Almost exactly a year ago, security researchers uncovered one of the worst data breaches in modern history, if not ever: a Kremlin-backed hacking campaign that compromised the servers of network management provider SolarWinds and, from there, the networks of 100 of its highest-profile customers, including nine US federal agencies. Nobelium—the name Microsoft gave to the intruders—was eventually expelled, but the group never gave up and arguably has only become more brazen and adept at hacking large numbers of targets in a single stroke. The latest reminder of the group’s proficiency comes from security firm Mandiant, which on Monday published research detailing Nobelium’s numerous feats—and a few mistakes—as it continued to breach the networks of some of its highest-value targets.
One of the things that made Nobelium so formidable was the creativity of its TTPs, hacker lingo for tactics, techniques, and procedures. Rather than breaking into each target one by one, the group hacked into the network of SolarWinds and used the access, and the trust customers had in the company, to push a malicious update to roughly 18,000 of its customers.
Almost instantly, the hackers could intrude into the networks of all of those entities. It would be similar to a burglar breaking into a locksmith’s premises and obtaining a master key that opened the doors of every building in the neighborhood, sparing the hassle of having to jimmy open each lock. Not only was Nobelium’s method scalable and efficient, it also made the mass compromises much easier to conceal.
Mandiant’s report shows that Nobelium’s ingenuity hasn’t wavered. Company researchers say that since last year the two hacking groups linked to the SolarWinds hack—one called UNC3004 and the other UNC2652—have continued to devise new ways to compromise large numbers of targets in an efficient manner.
Instead of poisoning the supply chain of SolarWinds, the groups compromised the networks of cloud solution providers and managed service providers, or CSPs, which are outsourced third-party companies that many large companies rely on for a wide range of IT services. The hackers then found clever ways to use those compromised providers to intrude upon their customers.
“This intrusion activity reflects a well-resourced threat actor set operating with a high level of concern for operational security,” Monday’s report said. “The abuse of a third party, in this case a CSP, can facilitate access to a wide scope of potential victims through a single compromise.”
The advanced tradecraft didn’t stop there. According to Mandiant, other advanced tactics and ingenuities included: