On Thursday, the Biden administration fulfilled its repeated promises of retaliation for both the SolarWinds hacking campaign and a broad array of other Russian misbehavior that includes the Kremlin's continuing disinformation operations and other interference in the 2020 election, the poisoning of Putin political adversary Aleksey Navalny, and even older Russian misdeeds including the NotPetya worm and the cyberattack on the 2018 Winter Olympics. The Treasury Department has leveled new sanctions at six cybersecurity companies with purported ties to Russian intelligence services, as well as four organizations associated with its disinformation operations. They also specifically targeted oligarch Yevgeniy Prigozhin and Kremlin agent Konstantin Kilimnik, whom you may recall from the Mueller investigation.
The Times reported that the Biden administration plans to respond with "a series of clandestine actions across Russian networks" intended to signal that Russia's hacking campaign crossed a line—"clarifying what the United States believes are in bounds and out of bounds, and what we are prepared to do in response," as national security adviser Jake Sullivan told the paper.
But the most prominent of those sanctions—and most unprecedented—is the administration’s specific response to the SolarWinds campaign, in which the Russian foreign intelligence agency known as the SVR hid their code in the software updates of the SolarWinds IT management tool known as Orion to penetrate as many as 18,000 networks. Using that software supply chain attack and other vulnerabilities, the SVR breached at least nine US federal agencies, including the Department of Justice, DHS, the State Department, and NASA.
Now researchers at security firms Kaspersky and ESET have uncovered evidence that the same hackers who targeted Asus with that sort of supply chain hack earlier this year have also targeted three different videogame developers—this time aiming even higher upstream, corrupting the programming tools relied on by game developers.
Russian intelligence services, the sanctions statement from the US Treasury reads, “have executed some of the most dangerous and disruptive cyberattacks in recent history, including the SolarWinds cyberattack,” officially naming the SVR for the first time as the culprit behind SolarWinds. “The scope and scale of this compromise combined with Russia’s history of carrying out reckless and disruptive cyberoperations makes it a national security concern. The SVR has put at risk the global technology supply chain by allowing malware to be installed on the machines of tens of thousands of SolarWinds’ customers.”
But look closely at the SolarWinds sanctions response, and it's tough to see exactly what rule or norm for the world of state-sponsored hackers the Biden administration is seeking to write—or at least, what rule that the US itself hasn't broken in its own hacking operations—says Bobby Chesney, a law professor at the University of Austin focused on cybersecurity and national security. Any rule that SolarWinds violates would be a new one, he argues, given that the hacking campaign was by all appearances focused on the kind of cyberespionage US intelligence agencies routinely carry out, with no clear evidence that it was intended to cause disruptive effects. The SVR hackers were even somewhat restrained, going so far as to use a kill-switch that removed their malware from targets they didn't intend to spy on.
"It's all espionage, right? In fact, it looks like a fairly carefully crafted espionage campaign," says Chesney. "And so the question is, since we're now saying that crossed a line—you can't sanction somebody and say you're retaliating and punishing them for this and not mean to be drawing some kind of red line—what is it?" The difference, Chesney suggests, is one of scale rather than substance. The SolarWinds hacking campaign took a "shotgun, blunderbuss" approach that could distinguish it. The SVR's corruption of the software supply chain could be seen as uniquely reckless, but the US has tried that too, with operations that have compromised Cisco routers during shipping or built backdoors into the Swiss encryption software firm Crypto AG.
Even as senior government officials continue to raise alarms about foreign actors seeking to attack the election, the major entities of federal government that share responsibility for election security—the Department of Homeland Security, the Department of Justice, and the Office of the Director of National Intelligence, which oversees and coordinates the nation’s 17 intelligence agencies—have taken steps that appear to undermine or compromise the nation’s ability to conduct a fair and free election in November and combat foreign interference.