WASHINGTON (AP) – The Russian state hacker elite behind last year’s massive SolarWinds cyberespionage campaign have hardly slowed this year, carrying out numerous infiltrations of US and allied government agencies and foreign policy think tanks with consummate know-how and stealth, a leading cybersecurity firm reported.
Also on Monday, Microsoft announced that it had halted cyber espionage by a state-backed Chinese hacking group by seizing websites it was using to gather intelligence from foreign ministries, government groups, think tanks and human rights organizations in the United States and 28 other countries, the vast majority in Latin America.
Microsoft said that a Virginia federal court last Thursday granted its request to seize 42 web domains that the Chinese hacking group, which it calls Nickel but which is also known as APT15 and Vixen Panda, used to access targets generally aligned with China’s geopolitical interests. The company said in a blog post that “a key piece of the infrastructure the group relied on” during its latest wave of infiltration had been removed.
The dueling announcements, while unrelated, highlight the relentless pace of digital espionage by the United States’ main geopolitical rivals, whose cyber-intrusion skills are matched only by those of the United States itself.
A year after discovering the SolarWinds intrusions, Mandiant said hackers associated with the Russian foreign intelligence agency SVR continue to steal data “relevant to Russian interests” with great effect, using new stealth techniques that it detailed in a mainly technical report aimed at helping security professionals remain vigilant. It was Mandiant, not the US government, that disclosed SolarWinds.
While the number of government agencies and businesses hacked by the SVR was lower this year than last year, when around 100 organizations were compromised, it is difficult to assess the damage, said Charles Carmakal, technical director of Mandiant. “Overall, the impact is quite severe,” he said. “Companies that get hacked also lose information.”
“Not everyone discloses the incident(s) because they don’t always have to legally disclose it,” he said, complicating the damage assessment.
Russian cyber espionage has unfolded, as always, mostly in the shadows, while the US government was consumed in 2021 by a distinct, eminently ‘loud’, headline-grabbing cyber threat: ransomware attacks initiated not by nation-state hackers but by criminal gangs. As it turns out, these gangs are largely protected by the Kremlin.
Mandiant’s findings follow an October report from Microsoft that hackers, including the umbrella group it calls Nobelium, continue to infiltrate government agencies, foreign policy think tanks and other organizations of interest to Russia through the cloud service companies and managed service providers on which those organizations rely more and more. Mandiant researchers said Russian hackers “continue to innovate and identify new techniques and tradecraft” that allow them to linger in victim networks, hinder detection and confuse attempts to attribute the hacks to them.
Mandiant did not identify individual victims or describe specific information that may have been stolen, but said unspecified “diplomatic entities” that had received malicious phishing emails were among the targets.
Often, researchers say, the path of least resistance for hackers to reach their targets was through cloud computing services. From there, they used stolen credentials to infiltrate networks. The report describes how, in one case, they gained access to a victim’s Microsoft 365 system through a stolen session token. And, according to the report, the hackers regularly relied on advanced tradecraft to cover their tracks.
A clever technique discussed in the report illustrates the ongoing cat-and-mouse game that digital espionage involves. The hackers set up intrusion beachheads using IP addresses (the numeric designations that identify a device’s location on the Internet) that were physically located near the account they were trying to breach: in the same block of addresses, for example, as the victim’s local Internet provider. This makes it very difficult for security software to distinguish a hacker using stolen credentials from the legitimate user accessing their work account remotely.
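The detection gap described above, illustrated with an added Python example that is not part of the AP article or Mandiant’s report. The sign-in records, session ids and ASN values are constructed; the point is that a check keyed on geographic distance misses a session token reused from a nearby network, while a check keyed on the network (ASN) the token is presented from still fires.

```python
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class SignIn:
    """One cloud sign-in event (constructed sample, not a real log format)."""
    user: str
    session_id: str   # the session token being presented
    ip: str
    asn: str          # autonomous system the source IP belongs to
    city: str         # coarse geolocation of the source IP


# Constructed sample: alice's token is first used from her home ISP (AS64500),
# then replayed from an address in the same city but a different network.
LOGS = [
    SignIn("alice", "sess-01", "203.0.113.10", "AS64500", "Arlington"),
    SignIn("alice", "sess-01", "203.0.113.11", "AS64500", "Arlington"),
    SignIn("alice", "sess-01", "198.51.100.7", "AS64511", "Arlington"),
    SignIn("bob", "sess-02", "192.0.2.5", "AS64500", "Reston"),
]


def city_change_alerts(logs):
    """Geography-based rule: flag a session seen from more than one city.
    Against an attacker who chose a nearby IP this returns nothing."""
    cities = defaultdict(set)
    for e in logs:
        cities[e.session_id].add(e.city)
    return sorted(sid for sid, seen in cities.items() if len(seen) > 1)


def network_change_alerts(logs):
    """Network-based rule: flag a session token presented from more than one
    ASN, independent of distance. Returns {session_id: sorted ASNs seen}."""
    asns = defaultdict(set)
    for e in logs:
        asns[e.session_id].add(e.asn)
    return {sid: sorted(seen) for sid, seen in asns.items() if len(seen) > 1}


if __name__ == "__main__":
    print("city rule:", city_change_alerts(LOGS))        # []
    print("network rule:", network_change_alerts(LOGS))  # {'sess-01': [...]}
```

Binding a session to the network it was issued on (or re-authenticating when it moves) is what turns the second rule into a control rather than just an alert.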
Microsoft expressed no illusions that the website seizures it announced on Monday would deter the Chinese hackers, whom it has been tracking since 2016 across cloud, Exchange Server and SharePoint systems. The company has used this legal takedown tactic in 24 lawsuits to date, Microsoft said, taking down a total of 600 sites used by state actors and 10,000 by cybercriminals.
The SolarWinds hack exploited vulnerabilities in the software supply chain and went undetected for much of 2020 despite compromising a wide range of federal agencies, including the Department of Justice, and dozens of companies, primarily telecommunications and information technology providers, including Mandiant and Microsoft.
The hacking campaign is named SolarWinds after the American software company whose product was exploited in the first infection stage of this effort. The Biden administration imposed sanctions last April in response to the hack, including against six Russian companies that support the country’s cyber efforts.
(Copyright (c) 2021 The Associated Press. All rights reserved. This material may not be published, broadcast, rewritten or redistributed.)