Private sector analysts uncovered a new hacking tool thought to be used in a suspected Russian spying operation in the latest example of how, as the investigation into the SolarWinds breach continues, the plot only thickens.
Security firm Symantec on Tuesday said it had found previously undocumented malicious code that the attackers used to move through victim networks and then transmit additional malware onto specific computers. The attackers installed the malicious code, dubbed Raindrop, on a handful of carefully chosen computers in an effort to spy on them, according to the latest findings.
The discovery underscores the range of tools the accused hackers had at their disposal — some to gain access to computer networks, others to sift through data — in a historic campaign that has infiltrated multiple U.S. federal agencies and consumed investigators at top security firms. U.S. federal investigators have said the hacking campaign is “likely Russian in origin.” Moscow denies involvement.
The attackers have often used bugged software made by contractor SolarWinds to break into networks. But the malicious activity has gone far beyond the tampered SolarWinds technology, as the Symantec research shows.
The hacking tool that Symantec found, for example, has surfaced in organizations using the tampered SolarWinds software, but on entirely different computers within the organization that showed no previous signs of compromise.
The discovery of the malicious code is “another sign of the steps [the attackers] took to avoid having their operations disrupted,” said Eric Chien, a technical director at Symantec, a division of semiconductor maker Broadcom. Chien said “at least three” organizations, but likely more, were infected with the Raindrop malware.
Symantec did not identify the organizations infected. But the attackers appeared to be going after high-value targets.
In one case, the hackers used Raindrop to access a computer running management software that offered access to the entire organization, Symantec said. In another, the hackers targeted a victim computer that was configured to communicate via the Server Message Block (SMB) protocol, a means of sharing files over a network. That raises the possibility that the targeted computer did not have access to the public internet, though Symantec could not confirm that finding beyond question.
The FBI and private sector firms continue their investigation into the espionage operation. SolarWinds on Jan. 11 publicly identified a different piece of malicious code that the attackers used to meddle with the company’s software.
The alleged Russian activity has also affected the U.S. firms Microsoft and FireEye, and is considered one of the most advanced digital spying operations against U.S. government networks in recent memory.
President-elect Joe Biden has pledged to do “all that needs to be done” to get to the bottom of the intrusions, and then punish the culprits. How Biden responds will be a big early test for cybersecurity policy in his presidency.