SolarWinds hackers have a whole bag of new tricks for mass compromise attacks



A year ago, security researchers uncovered one of the worst data breaches in modern history: a Kremlin-backed hacking campaign that compromised the servers of network management provider SolarWinds and, from there, the networks of roughly 100 of its highest-profile customers.

Nobelium, the name Microsoft gave to the intruders, was eventually expelled, but the group never gave up and has remained able to hack large numbers of targets in a single stroke. Security firm Mandiant published research on Monday detailing the group's many feats as it continued to break into the networks of some of its highest-value targets.

Abusing trust.

One of the things that made Nobelium so formidable was its creativity. Rather than breaking into each target one by one, the group hacked into SolarWinds' network and used that access to push a malicious update to roughly 18,000 of its customers.

With that single foothold, the hackers could then penetrate the networks of any of those entities. It's as if a locksmith had been burgled and the thief could now open the doors of every building in the neighborhood with the locksmith's master key. Nobelium's efficient method also made the mass compromises much easier to conceal, since the malicious code arrived through a trusted channel rather than through thousands of separate intrusions.

Mandiant's report shows that Nobelium's ingenuity has not wavered. The two hacking groups Mandiant tracks as UNC3004 and UNC2652, both linked to the SolarWinds hack, have continued to develop new ways to compromise large numbers of targets efficiently.


Instead of poisoning the software supply chain as they did with SolarWinds, the groups compromised the networks of cloud solution providers (CSPs) and managed service providers (MSPs), the third-party outsourcing companies that many large enterprises rely on for a wide range of IT services. The hackers then used the providers' privileged access to intrude on the providers' customers.

Monday's report said that the intrusion activity was indicative of a well-resourced threat actor operating with a high degree of concern for operational security, and that the abuse of a third party, in this case a CSP, can facilitate access to a wide scope of potential victims through a single compromise.

Advanced tradecraft.

The advanced tradecraft didn't stop there. Other tactics and ingenuities included:

Use of credentials likely obtained from an info-stealer malware campaign run by a third-party actor. Cryptbot, the information stealer in question, harvests system and web browser credentials and cryptocurrency wallets; with credentials of this kind, UNC3004 and UNC2652 were able to compromise targets even when those targets didn't use a hacked service provider.
Once inside a provider's network, gaining access to email and other data from any other account in that network by way of a single account holding application impersonation privileges. Hacking this one account saved the hassle of breaking into each account individually.
Abuse of legitimate residential proxy services, and of cloud-provider infrastructure located close to the victim, to connect to targets. Admins of the hacked companies saw connections coming from local ISPs in the same region as the company, which helped hide the intrusions, since nation-sponsored hackers often use dedicated IP addresses that arouse suspicion.
Clever ways to bypass security restrictions, such as extracting virtual machines to determine internal routing configurations.
Gaining access to a target's Active Directory and federation infrastructure and using this all-powerful administrative position to steal the cryptographic key that signs authentication tokens, which could then be forged to subvert two-factor authentication protections. This technique yields what's known as a Golden SAML, akin to a skeleton key that unlocks every service relying on the Security Assertion Markup Language, the protocol behind single sign-on. Because a forged SAML assertion tells each service that authentication, including any second factor, has already taken place, the attacker is never challenged for 2FA at all.
Use of a custom downloader dubbed Ceeloader.
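A forged Golden SAML token looks entirely valid to the cloud service that consumes it, so the detection opportunity lies in the gap the forgery leaves behind: the on-premises federation server never issued it. The following Python script is an added example, not code from Mandiant or from the article, and it works over constructed sample logs with a simplified, assumed schema (an AD FS security-log export and a cloud identity-provider sign-in export reduced to flat dictionaries). It flags every federated sign-in for which no AD FS event 1200 ("issued a valid token") exists for that user in the preceding few minutes.

```python
"""Golden SAML triage: flag federated cloud sign-ins with no matching AD FS
token-issuance event. Added example with constructed data; the flat log
schema below is an assumption for illustration, not a real export format."""
from datetime import datetime, timedelta
from typing import Dict, List

# Constructed sample: AD FS security-log events. Event ID 1200 is "The
# Federation Service issued a valid token"; 1202 only records a validated
# credential and does not by itself prove that a token was issued.
ADFS_EVENTS = [
    {"ts": "2021-12-06T14:01:05Z", "event_id": 1200, "upn": "alice@example.com"},
    {"ts": "2021-12-06T14:30:40Z", "event_id": 1200, "upn": "bob@example.com"},
    {"ts": "2021-12-06T15:10:00Z", "event_id": 1202, "upn": "carol@example.com"},
]

# Constructed sample: cloud identity-provider sign-in records. issuer ==
# "federation" means the cloud side accepted a SAML assertion from AD FS;
# "cloud" is a native cloud password login and is out of scope here.
SIGNINS = [
    {"ts": "2021-12-06T14:01:09Z", "upn": "alice@example.com", "issuer": "federation", "src_ip": "198.51.100.7"},
    {"ts": "2021-12-06T14:31:02Z", "upn": "bob@example.com", "issuer": "federation", "src_ip": "198.51.100.9"},
    # Only a 1202 exists for carol: a validated credential, but no issued token.
    {"ts": "2021-12-06T15:10:30Z", "upn": "carol@example.com", "issuer": "federation", "src_ip": "198.51.100.11"},
    # No AD FS activity at all for this privileged account.
    {"ts": "2021-12-06T16:45:13Z", "upn": "admin@example.com", "issuer": "federation", "src_ip": "203.0.113.25"},
    {"ts": "2021-12-06T16:50:00Z", "upn": "dave@example.com", "issuer": "cloud", "src_ip": "203.0.113.40"},
]


def parse_ts(s: str) -> datetime:
    """Parse the ISO-8601 UTC timestamps used in the sample records."""
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ")


def index_token_issuance(adfs_events) -> Dict[str, List[datetime]]:
    """Map each user (lower-cased UPN) to the times AD FS issued a token (event 1200)."""
    issued: Dict[str, List[datetime]] = {}
    for ev in adfs_events:
        if ev["event_id"] == 1200:
            issued.setdefault(ev["upn"].lower(), []).append(parse_ts(ev["ts"]))
    return issued


def find_unbacked_signins(signins, adfs_events, window=timedelta(minutes=5)):
    """Return federated sign-ins that no AD FS token issuance explains.

    A legitimate federated sign-in is preceded, within `window`, by an AD FS
    event 1200 for the same user. A sign-in with no such event is consistent
    with a SAML assertion forged using a stolen token-signing key.
    """
    issued = index_token_issuance(adfs_events)
    flagged = []
    for s in signins:
        if s["issuer"] != "federation":
            continue
        t = parse_ts(s["ts"])
        candidates = issued.get(s["upn"].lower(), [])
        backed = any(t - window <= issue_time <= t for issue_time in candidates)
        if not backed:
            flagged.append(s)
    return flagged


if __name__ == "__main__":
    for hit in find_unbacked_signins(SIGNINS, ADFS_EVENTS):
        print(f"POSSIBLE FORGED SAML: {hit['upn']} at {hit['ts']} from {hit['src_ip']}")
```

On the sample data the script flags carol and admin and ignores alice, bob and the non-federated dave. Two caveats apply to real deployments: the window must tolerate clock skew between the AD FS farm and the cloud provider, and the source address is a weak signal on its own, because, as the residential-proxy item above notes, the attacker's traffic may arrive from an ISP in the victim's own region.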