Getty Images/iStockphoto

One year later, SolarWinds hackers targeting cloud providers

The hacking crew accused of breaking into SolarWinds a year ago is back at it and is trying to get to their targets through attacks on the networks of cloud computing providers.

The hacking group behind the notorious SolarWinds breach is ringing in the one-year anniversary of that devastating intrusion by undertaking another potentially serious set of breaches against cloud computing providers.

Mandiant researchers say the Russian state-sponsored threat group UNC2452 and its offshoot groups have been looking to break into the networks of a cloud computing provider, targeting end users and then looking to move laterally into the provider's systems. According to Mandiant's report, the SolarWinds hackers have already had some success in this campaign.

"In at least one instance, the threat actor identified and compromised a local VPN account and made use of this VPN account to perform reconnaissance and gain further access to internal resources within the victim CSP's environment, which ultimately led to the compromise of internal domain accounts," the report said.

Among the tools spotted by the team were a new malware dropper package and instances of Beacon, the Cobalt Strike backdoor favored by penetration testers and ransomware operators.

Mandiant incident response manager Doug Bienstock told SearchSecurity the SolarWinds hackers are trying to use the cloud provider's network as the first phase of a downstream attack.

It is the customers of the service provider that are the threat actor's ultimate targets.
Doug Bienstock Incident response manager, Mandiant

"It is the customers of the service provider that are the threat actor's ultimate targets," Bienstock explained. "The threat actor targets cloud services providers to take advantage of the legitimate and often privileged access CSPs have into their customer networks. The threat actor then abuses that provider's legitimate access to ultimately compromise the CSPs customer networks."

Supply chain attacks against cloud and IT service providers have become a sort of calling card of the Russian-based advanced persistent threat group, also referred to by Microsoft as "Nobelium." Last year, the hackers made headlines when they were able to break into the networks of SolarWinds and covertly alter the code in one of its IT management software update packages.

The poisoned update resulted in backdoor malware being pushed out to thousands of companies that relied on SolarWinds management products, and as a result both private enterprise and government networks were targeted for further network intrusions by Nobelium.

Microsoft and the U.S. government believe the group operates either under the direction of -- or with the backing of -- the Russian government, as many of the targets are either government agencies or contractors.

Mandiant is not the only group reporting that Nobelium hackers remain active. A notice from the French National Cybersecurity Agency (ANSSI) warns that it has also seen the group taking aim at companies within its borders, with phishing attacks in particular being a potent weapon for initial compromise.

This latest batch of attacks, seemingly targeted at government interests, has been going on since at least February.

"The intrusion set succeeded in compromising email accounts belonging to French organizations, before using these access points to send weaponized emails to foreign institutions in the diplomatic sector," the ANSSI said.

"The initial method of intrusion remains unknown. French public organizations have also been recipients of spoofed emails. These messages were sent from foreign institutions seemingly compromised by the same intrusion set."

Bienstock said enterprises worried about being compromised by way of their cloud services provider should plan ahead by taking stock of just what sort of data their providers have access to, and whether that level of access is needed.

"Organizations should first review whether or not their service providers require the types of permissions that have been granted and remove them if unnecessary," Bienstock advised.

"If any organization believes a CSP with permissions into their environment has been compromised, organizations should audit for activities originating from that CSP's environment and their users."

Next Steps

SolarWinds hackers still active, using new techniques

Dig Deeper on Cloud security

Networking
CIO
Enterprise Desktop
Cloud Computing
ComputerWeekly.com
Close