The elite Russian state hackers behind last year’s major SolarWinds cyberespionage campaign have not slowed down this year, infiltrating several US and allied government organizations and foreign policy think tanks with exquisite craft and stealth, according to a top cybersecurity firm.
On the anniversary of the SolarWinds intrusions’ public disclosure, Mandiant said hackers associated with Russia’s SVR foreign intelligence agency continued to steal data “relevant to Russian interests” with great effect using novel, stealthy techniques detailed in a mostly technical report aimed at keeping security professionals alert.
SolarWinds was revealed by Mandiant, not the US government.
While the number of government agencies and businesses attacked by the SVR was lower this year than last year, when around 100 organizations were compromised, measuring the damage is difficult, according to Charles Carmakal, Mandiant’s chief technical officer. Overall, the impact is significant. “Those firms that are hacked are also losing information.”
“Not everyone is sharing the incident(s) since they don’t always have to legally disclose it,” he explained, complicating damage assessment.
The Russian cyber surveillance unfolded primarily in the shadows, as the US government was consumed in 2021 by a new, eminently “noisy” and headline-grabbing cyber danger — ransomware assaults committed by criminal gangs rather than nation-state hackers. Those gangs, as it happens, are mostly protected by the Kremlin.
The Mandiant findings follow Microsoft’s October report that the hackers, dubbed Nobelium, continue to infiltrate government agencies, foreign policy think tanks, and other organizations focused on Russian affairs via cloud service providers and so-called managed services providers on which they increasingly rely. In the report, Mandiant acknowledges Microsoft’s threat researchers.
Russian hackers “continue to develop and discover new tactics and tradecraft,” according to Mandiant analysts, allowing them to loiter in victim networks, thwart detection, and confound attempts to ascribe attacks to them. In summary, Russia’s most elite state-backed hackers are as cunning and flexible as they have always been.
Mandiant did not identify particular victims or disclose what exact information was obtained, but did state that certain “diplomatic institutions” that received fraudulent phishing emails were among the targets.
According to the researchers, cloud computing services were frequently the hackers’ path of least resistance to their targets. They then used stolen credentials to gain access to networks. The report details how they got access to one victim’s Microsoft 365 system via a stolen session in one scenario. According to the investigation, the hackers often used skilled tradecraft to hide their footprints.
One ingenious tactic detailed in the study exemplifies the continual cat-and-mouse game that is digital espionage. The hackers established beachheads for their intrusions by connecting from IP addresses, the numeric identifiers that locate a computer on the internet, that were physically close to the account they were attempting to penetrate — for instance, in the same address block as the account holder’s local internet provider. This makes it extremely difficult for security tools to identify a hacker who, using stolen credentials, poses as an employee accessing their work account remotely.
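The two evasion points above (a replayed Microsoft 365 session and a sign-in IP chosen close to the victim) can be illustrated with detection logic over sign-in records. The code below is an added example, not from the Mandiant report, and runs over constructed sign-in events: a location-only anomaly check misses the proxied sign-in, while a check for one session token presented by two different client fingerprints still flags it.

```python
from collections import defaultdict

# Constructed sign-in events (not real data). The second 'alice' event reuses
# her session token from an IP in the same city but from a different browser.
EVENTS = [
    {"user": "alice", "session": "S-1", "ip": "203.0.113.10", "city": "Denver",
     "ua": "Edge/96 Windows", "ts": 1000},
    {"user": "alice", "session": "S-1", "ip": "203.0.113.77", "city": "Denver",
     "ua": "Chrome/96 Linux", "ts": 1600},
    {"user": "bob", "session": "S-2", "ip": "198.51.100.5", "city": "Boston",
     "ua": "Safari/15 macOS", "ts": 1000},
    {"user": "bob", "session": "S-2", "ip": "198.51.100.5", "city": "Boston",
     "ua": "Safari/15 macOS", "ts": 2000},
]


def geo_anomalies(events):
    """Location-only check: flag a user whose sign-ins come from more than one city.
    An attacker egressing from an IP near the victim passes this check unnoticed."""
    cities = defaultdict(set)
    for e in events:
        cities[e["user"]].add(e["city"])
    return sorted(user for user, seen in cities.items() if len(seen) > 1)


def session_reuse_anomalies(events):
    """Flag a session token presented by more than one client user agent.
    A replayed token changes the browser fingerprint even when the IP looks local."""
    agents = defaultdict(set)
    for e in events:
        agents[(e["user"], e["session"])].add(e["ua"])
    return sorted(f"{user}:{sess}" for (user, sess), seen in agents.items()
                  if len(seen) > 1)
```

Correlating the token with its original device fingerprint, rather than relying on sign-in geography alone, is what exposes the replayed session in this sample.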
The SolarWinds hack exploited vulnerabilities in the software supply-chain system and remained undetected for the majority of 2020, despite compromises at a wide range of federal agencies, including the Justice Department, and dozens of companies, primarily telecommunications and information technology providers such as Mandiant and Microsoft.
The hacking campaign is called SolarWinds after the US software company whose product was used in the initial stage of infection. In response to the incident, the Biden administration imposed sanctions in April, including on six Russian organizations that support the country’s cyber capabilities.