10 December 2021

Russian group behind SolarWinds incident ramping up hacking efforts, analysis says

MAGGIE MILLER

The Russian government-linked hacking group behind one of the biggest cyber espionage incidents in U.S. history has only intensified its hacking efforts in the year since, research released Monday found.

Cybersecurity group Mandiant on Monday released findings showing how the group, known as “Nobelium” or “UNC2452,” has continued to target governments and businesses, zeroing in on technology solutions and services groups, along with technology resellers, and using new tactics to make it more difficult to trace the threat activity and maintain access to networks.

“This intrusion activity reflects a well-resourced threat actor set operating with a high level of concern for operational security,” Mandiant researchers wrote in the report. "Though Mandiant cannot currently attribute this activity with higher confidence, the operational security associated with this intrusion and exploitation of a third party is consistent with the tactics employed by the actors behind the SolarWinds compromise."

The new activity was announced by Mandiant almost exactly a year after the company, formerly known as FireEye, announced its systems had been breached by “a nation with top-tier offensive capabilities.”

The announcement by the former FireEye was the first public clue to a massive espionage campaign that had been ongoing for most of 2020, which became known as the SolarWinds hack due to the hackers using a vulnerability in software from IT company SolarWinds to breach customer networks, among other avenues of attack.

At least nine federal agencies and 100 private sector groups were breached as a result, and President Biden levied sanctions on Russia in April in retaliation.

“This time around they are hacking into a lot of different companies and using those companies as entry points into the ultimate target they are trying to get into,” Charles Carmakal, Mandiant senior vice president and chief technology officer, told The Hill in an interview ahead of the release of the findings.

“They are the most advanced adversary that we deal with in the Western world,” Carmakal said.

Tensions between the U.S. and Russia have ramped up over the past year, and cybersecurity concerns were a key topic of conversation between President Biden and Russian President Vladimir Putin during their in-person meeting in Geneva in June. Cybersecurity is also expected to be on the agenda for their call Tuesday.

Mandiant has not been the only group to track Nobelium since it was linked to the SolarWinds hack.

Microsoft disclosed in May that it had gained access to an email marketing account used by the U.S. Agency for International Development, targeting 150 organizations in two dozen countries using the vulnerability. In October, Microsoft warned that Nobelium was targeting groups involved in the global IT supply chain, unsuccessfully attacking thousands of Microsoft customers.

“They’ve got incredible operational security, they’ve got incredible diligence, they’ve got a lot of patience, they are unlike most threat actors that we deal with, and so we are trying to do what we can to help our clients eradicate this threat actor from their networks,” Carmakal said.

No comments: