Russia flag on the screen with program code showing SolarWinds hackers targeting cloud providers

Mandiant: SolarWinds Hackers Still Active, Currently Targeting Cloud Providers

The Russia-based threat group thought to be behind the devastating SolarWinds breach is once again active and hunting new targets, according to leading cybersecurity firm Mandiant. The SolarWinds hackers are up to their old tricks with new cloud providers, and have reportedly already breached a number of companies.

SolarWinds hackers return for a similar campaign

The SolarWinds attack took place about two years ago, compromising a variety of United States federal government agencies. The attack has been attributed to groups backed by Russia’s Federal Security Service and Federal Intelligence Service, including the notorious “Cozy Bear” group that has been linked to attacks on world governments dating back to 2014.

The SolarWinds hackers took advantage of a chain of exploits, chiefly a set of vulnerabilities in Microsoft cloud services products. They focused on cloud providers that were resellers of Microsoft’s services and those making use of Microsoft Office 365 email and other office tools. The biggest of their targets was SolarWinds, a major provider of network and systems management tools that contracts with the US federal government.

A specific network monitoring product, Orion, was breached by the SolarWinds hackers. This provided them potential access to the networks of some 18,000 Orion customers via malicious elements inserted into legitimate software updates. The theory of Russian intelligence being involved is strongly backed by the fact that the SolarWinds hackers ignored the vast majority of these compromised victims, focusing instead on a relative handful of espionage targets including a variety of US federal agencies.

Researchers with Mandiant recently issued a blog post in which they warn that these same groups are at it again. Using a variety of very similar techniques, the SolarWinds hackers are suspected to be on an active campaign against cloud providers again. Mandiant says that the groups are once again using a stealth approach, looking to exfiltrate data and focusing on items of interest to the Russian government. The attackers are either directly targeting data of interest, or looking to compromise victims that could provide a path to other victims that hold such data.

Mandiant says that in 2021, “multiple” cloud providers have been compromised with the aim of getting into the networks of downstream customers. The research group says that the attacks often begin with the installation of information-stealing malware such as CRYPTBOT, which the former SolarWinds hackers are enticing new victims into by promising free cracked commercial software hosted at sketchy download sites.

They are also once again targeting Microsoft 365 environments, stealing session tokens to gain authentication. When the attackers have legitimate usernames and passwords but are stymied by multi-factor authentication, they are zeroing in on users that have it set up to call their phone number and have them push a button to confirm the access. Apparently, enough spammed requests to some of these users will eventually get them to push the button.

Cloud providers compromised as path of least resistance to targets

The overall approach is extremely similar to the one the SolarWinds hackers deployed a year ago; identify targets that are relying on services from vulnerable cloud providers, and hit vulnerabilities in those cloud providers as the quickest path to getting to them. The attackers do not seem interested at all in compromising all of the cloud provider’s customers, for example hitting all of them with ransomware at once; this appears to be an intelligence operation that they would prefer nobody notice is happening.

Mandiant also notes that the focus is once again on breaching American government agencies and their known contractors. This tracks with recent warnings from several other security outfits, most notably France’s National Cybersecurity Agency (ANSSI), claiming that private contractors in this general sphere have been targeted with phishing attacks in recent weeks. In total at least 14 companies have been compromised with at least 140 targeted.

Mandiant also says that the SolarWinds hackers are among the best in the business. They already had a top-shelf reputation when they pulled off high-profile political breaches in years past, but Mandiant says that the groups are constantly refining their approaches and adding new elements to their toolboxes. Researcher Doug Bienstock says that the speed with which the groups adapt to and overcome security changes is remarkable. The groups are also fastidious about covering their tracks and leaving no potential identifiable information or breadcrumbs to their location behind after attacks.

While the SolarWinds hackers have a narrow focus on surveilling entities of interest to the Russian government, it remains possible that more crude and profit-minded threat actors could follow in their footsteps. Successful breaches of cloud providers could be devastating if leveraged to pass ransomware to all of the service’s clients, as just one example.

Erich Kron, security awareness advocate at KnowBe4, has some thoughts for organizations dealing with this “new reality”: “Cyberwarfare is now simply a part of modern geopolitical life, so we cannot expect these attacks to ease up any time soon, especially from state-sponsored actors. These attacks will continue to escalate as techniques improve and more resources are allocated to cyberwarfare … Since many of these nation-states leverage social engineering and email phishing as the primary means of initial infiltration, organizations of all sizes would benefit greatly from a strong security awareness training program with a focus on changing the employees’ behavior and a program where users report suspected phishing emails to security staff.”