Report says Russian hackers haven't eased spying efforts
The elite Russian state hackers behind last year’s massive SolarWinds cyberespionage campaign hardly eased up this year, managing plenty of infiltrations of U.S. and allied government agencies and foreign policy think tanks with consummate craft and stealth
Your support helps us to tell the story
From reproductive rights to climate change to Big Tech, The Independent is on the ground when the story is developing. Whether it's investigating the financials of Elon Musk's pro-Trump PAC or producing our latest documentary, 'The A Word', which shines a light on the American women fighting for reproductive rights, we know how important it is to parse out the facts from the messaging.
At such a critical moment in US history, we need reporters on the ground. Your donation allows us to keep sending journalists to speak to both sides of the story.
The Independent is trusted by Americans across the entire political spectrum. And unlike many other quality news outlets, we choose not to lock Americans out of our reporting and analysis with paywalls. We believe quality journalism should be available to everyone, paid for by those who can afford it.
Your support makes all the difference.The elite Russian state hackers behind last year's massive SolarWinds cyberespionage campaign hardly eased up this year, managing plenty of infiltrations of U.S. and allied government agencies and foreign policy think tanks with consummate craft and stealth, a leading cybersecurity firm reported Monday.
On the anniversary of the public disclosure of the SolarWinds intrusions, Mandiant said the hackers associated with Russia's SVR foreign intelligence agency continued to steal data “relevant to Russian interests” with great effect using novel, stealthy techniques that it detailed in a mostly technical report aimed at helping security professionals stay alert.
It was Mandiant, not the U.S. government, that disclosed SolarWinds.
While the number of government agencies and companies hacked by the SVR was smaller this year than last, when some 100 organizations were breached, assessing the damage is difficult, said Charles Carmakal, Mandiant's chief technical officer. Overall, the impact is quite serious. “The companies that are getting hacked, they are also losing information.”
“Not everybody is disclosing the incident(s) because they don’t always have to disclose it legally,” he said, complicating damage-assessment.
The Russian cyber spying unfolded, as always, mostly in the shadows as the U.S. government was consumed in 2021 by a separate, eminently “noisy” and headline-grabbling cyber threat — ransomware attacks launched not by nation-state hackers but rather criminal gangs. As it happens, those gangs are largely protected by the Kremlin
The Mandiant findings follow an October report from Microsoft that the hackers, whose umbrella group it calls Nobelium, continue to infiltrate the government agencies, foreign policy think tanks and other organizations focused on Russian affairs through the cloud service companies and so-called managed services providers on which they increasingly rely. Mandiant tips its hat to Microsoft's threat researchers in the report.
Mandiant researchers said the Russian hackers “continue to innovate and identify new techniques and tradecraft” that lets them linger in victim networks, hinder detection and confuse attempts to attribute hacks to them. In short, Russia's most elite state-backed hackers are as crafty and adaptable as ever.
Mandiant did not identify individual victims or describe what specific information may have been stolen but did say unspecified “diplomatic entities" that received malicious phishing emails were among the targets.
Often, the researchers say, the hackers' path of least resistance to their targets were cloud-computing services. From there, they used stolen credentials to infiltrate networks. The report describes how in one case they gained access to one victim's Microsoft 365 system through a stolen session. And, the report says, the hackers routinely relied on advanced tradecraft to cover their tracks.
One clever technique discussed in the report illustrates the ongoing cat-and-mouse game that digital espionage entails. Hackers set up intrusion beachheads using IP addresses, a numeric designation that identifies its location on the internet, that were physically located near an account they are trying to breach — in the same address block, say, as the person's local internet provider. That makes it highly difficult for security software to detect a hacker using stolen credentials posing as someone trying to access their work account remotely.
The SolarWinds hack exploited vulnerabilities in the software supply-chain system and went undetected for most of 2020 despite compromises at a broad swath of federal agencies — including the Justice Department — and dozens of companies, primarily telecommunications and information technology providers and including Mandiant and Microsoft.
The hacking campaign is named SolarWinds after the U.S. software company whose product was exploited in the first-stage infection of that effort. The Biden administration imposed sanctions last April in response to the hack, including against six Russian companies that support the country's cyber efforts.