Mandiant: SolarWinds Attackers Continue to Innovate
Suspected Russian Group Hitting Cloud, Managed Service Providers
A suspected Russian group blamed for the SolarWinds compromise in 2020 is continuing to innovate and has been infiltrating technology services and resellers, according to a new report from Mandiant.
Mandiant says the group, which it calls UNC2452 and Microsoft calls Nobelium, practices "top-notch operational security and advanced tradecraft." Mandiant says the group is "one of the toughest actors we have encountered" (see: Nobelium Makes Russia Leader in Cyberattacks).
"However, they are fallible, and we continue to uncover their activity and learn from their mistakes," Mandiant says in a report released Monday. "Ultimately, they remain an adaptable and evolving threat that must be closely studied by defenders seeking to stay one step ahead."
The U.S. government has connected the group to Russia's foreign intelligence service. Mandiant says it has been seeing clusters of activity likely related to UNC2452 that are targeting multiple cloud solution providers and managed service providers. In some of these intrusions, the attackers gained initial access with credentials likely obtained from an information-stealer malware campaign run by a third-party actor.
"We have seen this threat actor ultimately target government entities, consulting organizations and NGOs in North America and Europe who directly have data of interest to the Russian government," says Douglas Bienstock, manager, consulting at Mandiant.
Bienstock says that the adversaries in some cases first compromised technology solutions, services and reseller companies in North America and Europe that have access to targets that are of interest to them.
The researchers discovered that post-compromise activities by these groups included the theft of data relevant to Russian interests. They also used the stolen data to create new routes to access other victim environments.
"The threat actors continue to innovate and identify new techniques and tradecraft to maintain persistent access to victim environments, hinder detection, and confuse attribution efforts," according to Mandiant's report.
Among the tools observed was Cobalt Strike Beacon, a backdoor written in C/C++ that is part of the commercially available Cobalt Strike framework. Beacon supports commands such as shell command execution, file transfer, file execution and file management.
Beacon is also capable of capturing keystrokes and screenshots as well as acting as a proxy server.
"Beacon may also be tasked with harvesting system credentials, port scanning and enumerating systems on a network. Beacon communicates with a command and control server via HTTP(S) or DNS," the researchers write.
The group also uses a custom-developed downloader dubbed Ceeloader, written in C, which loads shellcode payloads and executes them in memory.
"An obfuscation tool has been used to hide the code in Ceeloader in between large blocks of junk code with meaningless calls to the Windows API. The meaningful calls to the Windows API are hidden within obfuscated wrapper functions that decrypt the name of the API and dynamically resolve it before calling," the researchers say.
How Ceeloader is distributed to victims is still unknown.
The researchers observed multiple instances in which threat actors compromised service providers and used privileged access and credentials belonging to these providers to compromise further downstream customers.
In one instance observed by Mandiant researchers, the threat actor compromised a local VPN account at a cloud service provider and used it to perform reconnaissance and reach internal resources in the provider's environment. This led to the compromise of internal domain accounts.
In another campaign, Mandiant observed the threat actors gaining access to the victim organization’s Microsoft 365 environment using a stolen session token.
The researchers assess with moderate confidence that the threat actor obtained the session token from the operators of the info-stealer malware. The tokens were used via public VPN providers to authenticate to the target’s Microsoft 365 environment.
Mandiant researchers say that they found evidence that the actors used Remote Desktop Protocol to pivot between systems that had limited internet access and used several devices to execute native Windows commands.
Mandiant also found evidence that the threat actors compromised several accounts and used some of them for reconnaissance while reserving others for lateral movement within the organization.
"Mandiant identified attempts to compromise multiple accounts within an environment and kept use of each account separated by function. This reduced the likelihood that detecting one activity could expose the entire scope of the intrusion," the researchers write.
The researchers previously reported that the threat actors applied strict operational security, reserving specific accounts or systems in a victim environment for higher-risk activities such as data theft and large-scale reconnaissance.
Once they enter an environment, the threat actors pivot to on-premises servers and crawl through them for technical documentation and credentials. Mandiant says that helps them to identify a route to gain access to their ultimate target’s network.
"This reconnaissance shows that the threat actor had a clear end goal in mind and was able to identify and exploit an opportunity to obtain required intelligence to further their goals," the researchers say.
The Mandiant researchers also observed the threat actors hinder detection by clearing system event logs within the victim's environment. The threat actors also disabled Sysinternals Sysmon and Splunk forwarders on victim machines that they accessed via Microsoft Remote Desktop.
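Each of the evasion steps above leaves its own trace before telemetry goes dark: a Service Control Manager event when a service stops (System log, event ID 7036) or is set to disabled (7040), a Security event when the audit log is cleared (1102), a System event when the System log is cleared (104), and a Sysmon "service state changed" event (ID 4) when Sysmon stops cleanly. The following detection logic is an added example, not code from Mandiant or from the article, and runs over constructed event records in a simplified shape; the field names and the list of monitored service display names are this example's assumptions, not a vendor schema.

```python
import re
from dataclasses import dataclass

# Constructed sample events (not real telemetry). Field names are this
# example's own; a real pipeline would map Get-WinEvent or SIEM fields onto them.
SAMPLE_EVENTS = [
    {"host": "WS01", "channel": "System", "event_id": 7036,
     "message": "The Sysmon64 service entered the stopped state."},
    {"host": "WS01", "channel": "System", "event_id": 7040,
     "message": "The start type of the SplunkForwarder service was changed "
                "from auto start to disabled."},
    {"host": "WS01", "channel": "Security", "event_id": 1102,
     "message": "The audit log was cleared.", "subject_user": "svc_backup"},
    {"host": "WS02", "channel": "System", "event_id": 104,
     "message": "The System log file was cleared."},
    {"host": "WS02", "channel": "System", "event_id": 7036,
     "message": "The Print Spooler service entered the stopped state."},  # benign
    {"host": "WS03", "channel": "Microsoft-Windows-Sysmon/Operational", "event_id": 4,
     "message": "Sysmon service state changed", "state": "Stopped"},
]

# Display names of services whose stop removes telemetry (assumed typical names;
# adjust to how the services are actually registered in your environment).
MONITORED_SERVICES = {"sysmon", "sysmon64", "splunkforwarder", "splunkd"}

SERVICE_STOPPED_RE = re.compile(r"^The (?P<svc>.+?) service entered the stopped state\.$")
START_TYPE_DISABLED_RE = re.compile(
    r"^The start type of the (?P<svc>.+?) service was changed from .+ to disabled\.$")


@dataclass(frozen=True)
class Alert:
    host: str
    rule: str
    detail: str


def detect_evasion(events):
    """Return one Alert per event that matches a log-clearing or
    telemetry-disabling pattern; unrelated service stops are ignored."""
    alerts = []
    for ev in events:
        host, chan, eid = ev["host"], ev["channel"], ev["event_id"]
        msg = ev.get("message", "")
        if chan == "Security" and eid == 1102:
            # Audit log cleared; the Subject fields name the account that did it.
            alerts.append(Alert(host, "audit_log_cleared", ev.get("subject_user", "?")))
        elif chan == "System" and eid == 104:
            alerts.append(Alert(host, "system_log_cleared", msg))
        elif chan == "System" and eid == 7036:
            m = SERVICE_STOPPED_RE.match(msg)
            if m and m.group("svc").lower() in MONITORED_SERVICES:
                alerts.append(Alert(host, "telemetry_service_stopped", m.group("svc")))
        elif chan == "System" and eid == 7040:
            m = START_TYPE_DISABLED_RE.match(msg)
            if m and m.group("svc").lower() in MONITORED_SERVICES:
                alerts.append(Alert(host, "telemetry_service_disabled", m.group("svc")))
        elif chan.startswith("Microsoft-Windows-Sysmon") and eid == 4 \
                and ev.get("state") == "Stopped":
            # Only emitted on a clean stop; a killed process leaves no event 4,
            # which is why the 7036 check above is kept as well.
            alerts.append(Alert(host, "sysmon_state_stopped", msg))
    return alerts


if __name__ == "__main__":
    for a in detect_evasion(SAMPLE_EVENTS):
        print(f"{a.host}: {a.rule} ({a.detail})")
```

Because these events are written to the local log before the agent stops forwarding, the rule only helps if the System and Security logs are also shipped by a path the attacker did not disable (for example Windows Event Forwarding to a collector), and the collector should additionally alert when a host that normally reports simply stops sending.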
Mandiant also saw the threat actors use residential IP address ranges to authenticate to victim environments. The source logon IP address then belongs to a major internet service provider serving customers in the same country as the victim, so sign-in alerts based on geography or "impossible travel" are less likely to fire.
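Since in-country residential egress defeats geography-based checks, the remaining signals in the sign-in data are the ones described earlier in this piece: a stolen session token (see the Microsoft 365 campaign above) being presented from a network other than the one it was issued to, and several "separated by function" accounts all authenticating from the same source address. The two checks below are an added example, not code from Mandiant or from the article. They run over constructed sign-in records whose field names are this example's own, not Microsoft's sign-in log schema, and they assume the identity provider exposes a stable session identifier per sign-in and that ASN enrichment of the source IP happens upstream.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample sign-ins (not real data); documentation IP ranges and
# reserved ASNs are used throughout.
SAMPLE_SIGNINS = [
    {"time": "2021-12-06T09:00:00", "user": "alice@example.test", "session_id": "S-1",
     "ip": "203.0.113.10", "asn": 64500, "isp": "Example Corp egress", "country": "US"},
    # Same session token, forty minutes later, from a consumer ISP in the same country.
    {"time": "2021-12-06T09:40:00", "user": "alice@example.test", "session_id": "S-1",
     "ip": "198.51.100.77", "asn": 64501, "isp": "Example Residential Broadband", "country": "US"},
    # Two further accounts authenticate from that residential address within the hour.
    {"time": "2021-12-06T09:45:00", "user": "bob@example.test", "session_id": "S-2",
     "ip": "198.51.100.77", "asn": 64501, "isp": "Example Residential Broadband", "country": "US"},
    {"time": "2021-12-06T10:05:00", "user": "carol@example.test", "session_id": "S-3",
     "ip": "198.51.100.77", "asn": 64501, "isp": "Example Residential Broadband", "country": "US"},
    # Benign: bob's own session from the corporate egress.
    {"time": "2021-12-06T11:00:00", "user": "bob@example.test", "session_id": "S-4",
     "ip": "203.0.113.10", "asn": 64500, "isp": "Example Corp egress", "country": "US"},
]


def session_asn_changes(signins):
    """Flag a session identifier that is presented from more than one ASN.

    A session/refresh token re-used from a different network than the one it
    was issued to points at token theft and replay rather than a fresh logon.
    Country is deliberately not consulted: residential egress in the victim's
    own country would pass a geo check.
    """
    by_session = defaultdict(list)
    for s in sorted(signins, key=lambda s: s["time"]):
        by_session[s["session_id"]].append(s)
    findings = []
    for sid, recs in by_session.items():
        issued_asn = recs[0]["asn"]
        for r in recs[1:]:
            if r["asn"] != issued_asn:
                findings.append((sid, r["user"], issued_asn, r["asn"], r["ip"]))
    return findings


def shared_source_accounts(signins, window=timedelta(hours=1), min_accounts=3):
    """Flag a source IP that authenticates as several distinct accounts within `window`.

    Keeping accounts separated by function limits what one detection reveals,
    but the egress address the operator uses still ties the accounts together.
    """
    by_ip = defaultdict(list)
    for s in signins:
        by_ip[s["ip"]].append((datetime.fromisoformat(s["time"]), s["user"]))
    findings = []
    for ip, recs in by_ip.items():
        recs.sort()
        for i, (t0, _) in enumerate(recs):
            users = {u for t, u in recs[i:] if t - t0 <= window}
            if len(users) >= min_accounts:
                findings.append((ip, tuple(sorted(users))))
                break  # one finding per IP is enough
    return findings


if __name__ == "__main__":
    for sid, user, a0, a1, ip in session_asn_changes(SAMPLE_SIGNINS):
        print(f"session {sid} ({user}) issued to AS{a0}, now used from AS{a1} at {ip}")
    for ip, users in shared_source_accounts(SAMPLE_SIGNINS):
        print(f"{ip} authenticated as {len(users)} accounts: {', '.join(users)}")
```

The second check needs a baseline: a corporate NAT address or a VPN concentrator legitimately authenticates as many users, so exclude known egress ranges before applying it, and treat a hit from a residential or public-VPN ASN as higher severity than one from an address the organization owns.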
The researchers also say they identified the threat actors hosting second-stage payloads as encrypted blobs on legitimate websites running WordPress. In multiple campaigns, researchers witnessed the use of Tor, virtual private servers, or VPS, and public virtual private networks, or VPNs, to access victim environments.