicious cyber activities on behalf of Kremlin Intelligence Services.

The firms that were named by the Treasury Department are: Pozitiv Teknolodzhiz (Positive Technologies), ERA Technopolis, Neobit, Advanced System Technology (AST), Pasit and SVA.

"These companies are being designated for operating in the technology sector of the Russian Federation economy," the White House said in a statement.

"We will continue to hold Russia accountable for its malicious cyber activities, such as the SolarWinds incident, by using all available policy and authorities."

According to The Treasury, Positive Technologies "hosts large-scale conventions that are used as recruiting events" for the Russia's Federal Security Service (FSB) and Main Intelligence Directorate (GRU).

The company hosts 'Positive Hack Days' event in Moscow every year, where hobbyist hackers and chief security officers from across the world are asked to demonstrate skills in hacking.

Positive Technologies has also helped many firms in past years find and address weaknesses in their products, including vulnerabilities in Microsoft Windows and Intel chips.

ERA Technopolis is a research centre that is operated by the Russian Ministry of Defence and provides support to GRU units "responsible for offensive cyber and information operations".

According to US agencies, ERA Technopolis leverages the expertise of the Russian technology sector to develop military and dual-use technologies.

Pasit is a Russian IT firm carries research to support malicious cyber operations of Russia's Foreign Intelligence Service (SVR).

On Thursday, the US also formally named the SVR as the perpetrator of the cyber espionage campaign that exploited the SolarWinds Orion platform and other IT infrastructures in the US. The White House said that the US intelligence community has high confidence that SVR, also known as Cozy Bear, APT 29, and The Dukes, was behind the SolarWinds attacks.

The SolarWinds hack, which affected as many as 16,000 US firms, was disclosed in December, after the US Treasury Department and the US Department of Commerce's National Telecommunications and Information Administration (NTIA) were found to have been compromised in a massive cyber campaign.

Cyber security firm FireEye revealed that the attackers compromised SolarWinds' network monitoring software Orion by "inserting malicious code into legitimate software updates for the Orion software that allow an attacker remote access into the victim's environment".

At least nine federal agencies and dozens of private firms were hacked as a result of the attack.

Last month, Associated Press cited current and former government officials to claim that the SolarWinds hackers had also breached email accounts belonging to Chad Wolf, former acting head of the DHS, and other senior members of the DHS's cybersecurity division (CSD).

On Thursday, the FBI, National Security Agency (NSA) and the Cybersecurity & Infrastructure Security Agency (CISA) issued a joint advisory to warn organisation of five publicly known vulnerabilities that were being exploited by Russian SVR to target US and allied networks.

The advisory detailed various steps that admins can take to protect their systems against the SVR's malicious cyber activities.

"We are publishing this product to highlight additional tactics, techniques, and procedures being used by SVR so that network defenders can take action to mitigate against them," the advisory stated.

"Mitigation against these vulnerabilities is critically important as U.S. and allied networks are constantly scanned, targeted, and exploited by Russian state-sponsored cyber actors."