WASHINGTON — The Biden administration on Thursday announced tough new sanctions on Russia and formally blamed the country’s premier intelligence agency for the sophisticated hacking operation that breached American government agencies and the nation’s largest companies.
In the broadest effort yet to give more teeth to financial sanctions — which in the past have failed to deter Russian activity — the sanctions are aimed at choking off lending to the Russian government.
In an executive order, President Biden announced a series of additional steps — sanctions on 32 entities and individuals for disinformation efforts and for carrying out the Russian government’s interference in the 2020 presidential election. Ten Russian diplomats, most of them identified as intelligence operatives, were expelled from the Russian Embassy in Washington. The country also joined with European partners to sanction eight people and entities associated with Russia’s occupation in Crimea.
The announcement is the first time that the U.S. government had placed the blame for the “SolarWinds” hacking attack right at the Kremlin’s feet, saying it was masterminded by the SVR, one of the Russian intelligence agencies that was also involved in the hacking of the Democratic National Committee six years ago. The finding comports with the findings of private cybersecurity firms.
SolarWinds; to the C.I.A.’s assessment that Russia offered bounties to kill American troops in Afghanistan; and to Russia’s longstanding effort to interfere in U.S. elections on behalf of Donald J. Trump. The key to the sanctions’ effectiveness, officials concede, will be whether European and Asian allies go along with that ban, and whether the United States decides to seek to extend the sanctions by threatening to cut off financial institutions around the world that deal in those Russian bonds, much as it has enforced “secondary sanctions” against those who do business with Iran.
In a conversation with President Vladimir V. Putin on Tuesday, Mr. Biden warned that the United States was going to act to protect its interests, but also raised the prospect of a summit meeting between the two leaders. It is unclear whether Russia will now feel the need to retaliate for the sanctions and expulsions. American officials are already alarmed by a troop buildup along the border of Ukraine and Russian naval activity in the Black Sea.
And inside American intelligence agencies there have been warnings that the SolarWinds attack — which enabled the SVR to place “back doors” in the computer networks — could give Russia a pathway for malicious cyber activity against government agencies and corporations.
Jake Sullivan, Mr. Biden’s national security adviser, has often said that sanctions alone will not be sufficient, and said there would be “seen and unseen” actions against Russia. Mr. Biden, before his inauguration, suggested the United States would respond in kind to the hack, which seemed to suggest some kind of clandestine cyber response. But it may take weeks or months for any evidence that activity to come to light, if it ever does.
SolarWinds attack because that was the name of the Texas-based company whose network management software was subtlety altered by the SVR before the firms customers downloaded updated version. But the presidential statement alludes to the C.I.A.’s assessment that Russia offered bounties to kill American troops in Afghanistan and explicitly links the sanctions to Russia’s longstanding effort to interfere in U.S. elections on behalf of Donald J. Trump.
In the SolarWinds breach, Russian government hackers infected network-management software used by thousands of government entities and private firms in what officials believe was, at least in its opening stages, an intelligence-gathering mission.
The SVR, also known as the Russian Foreign Intelligence Service, is primarily known for espionage operations. The statement said American intelligence agencies have “high confidence in its assessment of attribution” of responsibility to Russia.
In an advisory, the United States described for private companies specific details about the software vulnerabilities that the Russian intelligence agencies used to hack into the systems of companies and governments. Most of those have been widely known since FireEye, a private security firm, first found evidence of the hack in December. Until FireEye’s discovery, the actions had been entirely missed by the U.S. government, largely because the attack was launched from inside the United States — where, as the Russians know well, American intelligence agencies are prohibited from operating.
Previous sanctions against Russia have been more narrowly drawn and have largely affected individuals. As such, the Kremlin has largely appeared to absorb or shrug off the penalties without changing its behavior.