Arkansas Democrat-Gazette

Russian state hackers said to be still at it

Cybersecurity firm finds more evidence of attackers using innovative techniques

- ERIC TUCKER AND FRANK BAJAK

WASHINGTON — The elite Russian state hackers behind last year’s SolarWinds cyberespionage campaign hardly eased up this year, managing plenty of infiltrations of U.S. and allied government agencies and foreign policy think tanks with consummate craft and stealth, a leading cybersecurity firm reported Monday.

On the anniversary of the disclosure of the SolarWinds intrusions, Mandiant said the hackers associated with Russia’s foreign intelligence agency continued stealing data “relevant to Russian interests” to great effect using novel, stealthy techniques that it detailed in a mostly technical report aimed at helping security professionals stay alert.

It was Mandiant, not the U.S. government, that disclosed SolarWinds.

While the number of government agencies and companies hacked was smaller this year than last, when some 100 organizations were breached, assessing the damage is difficult, said Charles Carmakal, Mandiant’s chief technical officer. Overall, the impact is quite serious, he said. “The companies that are getting hacked, they are also losing information.”

“Not everybody is disclosing the incident(s) because they don’t always have to disclose it legally,” he said, complicating damage assessment.

The Russian cyber spying unfolded mostly in the shadows as the U.S. was consumed in 2021 by a separate, eminently “noisy” and headline-grabbing cyber threat — ransomware attacks launched not by nation-state hackers but by criminal gangs. Those gangs are largely protected by the Kremlin.

The Mandiant findings follow an October report from Microsoft that the hackers, whose umbrella group it calls Nobelium, continue to infiltrate the government agencies, foreign policy think tanks and other organizations focused on Russian affairs through the cloud service companies and so-called managed services providers on which they increasingly rely. Mandiant tips its hat to Microsoft’s threat researchers in the report.

Mandiant researchers said the Russian hackers “continue to innovate and identify new techniques and tradecraft” that lets them linger in victim networks, hinder detection and confuse attempts to attribute hacks to them. In short, they said, Russia’s most elite state-backed hackers are as crafty and adaptable as ever.

Mandiant did not identify individual victims or describe what specific information may have been stolen, but did say unspecified “diplomatic entities” that received malicious phishing emails were among the targets.

Often, the researchers say, the hackers’ paths of least resistance to their targets were cloud-computing services. From there, they used stolen credentials to infiltrate networks. The report describes how in one case they gained access to a victim’s Microsoft 365 system through a stolen session. And the report says the hackers routinely relied on advanced tradecraft to cover their tracks.

One technique discussed in the report illustrates the cat-and-mouse game. Hackers set up intrusion beachheads using IP addresses, the numeric designations that identify location on the internet, that are physically near an account they are trying to breach — in the same address block, say, as the person’s local internet provider. That makes it highly difficult for security software to detect a hacker using stolen credentials posing as someone trying to access their work account remotely.
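To make concrete why the nearby-IP tactic above defeats location-based alerting, here is a small detection comparison written for this page; it is an added example, not code from the article, from Mandiant or from Microsoft. The sign-in records, the account baseline, the address blocks and the device and session identifiers are all constructed for illustration. It runs a naive rule that alerts only when the source IP falls outside the account's usual ISP block beside a rule keyed on device and session context, and shows that a login from inside the victim's own address block slips past the first rule but not the second.

```python
import ipaddress
from dataclasses import dataclass


# Constructed sign-in records (illustrative, not from the article): one
# authentication event per line as a cloud identity provider might log it.
@dataclass
class SignIn:
    user: str
    src_ip: str
    device_id: str   # identifier bound to the user's enrolled device
    session_id: str  # session the request presented


# Constructed per-account baseline: the home ISP block and enrolled device.
BASELINE = {
    "alice": {
        "home_net": ipaddress.ip_network("203.0.113.0/24"),
        "device_id": "dev-enrolled-7f3a",
    },
}


def ip_proximity_check(event):
    """Naive rule: alert only when the source IP is outside the user's usual block.

    Returns True when the event should raise an alert.
    """
    base = BASELINE[event.user]
    return ipaddress.ip_address(event.src_ip) not in base["home_net"]


def device_context_check(event, known_sessions):
    """Context rule: alert when the device or session is not one this account
    established before, regardless of where the source IP sits.

    Returns True when the event should raise an alert.
    """
    base = BASELINE[event.user]
    unknown_device = event.device_id != base["device_id"]
    unknown_session = event.session_id not in known_sessions.get(event.user, set())
    return unknown_device or unknown_session


def evaluate(events, known_sessions):
    """Return (src_ip, ip_rule_alert, context_rule_alert) for each event."""
    return [
        (e.src_ip, ip_proximity_check(e), device_context_check(e, known_sessions))
        for e in events
    ]


# Constructed events: a normal login, stolen credentials used from a distant
# network, and stolen credentials used from inside the victim's own ISP block
# (the pattern the article describes).
SAMPLE_EVENTS = [
    SignIn("alice", "203.0.113.45", "dev-enrolled-7f3a", "sess-A1"),
    SignIn("alice", "198.51.100.9", "dev-unknown-00", "sess-Z9"),
    SignIn("alice", "203.0.113.200", "dev-unknown-00", "sess-Z9"),
]
KNOWN_SESSIONS = {"alice": {"sess-A1"}}

if __name__ == "__main__":
    for src_ip, ip_alert, ctx_alert in evaluate(SAMPLE_EVENTS, KNOWN_SESSIONS):
        print(f"{src_ip:15} ip-rule alert={ip_alert!s:5} context-rule alert={ctx_alert}")
```

The third event is the one that matters: the IP rule stays silent because the address sits in the expected block, while the context rule fires on the unfamiliar device. The caveat follows from the article's other point about stolen sessions: an attacker who replays a session the user already established presents a known session identifier, so the context rule alone is not sufficient either; it needs to be paired with binding sessions to a device and re-challenging when that binding breaks.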
