Hackers associated with the SolarWinds supply chain compromise have been busy in the year since that attack was revealed, compromising multiple cloud solution companies with the goal of stealing data relevant to Russian interests and finding routes to additional victims, new research reveals.
Findings published Monday by a team of analysts at Mandiant collate previous observations and analysis — along with the efforts of “hundreds of consultants, analysts and reverse engineers” — to paint a picture of potentially distinct groups working alongside or within a more established Russian intelligence hacking group known as Nobelium, a name given to the group by Microsoft. The group is also known as Cozy Bear.
The U.S. government formally blamed the Russian government for the hack on SolarWinds, a federal contractor that, when breached as far back as January 2019, provided a path to compromising nine government agencies — including the departments of Treasury, Homeland Security and Justice — and perhaps more than 100 private sector companies. Cybersecurity firm FireEye, now known as Mandiant, revealed the attack in December 2020, and in the following months forced a reckoning with the vulnerable state of federal cybersecurity.
Investigators tracked “multiple clusters of suspected Russian intrusion activity,” a reference to the notion that various actors are trying to penetrate networks. The researchers were then able to classify that activity into two distinct groups. One, UNC2652, targeted diplomatic entities with phishing emails. The other, UNC3004, aimed to breach both government and business entities through access to an unnamed cloud service provider and managed service providers.
Noting that the observed activity is carried out by “one of the toughest actors we have encountered” that practices “top-notch operational security and advanced tradecraft,” Mandiant researchers wrote that the hackers’ activities “highlights the effectiveness of leveraging third parties and trusted vendor relationships to carry out nefarious operations.”
The research points to “multiple instances” where CSPs were compromised, giving the attackers privileged access and credentials that then allowed the compromise of the downstream customers. In one case, evidence was found suggesting the attackers used a session token stolen by a third party to target an unidentified Microsoft 365 environment.
The attackers used residential IP addresses sold by a broker to make it look like they were logging into environments from within a victim’s home country.
“These tactics showcase the complexity of the attacker’s operations and is rarely seen executed by other threat actors,” the researchers wrote. “Accomplishing this can make it very difficult for investigators to differentiate between normal user activity and the threat actor’s activity.”
The Mandiant researchers also observed attempts to compromise multiple user accounts within a given environment and then use them separately for different functions. One account might be used for reconnaissance, for instance, while others were used for data theft or other activities. This kind of disciplined approach had previously been seen by Mandiant researchers, they wrote.
“This intrusion activity reflects a well-resourced threat actor set operating with a high level of concern for operational security,” the researchers wrote. Mandiant did not observe enough to conclusively attribute the activity, but the operational security methods and the exploitation of a third party are consistent with the tactics employed by the SolarWinds hackers, they wrote.