What the SolarWinds cyber attackers lifted from the US government
The Russian hacking group behind last year’s massive SolarWinds cyber attack sought access to US counter-intelligence policy, Covid-19 information and details on sanctions against Russia, a Microsoft report has found.
In late 2020 cyber raiders injected a security backdoor into network management software made by IT vendor SolarWinds. Roughly 18,000 entities installed the malicious update, allowing the attacking group to gain access to numerous companies and government agencies by initially compromising just one, in what is known as a supply chain attack.
Details of the threat actor’s objectives have remained scarce, with the Securities and Exchange Commission launching an inquiry in September to uncover the extent of corporate America’s exposure to the SolarWinds cyber strike.
A report published by Microsoft on Thursday detailed the information that the group behind the SolarWinds hack may have acquired. The primary goal, Microsoft said, was intelligence collection. There was “little evidence of destructive activity” not only during the SolarWinds attack but during other Russian-linked hacks.
The hacking group which carried out the SolarWinds attack, dubbed Nobelium by Microsoft, has been officially designated as an operation of the Russian Foreign Intelligence Service, or SVR, by US and UK intelligence agencies. The Kremlin has denied any involvement.
Despite the large number of compromised companies and agencies, Microsoft found that follow-up exploitation was limited to around 100 organisations.
After gaining initial access via backdoors planted by SolarWinds’ hijacked Orion update, Nobelium actors went on to conduct more targeted spear-phishing and password spray campaigns.
Government, NGOs, IT services and professional services sectors were the most targeted, Microsoft said. Nine federal agencies were breached in the attack, including the US Treasury and Commerce Department.
The goal in targeting government entities was to gain policy insights, Microsoft said. The SolarWinds hackers also sought access to cybersecurity response policies, threat hunting techniques and offensive testing tools. The aim was to “improve countermeasures” and avoid detection during future espionage attacks.
It was also reported that the SVR stole software signing certificates, source code and CSP accounts.
The true extent and precise details of the accessed information are not clear. Microsoft said it came to these conclusions based on the victim accounts that Nobelium accessed.
“Over the past year, Russia-based activity groups have solidified their position as acute threats to the global digital ecosystem by demonstrating adaptability, persistence, a willingness to exploit trusted technical relationships, and a facility with anonymisation and open-source tools that make them increasingly difficult to detect and attribute,” the report stated.
Microsoft added that Russian hacking groups have shown a “high tolerance for collateral damage”.
In June, Nobelium targeted Microsoft and its customers using password spray and brute-force attacks to gain entry into corporate systems.
Microsoft was separately targeted by Chinese state-linked hacking group Hafnium in early 2021. The threat actors used zero-day exploits to target its on-premises Exchange Server tech. Despite its exposure in these attacks, Microsoft ranks top out of 62 companies for enterprise security, according to GlobalData’s cybersecurity thematic scorecard.
This week Google said it blocked a phishing campaign conducted by Russian threat actors APT28, also known as Fancy Bear. The campaign targeted approximately 14,000 journalists, NGO and think tank members from around the world.
The attacks against SolarWinds and Microsoft, along with attacks on physical infrastructure including the Colonial Pipeline and meat processor JBS, have catapulted cybersecurity high up the agenda of the Biden administration.