Reports Reveal That Russian Hackers Have Not Slowed Down

The expert Russian state hackers behind last year’s major SolarWinds cyberespionage effort have not slowed down this year, masterfully infiltrating US and allied government organizations and foreign policy think tanks, a new report from cybersecurity firm Mandiant reveals.

Microsoft announced Monday that it had disrupted the cyber-spying of a Chinese hacking group with state backing by seizing websites that were used to gather intelligence from foreign ministries, think tanks, and human rights organizations in the United States and 28 other countries, primarily in Latin America and Europe. The announcement was made as part of the company’s Cyber Security Awareness Month initiative.

An order from a federal court in Virginia was approved on Thursday, granting Microsoft’s request to seize 42 web domains that were being used by the Chinese hacking group Nickel, which is also known as APT15 and Vixen Panda, to gain access to targets that were typically aligned with China’s geopolitical interests.

Nickel has been linked to a number of cyberattacks against the United States. In a blog post, Microsoft reported that “a critical element of the infrastructure on which the organization has been depending” had been eliminated. “elperuanos.org,” “pandemicacre.com,” and “cleanskycloud.com” are among the domains that have been seized.

The United States government was completely engulfed by an entirely different, eminently “noisy,” and headline-grabbing cyber threat in the year 2021, while Russian cyber-spying continued largely in the shadows. These were mostly ransomware attacks, launched not by nation-state hackers but by organized crime gangs. Unfortunately, the Russian government has mostly sheltered such organizations from punishment in the past.

Following the release of a report by Microsoft in October, it was revealed that the hackers, whose umbrella group is known as Nobelium, are continuing to infiltrate government agencies, foreign policy think tanks, and other organizations that are concerned with Russian affairs through the cloud service companies and so-called managed services providers on which those organizations are becoming increasingly dependent.

While the number of government agencies and businesses infiltrated by the SVR was lower this year than it was the previous year when around 100 organizations were compromised, determining the extent of the damage is challenging, according to Charles Carmakal, chief technical officer of Mandiant. Overall, the consequences are fairly severe. “The firms that are being attacked are also losing information,” says the researcher.

“Not everyone is sharing the incident(s) since they do not necessarily have to declare it legally,” he said, adding to the difficulty of determining the extent of the harm.

Russia’s hackers, according to researchers from Mandiant, “continue to innovate and uncover new strategies and tradecraft” that enable them to loiter on victim networks, avoid detection measures, and generate confusion when investigators are seeking to track assaults back to the Russian government.

The report did not name particular victims or disclose what precise information may have been taken, but it did indicate that “diplomatic institutions” that received fraudulent phishing emails were among the targets.

According to the experts, cloud computing services were often the route of least resistance for hackers when it came to their targets. From there, they were able to penetrate networks by using stolen credentials. In one instance, the report details how they acquired access to a victim’s Microsoft 365 system through the use of stolen session tokens. Furthermore, according to the investigation, the hackers often used skilled tradecraft to conceal their activities.

The paper describes a devious method of digital espionage, which highlights the constant cat-and-mouse game that is involved in the activity. The attackers set up intrusion beachheads from IP addresses (the numeric designations that identify a computer’s location on the internet) that were physically near the account they were attempting to compromise, for example in the same address block as the person’s local internet service provider. As a result, it is very difficult for security software to distinguish a distant hacker using stolen credentials from the legitimate user accessing their own work account.
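As an added, constructed illustration (not from the article or from Mandiant’s report) of why source-address proximity alone is a weak signal: a detector keyed only on geolocation passes a replayed session token that arrives from a nearby address, while binding the token to the client that first presented it (user agent, and concurrent use from a second IP) still catches the replay. The log records, user, addresses and the 60-minute window are all assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed sign-in records; the shape and values are assumptions, not any vendor's log format.
@dataclass
class SignIn:
    ts: datetime
    user: str
    token_id: str
    ip: str
    city: str         # coarse geolocation of the source address (constructed)
    user_agent: str

LOG = [
    SignIn(datetime(2021, 12, 6, 9, 0),  "analyst@example.org", "tok-1", "203.0.113.10", "Arlington", "Outlook/16.0"),
    SignIn(datetime(2021, 12, 6, 9, 30), "analyst@example.org", "tok-1", "203.0.113.10", "Arlington", "Outlook/16.0"),
    # Same session token presented from a different host in the same ISP address block.
    SignIn(datetime(2021, 12, 6, 9, 41), "analyst@example.org", "tok-1", "203.0.113.77", "Arlington", "python-requests/2.26"),
]

def geo_anomalies(log):
    """Naive check: flag token use from a city other than the one it was first seen in."""
    issued_city, hits = {}, []
    for e in log:
        issued_city.setdefault(e.token_id, e.city)
        if e.city != issued_city[e.token_id]:
            hits.append(e)
    return hits

def token_binding_anomalies(log, window=timedelta(minutes=60)):
    """Bind each token to the client that first presented it: flag a changed user agent,
    or the same token in use from two distinct IPs within the window."""
    first, recent, hits = {}, {}, []
    for e in sorted(log, key=lambda x: x.ts):
        f = first.setdefault(e.token_id, e)
        reasons = []
        if e.user_agent != f.user_agent:
            reasons.append("user-agent changed")
        live = [(t, ip) for t, ip in recent.get(e.token_id, []) if e.ts - t <= window]
        if any(ip != e.ip for _, ip in live):
            reasons.append("same token from two IPs")
        recent[e.token_id] = live + [(e.ts, e.ip)]
        if reasons:
            hits.append((e, reasons))
    return hits
```

Running both detectors over LOG shows the geolocation check returning nothing while the binding check flags the third record for both reasons.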

The SolarWinds hack, which is believed to have taken advantage of vulnerabilities in the software supply chain, went undetected for the majority of 2020 despite compromises at a wide range of federal agencies, including the Justice Department, and dozens of private companies, mostly telecom and IT providers, such as Mandiant and Microsoft.

The hacking campaign is named SolarWinds after the U.S. software business whose product was compromised in the initial stage of the operation. In response to the incident, the Biden administration issued measures in April, including restrictions against six Russian organizations that assist the country’s cyber activities.

Steven Peck

Working as an editor for the Scientific Origin, Steven is a meticulous professional who strives for excellence and user satisfaction. He is highly passionate about technology, having himself gained a bachelor's degree from the University of South Florida in Information Technology. He covers a wide range of subjects for our magazine.