One year after the discovery of the 2021 SolarWinds supply chain compromise, security researchers report two clusters of suspected Russian attack activity targeting global businesses and governments. Both are associated with the group behind the SolarWinds attack campaign.
The findings come from Mandiant, which has been tracking the activity in 2021 and reports “an adaptable and evolving threat” using novel tactics, techniques, and procedures (TTPs) to breach victims, collect data, and move laterally. The attackers associated with the SolarWinds incident have breached multiple entities, including cloud service providers (CSPs), and they continue to evolve.
Mandiant tracks the two clusters of activity as UNC3004 and UNC2652; it says both are linked to the group it tracks as UNC2452, also referred to as Nobelium by Microsoft.
“We are confident in saying that these clusters — maybe it means there are different teams or units, we don’t really know — they are all associated with [the] SolarWinds threat actor,” says Doug Bienstock, manager of incident response at Mandiant, in an interview with Dark Reading.
In most cases, post-compromise activity included theft of data relevant to Russian interests, Mandiant researchers wrote in a blog post. In some, the theft seemed primarily meant to create routes to access other victim environments. Targets included NGOs, government entities, and consulting organizations that are involved with, or could align with, Russian interests. So far, Mandiant is aware of two to three dozen targets compromised by this activity in 2021.
It appears the attackers’ goals varied depending on the target. When they accessed service provider environments, and downstream customers to a lesser degree, they were interested in credentials that would allow continued high-level permissions in both of those environments, Bienstock says. When targeting service providers, they sought credentials that would allow them to move from the service provider’s network down into their customers’ networks.
Once successfully in a customer environment, they were after confidential data that aligned with Russian interests or could help them further those interests, Bienstock explained.
“Generally, that data, in most organizations now, is going to be in the form of email and email-adjacent, like SharePoint or OneDrive files,” he adds. “We’re largely seeing them target that type of data and individuals at the organizations who may be involved with those Russian-related subjects.”
Inside the Attackers’ Toolbox
The activity Mandiant disclosed today goes back to the first quarter of this year and has many similarities to the methods used in the SolarWinds campaign, Bienstock notes. Attackers continue to display a high skill level in their operational security and take several steps to hide their activities and blend in with users’ normal activities, making it difficult for researchers to attribute the activity and track the attackers’ infrastructure.
“They also show a particular deftness at being able to quickly research techniques, iterate on them, and then implement them in the wild, and they continue to target Microsoft 365 using some fairly advanced methodologies,” Bienstock continues.
Their operational security, and the pace at which they can grow their toolbox of techniques, are two traits that stood out to him.
In at least one case, the attacker compromised a local VPN account, then used it to conduct recon and gain access to internal resources in the victim CSP’s environment. This allowed them to compromise internal domain accounts. In another campaign, attackers were able to access a victim’s Microsoft 365 environment using a stolen session token. It was later discovered some systems had been infected with info-stealer Cryptbot before the token was generated.
Other techniques include the compromise of a Microsoft Azure AD account within a CSP’s tenant in one attack; in another, attackers used RDP to pivot between systems that had limited Internet access. The attackers compromised privileged accounts and used SMB, remote WMI, remote scheduled task registration, and PowerShell to execute commands in target networks.
Attackers are also making use of a new bespoke downloader dubbed Ceeloader, which decrypts a shellcode payload to execute in memory on a target device. The downloader is derived from VaporRage, a downloader Microsoft has previously discussed. Ceeloader is used during the crucial stage of an intrusion when attackers have a toehold in the environment but need to download additional malware, making this a good opportunity to detect and prevent, Bienstock says.
“This threat actor, they seem to be very choosy over when they’re going to develop their own malware and when they’ll use off-the-shelf tooling,” he adds.
On the operational security front, Mandiant found attackers using residential IP address ranges to authenticate into victim environments. It’s believed this access was obtained through mobile and residential IP address proxy providers, which proxy traffic through mobile devices by bundling a proxy application in return for free applications and/or services.
“The threat actor has started using these services because they know that defenders, investigators treat domestic ISPs as pretty legitimate activity — especially more so if that activity comes from a geography where your employees are based,” Bienstock explains. “That shows me they are continuing to refine their ability to blend in with normal business activities.”
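The stolen session token and the residential-proxy logins described above share one defensive lesson: a source-country check passes them, while tying a session to the device it was first seen on does not. The sketch below is an added example, not code from Mandiant or the original article. The record fields (`session`, `device`, `asn`, `country`) are a hypothetical normalized schema rather than a real Microsoft 365 log format, and the sample events and ASNs (documentation range) are constructed.

```python
# Constructed sign-in events; field names are hypothetical, not a real log schema.
SIGNINS = [
    {"ts": 1, "user": "alice", "session": "s-100", "device": "dev-A",
     "asn": 64496, "country": "US"},
    {"ts": 2, "user": "alice", "session": "s-100", "device": "dev-A",
     "asn": 64496, "country": "US"},
    # Same session token replayed from a new device on a consumer-ISP ASN,
    # still inside the country where employees are based.
    {"ts": 3, "user": "alice", "session": "s-100", "device": "dev-X",
     "asn": 64497, "country": "US"},
    {"ts": 4, "user": "bob", "session": "s-200", "device": "dev-B",
     "asn": 64496, "country": "US"},
    # Bob moves from the office to a home network on the same device.
    {"ts": 5, "user": "bob", "session": "s-200", "device": "dev-B",
     "asn": 64498, "country": "US"},
]
EMPLOYEE_COUNTRIES = {"US"}


def geo_only_alerts(events):
    """Naive control: alert only when the source country is unexpected."""
    return [e for e in events if e["country"] not in EMPLOYEE_COUNTRIES]


def session_replay_alerts(events):
    """Flag reuse of a session from a device other than the first one seen."""
    first_seen = {}
    alerts = []
    for e in sorted(events, key=lambda ev: ev["ts"]):
        base = first_seen.setdefault(e["session"], e)
        if e["device"] != base["device"]:
            alerts.append({
                "session": e["session"],
                "user": e["user"],
                "ts": e["ts"],
                "issued_device": base["device"],
                "seen_device": e["device"],
                # Network change is context for triage, not the trigger:
                # legitimate users change networks without changing device.
                "asn_changed": e["asn"] != base["asn"],
            })
    return alerts


if __name__ == "__main__":
    print("geo-only alerts:", geo_only_alerts(SIGNINS))
    for alert in session_replay_alerts(SIGNINS):
        print("session replay:", alert)
```

The geo-only check stays silent on every event, while the session check flags only the replayed token and ignores the ordinary office-to-home network change.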