Russian actors behind SolarWinds attack hit global businesses, governments
One year after the discovery of the 2021 SolarWinds supply chain compromise, security researchers report two clusters of suspected Russian attack activity targeting global businesses and governments. Both are associated with the group behind the SolarWinds attack campaign.
The findings come from Mandiant, which has been tracking the activity in 2021 and reports “an adaptable and evolving threat” using novel tactics, techniques, and procedures (TTPs) to breach victims, collect data, and move laterally. The attackers associated with the SolarWinds incident have breached multiple entities, including cloud service providers (CSPs), and they continue to evolve.
Mandiant tracks the two clusters of activity as UNC3004 and UNC2652; it says both are linked to the group it tracks as UNC2452, also referred to as Nobelium by Microsoft.
“We are confident in saying that these clusters — maybe it means there are different teams or units, we don’t really know — they are all associated with [the] SolarWinds threat actor,” says Doug Bienstock, manager of incident response at Mandiant, in an interview with Dark Reading.
In most cases, post-compromise activity included theft of data relevant to Russian interests, Mandiant researchers wrote in a blog post. In some, the theft seemed primarily meant to create routes to access other victim environments. Targets included NGOs, government entities, and consulting organizations that are involved with, or could align with, Russian interests. So far, Mandiant is aware of two to three dozen targets compromised by this activity in 2021.
It appears the attackers’ goals varied depending on the target. When they accessed service-provider environments, and to a lesser degree downstream customer environments, they sought credentials that would let them retain high-level permissions in both, Bienstock says. When targeting service providers specifically, they sought credentials that would allow them to move from the service provider’s network down into its customers’ networks.
Once successfully in a customer environment, they were after confidential data that aligned with Russian interests or could help them further those interests, Bienstock explained.
To read the complete article, visit Dark Reading.