Wed | Dec 8, 2021 | 9:31 AM PST

Almost one year after the infamous SolarWinds compromise that breached nine U.S. federal agencies and hundreds of organizations, the group behind the attack remains quite active.

The Russian-linked group, dubbed "Nobelium" by Microsoft, has continued its hacking campaigns targeting business and government entities around the globe, according to new research from Mandiant.

Mandiant refers to the threat actors as "one of the toughest actors we have encountered." Security researchers elaborate on the group's sophistication:

"These suspected Russian actors practice top-notch operational security and advanced tradecraft. However, they are fallible, and we continue to uncover their activity and learn from their mistakes. Ultimately, they remain an adaptable and evolving threat that must be closely studied by defenders seeking to stay one step ahead."

7 recently observed tactics used by Nobelium

Mandiant has tracked multiple clusters of suspected Russian activity that have targeted organizations worldwide. Researchers were able to identify two distinct clusters of activity associated with Nobelium.

The cybersecurity firm noted seven tactics the group has recently used:

  • "Compromise of multiple technology solutions, services, and reseller companies since 2020."
  • "Use of credentials likely obtained from an info-stealer malware campaign by a third-party actor to gain initial access to organizations."
  • "Use of accounts with Application Impersonation privileges to harvest sensitive mail data since Q1 2021."
  • "Use of both residential IP proxy services and newly provisioned geo-located infrastructure to communicate with compromised victims."
  • "Use of novel TTPs to bypass security restrictions within environments including, but not limited to, the extraction of virtual machines to determine internal routing configurations."
  • "Use of a new bespoke downloader we call CEELOADER."
  • "Abuse of multi-factor authentication leveraging 'push' notifications on smartphones."

In most of the instances researchers observed, post-compromise activity included the theft of data relevant to Russian interests, though in some cases the access was used to create new routes into other victim environments.

SolarWinds threat actor's infrastructure

Security researchers discuss four main areas related to the threat actor's infrastructure: residential internet access; geo-located Azure infrastructure; compromised WordPress sites hosting second-stage payloads; and TOR, VPS, and VPN providers.

For residential internet access, researchers discuss the threat actor's efforts:

"In some campaigns, Mandiant identified that the threat actor was using residential IP address ranges to authenticate to victim environments. Mandiant believes that this access was obtained through residential and mobile IP address proxy providers. The providers proxy traffic through actual mobile devices such as phones and tablets by legitimately bundling a proxy application in return for free applications and/or services."

Because the traffic comes from real consumer devices, investigators have a hard time differentiating normal user activity from malicious activity. Mandiant notes that these tactics are rarely used by other threat actors and that they showcase the complexity of the group's operations.

This is similar to their efforts focused on Azure:

"In another campaign, the threat actor provisioned a system within Microsoft Azure that was within close proximity to a legitimate Azure-hosted system belonging to the CSP that they used to access their customer’s environment. This allowed the actor to establish geo-proximity with the victims which resulted in the recorded source IP address for the activity originating from within legitimate Azure IP ranges."

Researchers also discuss how the threat actors utilized compromised WordPress sites:

"In several campaigns by the actor, Mandiant and our partners identified that the actor was hosting second stage payloads as encrypted blobs on legitimate websites running WordPress. Mandiant observed at least two separate malware families attributed to the threat actor hosted on compromised WordPress sites."

And the fourth aspect of their infrastructure focuses on using TOR, VPS, and VPN providers to their advantage:

"In multiple campaigns by the threat actor, Mandiant witnessed the actor use a mixture of TOR, Virtual Private Servers (VPS) and public Virtual Private Networks (VPN) to access victim environments. In a particular campaign, Mandiant identified that the threat actor performed initial reconnaissance via a VPS provider located in the same region as the victim.

Mandiant believes a misconfiguration by the threat actor meant that the VPN services running on the VPS stopped functioning after 8 hours. Mandiant was then able to identify numerous TOR exit nodes that the threat actor used based on new authentication events."
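As an added illustration (not code from the Mandiant report or this article), the following routine shows the kind of authentication-event correlation the passage above describes from the defender's side: it labels each sign-in source as a Tor exit node, a VPS/cloud range or something else, and flags an account whose successful sign-ins pivot from a VPS source to a Tor exit within a short window. The exit-node set, the VPS range and the log lines are constructed placeholders using RFC 5737 documentation addresses.

```python
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

# Constructed Tor exit list and VPS range (RFC 5737 documentation addresses);
# a real deployment would load a current exit-node feed and cloud ranges here.
TOR_EXIT_NODES = {"203.0.113.7", "203.0.113.9"}
VPS_RANGES = [ip_network("198.51.100.0/24")]

# Constructed sign-in log for illustration.
SIGNIN_LOG = """\
2021-11-01T01:10:00Z user=jdoe src=198.51.100.23 result=success
2021-11-01T05:40:00Z user=jdoe src=198.51.100.23 result=success
2021-11-01T09:15:00Z user=jdoe src=203.0.113.7 result=success
2021-11-01T09:22:00Z user=jdoe src=203.0.113.9 result=success
2021-11-01T10:00:00Z user=asmith src=192.0.2.44 result=success
"""

def parse_events(text):
    """Parse 'ts user=... src=... result=...' lines into dicts."""
    events = []
    for line in text.splitlines():
        ts, *fields = line.split()
        ev = dict(f.split("=", 1) for f in fields)
        ev["ts"] = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")
        events.append(ev)
    return events

def classify_source(ip):
    """Label a source address as 'tor', 'vps' or 'other'."""
    if ip in TOR_EXIT_NODES:
        return "tor"
    if any(ip_address(ip) in net for net in VPS_RANGES):
        return "vps"
    return "other"

def find_vps_to_tor_pivots(events, window=timedelta(hours=12)):
    """Return (user, previous_src, tor_src) for accounts whose successful
    sign-ins move from a VPS source to a Tor exit node within `window`."""
    alerts = []
    last_by_user = {}  # user -> (timestamp, class, src) of last success
    for ev in sorted(events, key=lambda e: e["ts"]):
        if ev["result"] != "success":
            continue
        cls = classify_source(ev["src"])
        prev = last_by_user.get(ev["user"])
        if (prev and prev[1] == "vps" and cls == "tor"
                and ev["ts"] - prev[0] <= window):
            alerts.append((ev["user"], prev[2], ev["src"]))
        last_by_user[ev["user"]] = (ev["ts"], cls, ev["src"])
    return alerts
```

On the constructed log the routine flags jdoe's move from the VPS address to the first Tor exit; later Tor-to-Tor sign-ins by the same account are not re-flagged, so pair it with a plain "any success from a Tor exit" rule in practice.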

For more information regarding the sophisticated tactics used by the group responsible for SolarWinds, read the whole report from Mandiant.
