Swiss firm accesses servers of hacking group linked to SolarWinds breach
A Swiss cyber-security firm said it has accessed servers used by a hacking group tied to the SolarWinds breach, revealing details of who the attackers targeted and how they carried out their operation.
The firm, Prodaft, also said the hackers had continued their campaign into this month.
Prodaft researchers said they were able to break into the
hackers' computer infrastructure and review evidence of a massive campaign
between August last year and this month which targeted thousands of companies
and government organisations across Europe and the United States.
The aim of the hacking group, dubbed SilverFish by the
researchers, was to spy on victims and steal data, according to Prodaft's
report.
SilverFish carried out an "extremely
sophisticated" cyber attack on at least 4,720 targets, including
government institutions, global IT providers, dozens of banking institutions in
the US and the European Union, major auditing and consulting firms, one of the
world's leading Covid-19 test-kit manufacturers and aviation and defence
companies, the report said.
The hackers used other methods to attack their victims
besides the vulnerability in SolarWinds' software, according to the
researchers.
The researchers do not attribute the attacks to a known
hacking organisation or a country, though they describe SilverFish as an
"APT group". APT stands for "advanced persistent threat",
and APT groups are often associated with state-backed hacking organisations.
Prodaft researchers said in an interview that the hackers
bore some hallmarks of a state-sponsored group, including not being motivated
by money and targeting critical infrastructure. But they said more analysis was
required to make a definitive determination.
As a result, the report does not establish whether SilverFish is a hacking organisation linked to the Russian government, which the US government and other cyber-security firms have said is likely behind the SolarWinds attack, or whether some other organisation also took part. That attack, disclosed in December, involved hackers inserting malicious code into updates for popular software from Texas-based SolarWinds.
As many as 18,000 SolarWinds customers received the
malicious updates, but far fewer were targeted by the hackers for further
infiltration.
About 100 private sector companies and nine US government agencies have been identified as compromised in that way, according to the White House.
Swiss cyber-security officials said they are in contact with
Prodaft, but declined to comment on the information exchanged "for
security reasons". The US Federal Bureau of Investigation declined to
comment about the report, while SolarWinds did not respond to a request for
comment.
The report was received with some scepticism among
cyber-security researchers in the US who have little doubt that the attack was
purely an espionage operation by the Russian Federation, though they declined
to criticise the report publicly. Microsoft indicated in December that a second
attacker might have played a role in exploiting SolarWinds.
Researchers at cyber research firm Malwarebytes described
Prodaft's findings as "sound".
"We expected to discover more breaches in the aftermath
of the SolarWinds disclosure late last year and knew that, quite likely,
multiple different threat groups took advantage of this unprecedented
supply-chain attack," said Malwarebytes chief executive and co-founder
Marcin Kleczynski, adding that the discovery of SilverFish reinforces the idea
that more than one group exploited SolarWinds.
It is not known if the 4,720 organisations that Prodaft says
were "compromised" by SilverFish simply received the malicious update
from SolarWinds or were targeted for further attacks by the hackers.
The researchers said they were not able to gain that level
of visibility into the attackers' actions. Nonetheless, the report offers
insights into how the hacking organisation operated.
SilverFish's hackers maintained regular working hours and
were most active from Monday to Friday between 8am and 8pm, the report said.
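The working-hours observation above is the kind of pattern an incident responder can extract from command-and-control or panel logs once they have them. The following Python is an added example, not code from Prodaft or from the SilverFish report: it takes UTC timestamps of operator actions (the log lines and their `timestamp team=... action=...` format are constructed for this example), tries each whole-hour UTC offset, and reports the offset whose Monday-to-Friday 08:00-20:00 window covers the most events. It goes slightly beyond the article in that it also recovers a probable time zone, since an "8am to 8pm" figure is only meaningful once an offset has been chosen.

```python
"""Infer an operator's working hours from C2 log timestamps.

Added example for this article; not code from Prodaft or the SilverFish
report. The log lines below and their format are constructed.
"""
from collections import Counter
from datetime import datetime, timedelta, timezone

# Constructed sample log: UTC timestamps of operator actions on a C2 panel.
# Twelve actions fall on weekdays 08:00-20:00 in UTC+3; one is a weekend
# action and one a late-night action, to show the fit is not perfect.
SAMPLE_LOG = """\
2021-02-01T05:12:44Z team=301 action=login
2021-02-01T07:40:02Z team=301 action=task_push
2021-02-01T14:05:19Z team=302 action=task_push
2021-02-02T06:30:00Z team=301 action=login
2021-02-02T11:15:33Z team=303 action=task_push
2021-02-02T16:48:10Z team=302 action=logout
2021-02-03T05:55:27Z team=304 action=login
2021-02-03T13:20:41Z team=301 action=task_push
2021-02-03T21:30:00Z team=302 action=task_push
2021-02-04T09:02:58Z team=303 action=login
2021-02-04T15:37:06Z team=304 action=task_push
2021-02-05T06:10:15Z team=301 action=login
2021-02-05T12:44:50Z team=302 action=task_push
2021-02-06T10:00:00Z team=301 action=task_push
"""

BUSINESS_HOURS = range(8, 20)   # 08:00 to 19:59 local time
WEEKDAYS = range(0, 5)          # Monday=0 .. Friday=4


def parse_log(text):
    """Return the UTC timestamp of each non-empty log line (first token)."""
    stamps = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts = line.split()[0]
        stamps.append(datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")
                      .replace(tzinfo=timezone.utc))
    return stamps


def in_business_window(utc_dt, offset_hours):
    """True if the event falls Mon-Fri 08:00-20:00 at the given UTC offset."""
    local = utc_dt.astimezone(timezone(timedelta(hours=offset_hours)))
    return local.weekday() in WEEKDAYS and local.hour in BUSINESS_HOURS


def window_fit(stamps, offset_hours):
    """Fraction of events inside the business window at this UTC offset."""
    hits = sum(in_business_window(s, offset_hours) for s in stamps)
    return hits / len(stamps)


def best_offset(stamps, offsets=range(-12, 15)):
    """Whole-hour UTC offset whose business window explains the most events.

    Ties are broken towards the offset closest to UTC.
    """
    scores = {o: window_fit(stamps, o) for o in offsets}
    best = max(scores, key=lambda o: (scores[o], -abs(o)))
    return best, scores[best]


def weekday_hour_histogram(stamps, offset_hours):
    """Count events per (weekday, hour) in the chosen local time zone."""
    tz = timezone(timedelta(hours=offset_hours))
    local = [s.astimezone(tz) for s in stamps]
    return Counter((d.weekday(), d.hour) for d in local)


if __name__ == "__main__":
    stamps = parse_log(SAMPLE_LOG)
    offset, fit = best_offset(stamps)
    print(f"best fit: UTC{offset:+d}, {fit:.0%} of events Mon-Fri 08:00-20:00")
    hist = weekday_hour_histogram(stamps, offset)
    names = ["Mon", "Tue", "Wed", "Thu", "Fri", "Sat", "Sun"]
    for (wd, hour), n in sorted(hist.items()):
        print(f"  {names[wd]} {hour:02d}:00  {'#' * n}")
```

Two caveats apply before reading too much into such a fit. Shared infrastructure (the article notes servers shared with Evil Corp) and automated tasking mix several actors' timestamps into one log, so split by operator or team identifier before fitting; and a scheduled job will look like round-the-clock activity whatever offset is chosen.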
The hackers operated servers in Russia and Ukraine, and
shared some of the same servers as a notorious Russian criminal hacking group
known as Evil Corp.
Prodaft said the hackers were an "extremely
well-organised cyber-espionage group", with four teams named 301, 302, 303
and 304 responsible for breaching their victims' computers. The hackers placed
emphasis on targeting governments and large corporations, such as Fortune 500
enterprise firms, according to the report.
The SilverFish group chose not to pursue attacks against
victims originating from countries including Russia, Ukraine, Georgia and
Uzbekistan, the report said.
The US was by far the country most frequently targeted, with 2,465 attacks recorded, followed by European states, with 1,466 victims in Italy, the Netherlands, Denmark, Austria, France and Britain.
The hackers wrote comments "in Russian slang and
vernacular", while English was the other main language used.
Source code also contained ID numbers and nicknames -
including "new hacker", "cyberbro netsupport" and
"walter" - for 14 people who likely worked under the supervision of
four teams, the report said.
"What is perhaps the most striking from this report is
the highly organised professionalism of the threat actor," said Mr Rik
Ferguson, vice-president of security research at cyber-security company Trend
Micro and special adviser for Europol, the EU's law enforcement agency, who
reviewed the report. He said it was clear that the hackers were highly skilled,
well funded and operating with a clearly defined mission brief.
Prodaft's involvement began in December, after a client was
compromised as part of the SolarWinds breach. The researchers searched the
Internet for other servers using the same unique digital fingerprint used in
the attack and found about a dozen machines used by the attackers.
Among these, Prodaft found two "command and control" servers, platforms set up and used by the attackers to monitor and send commands to the infected victims. Prodaft identified security weaknesses in the configuration of the two servers and gained access to them.
The researchers found lists of compromised organisations,
along with evidence indicating that the hacking group had been actively
targeting its victims since August last year. SilverFish went quiet in late
November, according to Prodaft's report, but returned in January to resume its
operations.
In what the researchers described as one of the more
shocking discoveries, the attackers created a Web panel for testing their
malicious payloads on victims' devices, looking to see if anti-virus or
threat-hunting products would flag their activities.
Prodaft, which stands for Proactive Defence Against Future
Threats, was founded in 2012 and is based in Yverdon-les-Bains, Switzerland.