SolarWinds hackers have been quietly targeting governments, cloud providers

President of Russia Vladimir Putin prior to a military parade in Red Square in Moscow. Researchers at Mandiant say the suspected Russian hacking group behind the SolarWinds campaign has been using a diverse set of tools and techniques to compromise governments, businesses and cloud providers since 2020. (Sergey Pyatakov / Sputnik)
The actors behind the SolarWinds campaign have been leveraging “top notch operational security” and tradecraft and a diverse array of hacking techniques to successfully target governments, businesses and cloud providers around the world, according to new research from Mandiant.

Researchers at the threat intelligence firm say they are now tracking multiple clusters of hacking activity that trace back to Nobelium, the name given by Microsoft to the suspected Russian intelligence outfit that leveraged a corrupted update to SolarWinds IT management software last year to infect more than 100 of its customers, including at least nine federal agencies.

The new findings — released almost a year to the day since Mandiant (then FireEye) revealed the original SolarWinds compromise — underscore how the hackers have quietly continued to pursue access to the systems and data of organizations that hold value to the Russian government.

“In most instances, post-compromise activity included theft of data relevant to Russian interests,” the research notes. “In some instances, the data theft appears to be obtained primarily to create new routes to access other victim environments.”

Mandiant is tracking at least two distinct clusters of hacking activity associated with the group — one (UNC2652) responsible for targeting diplomatic entities with phishing attacks and another (UNC3004) known for attacking governments and businesses through their third-party cloud providers.

Doug Bienstock, incident response manager at Mandiant and one of the authors of the research, told SC Media that the new findings highlight two key insights about the actors.

First, even among its peers in the advanced persistent threat landscape, Nobelium regularly displays best-in-class operational security and deploys an unusually diverse set of tools, tactics and procedures that give it unique flexibility in infecting its victims.
Second, the threat actor has continued its theme of exploiting the relationship between victims and trusted third parties to break into systems and steal data. For instance, Mandiant has observed similar efforts by the group to target multiple cloud and managed service providers since 2020, and Bienstock told SC Media that this led to the compromise of between two and three dozen downstream customers as well.

“The SolarWinds campaign was about who were the vendors you trust and all the different software in your environment, and this threat actor leveraged that one-to-many relationship pretty well,” Bienstock said in an interview. “When we fast forward to now and talking about the cloud service providers, that’s them again saying why spend a lot of effort targeting a dozen individual companies when I can instead target one company that can then get me into those dozen ones.”

Bienstock said the other victims targeted were “generally” governments, consulting organizations and NGOs located in North America and Europe that set policy or help to set policy related to Russia, including think tanks.