WASHINGTON (AP) – The Russian state hacker elite behind last year’s massive SolarWinds cyberespionage campaign have hardly slowed this year, carrying out numerous infiltrations of US and allied government agencies and foreign policy think tanks with consummate skill and stealth, a leading cybersecurity firm reported on Monday.
On the anniversary of the public disclosure of the SolarWinds intrusions, Mandiant said hackers associated with the Russian foreign intelligence agency SVR continued to steal data “relevant to Russian interests” with great effect, using new stealth techniques that it detailed in a primarily technical report intended to help security professionals stay vigilant.
It was Mandiant, not the US government, that disclosed SolarWinds.
While the number of government agencies and businesses hacked by the SVR was lower this year than last year, when around 100 organizations were breached, it is difficult to assess the damage, said Charles Carmakal, technical director of Mandiant. Overall, the impact is quite severe. “Companies that get hacked also lose information.”
“Not everyone discloses the incident(s) because they don’t always have to legally disclose it,” he said, complicating the damage assessment.
Russian cyber espionage has unfolded, as always, mostly in the shadows, while the US government was consumed in 2021 by a distinct, eminently ‘loud’, headline-grabbing cyber threat: ransomware attacks launched not by nation-state hackers but by criminal gangs. As it turns out, these gangs are largely protected by the Kremlin.
Mandiant’s findings follow an October report from Microsoft that the hackers, which it refers to by the umbrella name Nobelium, continue to infiltrate government agencies, foreign policy think tanks and other organizations focused on Russian affairs through the cloud service companies and managed service providers on which those organizations increasingly rely. Mandiant’s report credits Microsoft’s threat researchers for that work.
Mandiant researchers said Russian hackers “continue to innovate and identify new techniques and tradecraft” that allow them to linger in victim networks, hinder detection and sow confusion in attempts to attribute the hacks to them. In short, the most elite Russian state-backed hackers are more cunning and adaptable than ever.
Mandiant did not identify individual victims or describe specific information that may have been stolen, but said unspecified “diplomatic entities” that had received malicious phishing emails were among the targets.
Often, researchers say, the hackers’ path of least resistance to their targets was through cloud computing services. From there, they used stolen credentials to infiltrate networks. The report describes how, in one case, they gained access to a victim’s Microsoft 365 environment through a stolen session. And, according to the report, the hackers regularly relied on advanced tradecraft to cover their tracks.
One clever technique discussed in the report illustrates the ongoing cat-and-mouse game that digital espionage involves. The hackers set up their intrusion footholds using IP addresses (the numeric designation that identifies a device’s location on the Internet) that were physically located near the account they were trying to breach – in the same block of addresses, for example, as the account owner’s local Internet provider. This makes it very difficult for security software to distinguish a hacker using stolen credentials from a legitimate employee accessing a work account remotely.
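To make the detection problem described above concrete, here is an added illustration (not code from the report or from Mandiant) using constructed Microsoft 365-style sign-in events: a rule keyed on source-IP location sees nothing unusual when the intruder’s address sits in the same /24 as the user’s home ISP, while a rule keyed on a client fingerprint (here the user agent, an assumed stand-in for richer device data) still flags the hijacked session.

```python
import ipaddress
from collections import defaultdict

# Constructed sign-in events for illustration (not taken from the report).
# Each tuple is (session_id, source_ip, user_agent). The third sess-A1 event
# models a stolen session replayed from an address in the same /24 as the
# user's home ISP block, so its location looks perfectly ordinary.
EVENTS = [
    ("sess-A1", "198.51.100.23", "Mozilla/5.0 (Windows NT 10.0) Chrome/96.0"),
    ("sess-A1", "198.51.100.23", "Mozilla/5.0 (Windows NT 10.0) Chrome/96.0"),
    ("sess-A1", "198.51.100.77", "Mozilla/5.0 (X11; Linux x86_64) Firefox/94.0"),
    ("sess-B7", "203.0.113.5", "Mozilla/5.0 (Macintosh) Safari/605.1.15"),
]


def group_by_session(events):
    """Collect (ip, user_agent) observations per session id."""
    sessions = defaultdict(list)
    for sid, ip, ua in events:
        sessions[sid].append((ip, ua))
    return sessions


def location_rule(events, prefixlen=24):
    """Flag sessions whose source IPs span more than one /prefixlen block.
    A nearby attacker address defeats this: every IP sits in the same block."""
    flagged = []
    for sid, obs in group_by_session(events).items():
        blocks = {
            ipaddress.ip_network(f"{ip}/{prefixlen}", strict=False) for ip, _ in obs
        }
        if len(blocks) > 1:
            flagged.append(sid)
    return sorted(flagged)


def fingerprint_rule(events):
    """Flag sessions whose client user agent changes mid-session.
    Geography plays no part, so a same-block attacker still stands out."""
    flagged = []
    for sid, obs in group_by_session(events).items():
        if len({ua for _, ua in obs}) > 1:
            flagged.append(sid)
    return sorted(flagged)


if __name__ == "__main__":
    print("location rule flags:   ", location_rule(EVENTS))     # []
    print("fingerprint rule flags:", fingerprint_rule(EVENTS))  # ['sess-A1']
```

Real sign-in telemetry offers more than a user agent (device identifiers, token issuance time, client application), and the same per-session consistency check extends to any of those fields.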
The SolarWinds hack exploited weaknesses in the software supply chain and went undetected for much of 2020 despite compromising a wide range of federal agencies – including the Department of Justice – and dozens of companies, primarily telecommunications and information technology providers, including Mandiant and Microsoft.
The hacking campaign is named SolarWinds after the American software company whose product was exploited in the first infection stage of this effort. The Biden administration imposed sanctions last April in response to the hack, including against six Russian companies that support the country’s cyber efforts.