Before SolarWinds, US officials say SVR began stealthily targeting cloud services in 2018

U.S. officials have now released multiple public advisories on alleged SVR hacking tools.
Sergei Naryshkin
Sergei Naryshkin, seen here in 2016, is head of Russia's SVR intelligence agency. (Photo by Mikhail Svetlov/Getty Images)

U.S. national security agencies on Monday continued their concerted efforts to expose hacking techniques used by the Russian intelligence agency allegedly responsible for a historic cyber-espionage campaign aimed at the U.S. government.

The latest public statement from the FBI and the Department of Homeland Security traces the evolution of Russia’s SVR foreign intelligence agency as a formidable cyber adversary capable of exploiting U.S. networks through a range of tools. A turning point, the advisory said, came in 2018 when the FBI saw the SVR begin to target email-based cloud computing resources in a likely effort to conceal the spies’ intelligence collection.

The SVR allegedly employed that tactic in the hacking effort that exploited software made by SolarWinds and other vendors to breach nine U.S. government agencies. The bugging of trusted SolarWinds software updates was “a notable departure from the SVR’s historic tradecraft,” the FBI and DHS’s Cybersecurity and Infrastructure Security Agency said.

The advisory follows the Biden administration’s move to blame the SVR on April 15 for the so-called SolarWinds campaign, which White House officials argued exceeded traditional espionage because of the cost it imposed on private firms cleaning up the breaches. U.S. security agencies have also published a series of other advisories on alleged SVR hacking in an effort to mitigate the exposure of U.S. private and public networks.


Along with Russia’s treatment of opposition figure Alexei Navalny, the hacking activity has been a major source of tension in U.S.-Russia relations in the first months of the Biden administration. The Biden administration also imposed sanctions on Russian tech companies for allegedly supporting Russian cyber-espionage operations, and expelled 10 Russian diplomats.

Moscow, which has denied involvement in the SolarWinds activity, retaliated by expelling 10 American diplomats and banning senior Biden administration officials from visiting Russia.

U.S. officials say the SVR is one of three main Russian intelligence agencies, along with the GRU and FSB, whose hacking groups continually target U.S. and allied computer networks. The SVR-linked APT29 was allegedly one of two Russian spying outfits that breached the Democratic National Committee in 2016 in an effort to upend the U.S. election.

But unlike the GRU, whose hacking groups have a reputation for brazen, high-profile operations like cutting power in Ukraine in 2015 and 2016, SVR operatives are known for their subtlety. The U.S. advisory published Monday sheds some light on those tactics.

The FBI and DHS, for example, accused the SVR of using fake identities and cryptocurrency to buy computing infrastructure to conduct its hacking. The SVR hackers have also used a common tactic known as password spraying to guess weak passwords, according to U.S. officials, but have done so with a lighter touch than other hacking groups, which bombard networks with guesses.


“The actors conducted the password spraying activity in a ‘low and slow’ manner, attempting a small number of passwords at infrequent intervals, possibly to avoid detection,” the FBI-DHS advisory reads.

Sean Lyngaas

Written by Sean Lyngaas

Sean Lyngaas is CyberScoop’s Senior Reporter covering the Department of Homeland Security and Congress. He was previously a freelance journalist in West Africa, where he covered everything from a presidential election in Ghana to military mutinies in Ivory Coast for The New York Times. Lyngaas’ reporting also has appeared in The Washington Post, The Economist and the BBC, among other outlets. His investigation of cybersecurity issues in the nuclear sector, backed by a grant from the Pulitzer Center on Crisis Reporting, won plaudits from industrial security experts. He was previously a reporter with Federal Computer Week and, before that, with Smart Grid Today. Sean earned a B.A. in public policy from Duke University and an M.A. in International Relations from The Fletcher School of Law and Diplomacy at Tufts University.

Latest Podcasts