The actors behind the SolarWinds campaign have been leveraging “top notch operational security” and tradecraft and a diverse array of hacking techniques to successfully target governments, businesses and cloud providers around the world, according to new research from Mandiant.
Researchers at the threat intelligence firm say they are now tracking multiple clusters of hacking activity that trace back to Nobelium, the name given by Microsoft to the suspected Russian intelligence outfit that leveraged a corrupted update in SolarWinds IT management software last year to infect more than 100 of its customers, including at least nine federal agencies.
The new findings — released almost a year to the day since Mandiant (then FireEye) revealed the original SolarWinds compromise — underscore how the hackers have quietly continued to pursue access to systems and data of organizations that hold value to the Russian government.
“In most instances, post compromise activity included theft of data relevant to Russian interests,” the research notes. “In some instances, the data theft appears to be obtained primarily to create new routes to access other victim environments.”
Mandiant is tracking at least two distinct clusters of hacking activity associated with the group — one (UNC2652) responsible for targeting diplomatic entities with phishing attacks and another (UNC3004) known for attacking governments and businesses through their third-party cloud providers.
Doug Bienstock, incident response manager at Mandiant and one of the authors of the research, told SC Media that the new findings highlight two key insights about the actors.
First, even amongst its peers in the Advanced Persistent Threat landscape, Nobelium actors regularly display best-in-class operational security and deploy an unusually diverse set of tools, tactics and procedures that give them unique flexibility in infecting their victims. Second, the threat actor has continued its theme of exploiting the relationship between victims and trusted third parties to break into systems and steal data.
For instance, Mandiant has observed similar efforts by the group to target multiple cloud and managed service providers since 2020, and Bienstock told SC Media that this led to the compromise of anywhere between two and three dozen downstream customers as well.
“The SolarWinds campaign was about who were the vendors you trust and all the different software in your environment, and this threat actor leveraged that one-to-many relationship pretty well,” Bienstock said in an interview. “When we fast forward to now and talking about the cloud service providers, that’s them again saying why spend a lot of effort targeting a dozen individual companies when I can instead target one company that can then get me into those dozen ones.”
Bienstock said the other victims targeted were “generally” governments, consulting organizations and NGOs located in North America and Europe that set policy or help to set policy related to Russia, including think tanks.
“Top notch” tradecraft
While APTs are known for leveraging high-end hacking capabilities, many often prefer to use well-worn playbooks and toolsets for compromising victims. What makes Nobelium actors different is the wide range of tools, methods and attack vectors they use to infect victims.
For initial access, the group can target a victim’s cloud provider or use stolen session tokens to break into their Microsoft 365 environment. They use tools like RDP to pivot between systems and locate account credentials, forge SAML tokens and disable logging that could reveal their presence. Custom PowerShell scripts are used to copy data and bypass network security filtering layers between cloud service providers and their customers. They can also exploit Microsoft Exchange to authenticate and impersonate email accounts.
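One defensive check against the SAML-forgery technique described above, as an added example that is not from the article or Mandiant's report: a forged token is signed with a stolen federation signing key and never passes through the organization's own federation server, so a cloud sign-in that asserts federated authentication with no matching issuance record at the identity provider is a strong signal. All log records, users and field names below are constructed.

```python
"""Added example: correlate federation-server token issuance with cloud
sign-ins that claim federated auth. Sign-ins with no matching issuance
(same user, same assertion id, issued shortly before) are flagged.
All records are constructed sample data, not real logs."""
from datetime import datetime, timedelta

# Constructed identity-provider (federation server) token issuance records.
IDP_ISSUANCE = [
    {"user": "alice@example.test", "issued": "2021-03-02T09:00:05Z", "id": "_a1"},
    {"user": "bob@example.test",   "issued": "2021-03-02T09:30:10Z", "id": "_b7"},
    {"user": "carol@example.test", "issued": "2021-03-01T08:00:00Z", "id": "_c3"},
]

# Constructed cloud sign-in records that assert federated authentication.
CLOUD_SIGNINS = [
    {"user": "alice@example.test", "time": "2021-03-02T09:00:07Z", "assertion_id": "_a1"},
    {"user": "bob@example.test",   "time": "2021-03-02T09:30:12Z", "assertion_id": "_b7"},
    # Assertion id reused a day after issuance: outside any sane validity window.
    {"user": "carol@example.test", "time": "2021-03-02T08:00:00Z", "assertion_id": "_c3"},
    # No issuance record at all: the token was minted outside the IdP.
    {"user": "svc-backup@example.test", "time": "2021-03-02T23:14:41Z", "assertion_id": "_zz9"},
]


def _ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ")


def find_unmatched_signins(issuance, signins, window=timedelta(minutes=5)):
    """Return sign-ins lacking an IdP issuance for the same (user, assertion id)
    that occurred between 0 and `window` before the sign-in time."""
    issued_at = {(r["user"], r["id"]): _ts(r["issued"]) for r in issuance}
    unmatched = []
    for s in signins:
        t_issued = issued_at.get((s["user"], s["assertion_id"]))
        if t_issued is None:
            unmatched.append(s)
            continue
        delta = _ts(s["time"]) - t_issued
        if not (timedelta(0) <= delta <= window):
            unmatched.append(s)
    return unmatched


if __name__ == "__main__":
    for s in find_unmatched_signins(IDP_ISSUANCE, CLOUD_SIGNINS):
        print("ALERT: federated sign-in without matching IdP issuance:", s)
```

In a real deployment the issuance side would come from the federation server's own audit log and the sign-in side from the cloud tenant's sign-in log; the point is that the attacker's forged tokens only ever appear in the second source.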
More recently, they have been observed leveraging a custom downloader written in C called CEELOADER that can deploy shellcode payloads and includes an obfuscation layer that buries its logic in a mass of junk code and uses spurious calls to the Windows API to stay hidden from network monitors.
Within victim environments, Nobelium used separate accounts to carry out different functions, like reconnaissance and lateral movement. Mandiant said this significantly reduces the chances that detection of a single compromised account could burn the whole operation.
That versatility makes Nobelium “an adaptable and evolving threat that must be closely studied” by defenders, the report notes. Bienstock said even amongst other state-level hacking groups, this group — which U.S. officials have attributed to Russia’s Foreign Intelligence Service — stands out.
“When we perform incident response and start looking at threat actors, they generally have a toolbox of their techniques, and for a lot of threat actors that toolbox can stay pretty static, or maybe they’ll add a new tool once every so often, or if there’s a major vulnerability in some technology they’ll go ahead and start using that,” said Bienstock. “This threat actor though, they are almost continuously adding new tools to their toolbox and slightly changing what they already have in there, which makes them a very unique and challenging group to investigate.”
Further underscoring the global reach of the group, the same day Mandiant released its research, the French government announced Nobelium was likely behind an ongoing phishing campaign since February 2021 that used compromised email accounts from French entities to send “weaponized emails” to foreign institutions, some of which were later used to send spoofed emails back to public organizations in France.