Almost exactly a year ago, security researchers uncovered one of the worst data breaches in modern history, if not ever: a Kremlin-backed hacking campaign that compromised the servers of network management provider SolarWinds and, from there, the networks of 100 of its highest-profile customers, including nine US federal agencies.
Nobelium—the name Microsoft gave to the intruders—was eventually expelled, but the group never gave up and arguably has only become more brazen and adept at hacking large numbers of targets in a single stroke. The latest reminder of the group’s proficiency comes from security firm Mandiant, which on Monday published research detailing Nobelium’s numerous feats—and a few mistakes—as it continued to breach the networks of some of its highest-value targets.
One of the things that made Nobelium so formidable was the creativity of its TTPs, hacker lingo for tactics, techniques, and procedures. Rather than breaking into each target one by one, the group hacked into the network of SolarWinds and used the access, and the trust customers had in the company, to push a malicious update to roughly 18,000 of its customers.
Almost instantly, the hackers could intrude into the networks of all of those entities. It would be similar to a burglar breaking into a locksmith’s premises and obtaining a master-key that opened the doors of every building in the neighborhood, sparing the hassle of having to jimmy open each lock. Not only was Nobelium’s method scalable and efficient, it also made the mass compromises much easier to conceal.
Mandiant’s report shows that Nobelium’s ingenuity hasn’t wavered. Since last year, company researchers say the two hacking groups linked to the SolarWinds hack—one called UNC3004 and the other UNC2652—have continued to devise new ways to compromise large numbers of targets in an efficient manner.
Instead of poisoning the supply chain of SolarWinds, the groups compromised the networks of cloud solution providers and managed service providers, or CSPs, which are outsourced third-party companies that many large companies rely on for a wide range of IT services. The hackers then found clever ways to use those compromised providers to intrude upon their customers.
“This intrusion activity reflects a well-resourced threat actor set operating with a high level of concern for operational security,” Monday’s report said. “The abuse of a third party, in this case a CSP, can facilitate access to a wide scope of potential victims through a single compromise.”
The advanced tradecraft didn’t stop there. According to Mandiant, other advanced tactics and ingenuities included:
- Use of credentials stolen by financially motivated hackers using malware such as Cryptbot, an information stealer that harvests system and web browser credentials and cryptocurrency wallets. The assistance from these hackers allowed the UNC3004 and UNC2652 to compromise targets even when they didn’t use a hacked service provider.
- Once the hacker groups were inside a network, they compromised enterprise spam filters or other software with “application impersonation privileges,” which have the ability to access email or other types of data from any other account in the compromised network. Hacking this single account saved the hassle of having to break into each account individually.
- The abuse of legitimate residential proxy services or geo-located cloud providers such as Azure to connect to end targets. When admins of the hacked companies reviewed access logs, they saw connections coming from local ISPs with good reputations or cloud providers that were in the same geography as the companies. This helped disguise the intrusions, since nation-sponsored hackers frequently use dedicated IP addresses that arouse suspicions.
- Clever ways to bypass security restrictions, such as extracting virtual machines to determine internal routing configurations of the networks they wanted to hack.
- Gaining access to an active directory stored in a target’s Azure account and using this all-powerful administration tool to steal cryptographic keys that would generate tokens that could bypass two-factor authentication protections. This technique gave the intruders what’s known as a Golden SAML, which is akin to a skeleton key that unlocks every service that uses the Security Assertion Markup Language, which is the protocol that makes single sign-on, 2FA, and other security mechanisms work.
- Use of a custom downloader dubbed Ceeloader.