The elite Russian state hackers behind last year’s massive SolarWinds cyberespionage campaign haven’t slowed down this year, infiltrating a slew of US and allied government agencies and foreign policy think tanks with consummate craft and stealth, according to a leading cybersecurity firm.
On the anniversary of the SolarWinds intrusions’ public disclosure, Mandiant said hackers associated with Russia’s SVR foreign intelligence agency continued to steal data “relevant to Russian interests” with great effect using novel, stealthy techniques detailed in a mostly technical report aimed at keeping security professionals alert.
The SolarWinds campaign was first revealed by Mandiant, not by the US government.
The number of government agencies and businesses hacked by the SVR this year was lower than last year, when approximately 100 organizations were breached, but assessing the damage is difficult, according to Charles Carmakal, Mandiant’s chief technology officer, and the overall impact remains serious. “The companies that are getting hacked, they are also losing information.”
“Not everyone is disclosing the incident(s) because they don’t always have to legally disclose it,” he explained, complicating damage assessment.
The Russian cyber spying unfolded mostly in the shadows, as the US government was consumed in 2021 by a separate, eminently “noisy” and headline-grabbing cyber threat — ransomware attacks launched by criminal gangs rather than nation-state hackers. Those gangs, as it happens, are largely protected by the Kremlin.
The Mandiant findings follow Microsoft’s October report that the hackers, dubbed Nobelium, continue to infiltrate government agencies, foreign policy think tanks, and other organizations focused on Russian affairs through the cloud service providers and so-called managed service providers on which those organizations increasingly rely. In the report, Mandiant acknowledges Microsoft’s threat researchers.
Russian hackers “continue to innovate and identify new techniques and tradecraft,” according to Mandiant researchers, allowing them to linger in victim networks, thwart detection, and confuse attempts to attribute hacks to them. In short, Russia’s most elite state-backed hackers are as cunning and adaptable as they have always been.
Mandiant did not identify individual victims or describe what specific information was stolen, but did state that unspecified “diplomatic entities” that received malicious phishing emails were among the targets.
According to the researchers, cloud computing services were frequently the hackers’ path of least resistance to their targets: compromise a provider, then use credentials stolen there to reach its customers’ networks. In one case, the report describes the hackers gaining access to a victim’s Microsoft 365 tenant with a stolen session token, bypassing the password entirely. According to the report, the hackers routinely used advanced tradecraft to hide their tracks.
One ingenious technique discussed in the report exemplifies the ongoing cat-and-mouse game that is digital espionage. Hackers established intrusion beachheads from IP addresses (the numeric labels that identify a device on the internet, and from which security tools infer an approximate location) that were geographically close to the account they were attempting to breach — say, in the same address block as the target’s residential internet provider. A login that appears to come from the user’s own neighborhood defeats the location-based checks that would otherwise flag a hacker using stolen credentials to reach a work account remotely.
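The two techniques above, as detection logic run over constructed sign-in events. This is an illustration added to this article, not Mandiant’s code or detection content; the rule names, IP ranges, session ids and user agents are assumptions. A location-only rule cannot separate the replayed session in event 2 from the legitimate login in event 1, because the attacker’s source address sits inside the victim’s ISP block, whereas a rule that binds each session id to the IP and user agent it was first issued to still flags the reuse.

```python
import ipaddress
from dataclasses import dataclass


@dataclass
class SignIn:
    """One constructed cloud sign-in event (not a real log record)."""
    user: str
    ip: str
    session_id: str
    user_agent: str


# Constructed baseline (assumed values): the /24 the user's home ISP has
# assigned to them, which a naive location rule treats as "normal".
HOME_BLOCKS = {"alice": ipaddress.ip_network("203.0.113.0/24")}

# Constructed sequence of sign-ins for one user.
#   event 0: the legitimate login that creates the session
#   event 1: the stolen session replayed from an address inside the same
#            block as the victim's ISP (the stealthy pattern the article describes)
#   event 2: the same stolen session replayed from an unrelated block
EVENTS = [
    SignIn("alice", "203.0.113.45", "sess-1", "Mozilla/5.0 (Windows NT 10.0) Edge/96"),
    SignIn("alice", "203.0.113.200", "sess-1", "python-requests/2.26"),
    SignIn("alice", "198.51.100.7", "sess-1", "python-requests/2.26"),
]


def location_only_alerts(events, home_blocks):
    """Naive rule: alert when the source IP is outside the user's usual block.
    Returns the indexes of the flagged events."""
    flagged = []
    for i, e in enumerate(events):
        if ipaddress.ip_address(e.ip) not in home_blocks[e.user]:
            flagged.append(i)
    return flagged


def session_binding_alerts(events):
    """Bind each session id to the (IP, user agent) pair it was first seen
    with; alert when the same session later appears from a different pair.
    Returns the indexes of the flagged events."""
    origin = {}
    flagged = []
    for i, e in enumerate(events):
        key = (e.user, e.session_id)
        if key not in origin:
            origin[key] = (e.ip, e.user_agent)
            continue
        if origin[key] != (e.ip, e.user_agent):
            flagged.append(i)
    return flagged


if __name__ == "__main__":
    print("location-only rule flags:", location_only_alerts(EVENTS, HOME_BLOCKS))
    print("session-binding rule flags:", session_binding_alerts(EVENTS))
```

The location-only rule flags only event 2; the session-binding rule flags events 1 and 2. Binding a session to its source IP alone is noisy in practice (mobile users and DHCP churn change addresses legitimately), which is why the rule also compares the user agent; a production control would add token age and device identity on top of that.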
The SolarWinds hack compromised the software supply chain, delivering the intruders through a trojanized update of a widely used SolarWinds product, and remained undetected for most of 2020 despite compromises at a wide range of federal agencies, including the Justice Department, and dozens of companies, primarily telecommunications and information technology providers such as Mandiant and Microsoft.
SolarWinds is the name given to the hacking campaign, after the US software company whose product was used for the initial infection. The Biden administration imposed sanctions last April in response to the hack, including against six Russian companies that support the country’s cyber efforts.