The Russian hacking group behind last year’s massive SolarWinds cyber attack sought access to US counter-intelligence policy, Covid-19 information and details on sanctions against Russia, a Microsoft report has found.
In late 2020 the attackers inserted a backdoor into network management software made by IT vendor SolarWinds. Roughly 18,000 entities installed the malicious update, allowing the attacking group to gain access to numerous companies and government agencies by initially compromising just one vendor, in what is known as a supply chain attack.
Details of the threat actor’s objectives have remained scarce, with the Securities and Exchange Commission launching an inquiry in September to uncover the extent of corporate America’s exposure to the SolarWinds cyber strike.
A report published by Microsoft on Thursday detailed the information that the group behind the SolarWinds hack may have acquired. The primary goal, Microsoft said, was intelligence collection. There was “little evidence of destructive activity” not only during the SolarWinds attack but during other Russian-linked hacks.
The hacking group which carried out the SolarWinds attack, dubbed Nobelium by Microsoft, has been officially designated as an operation of the Russian Foreign Intelligence Service, or SVR, by US and UK intelligence agencies. The Kremlin has denied any involvement.
Despite the large number of compromised companies and agencies, Microsoft found that follow-up exploitation was limited to around 100 organisations.
After gaining initial access via backdoors planted by SolarWinds’ hijacked Orion update, Nobelium actors went on to conduct more targeted spear-phishing and password spray campaigns.
Government, NGOs, IT services and professional services were the most targeted sectors, Microsoft said. Nine federal agencies were breached in the attack, including the US Treasury and the Commerce Department.
The goal in targeting government entities was to gain policy insights, Microsoft said. The SolarWinds hackers also sought access to cybersecurity response policies, threat hunting techniques and offensive testing tools. The aim was to “improve countermeasures” and avoid detection during future espionage attacks.
It was also reported that the SVR stole software signing certificates, source code and cloud service provider (CSP) accounts.
The true extent and precise details of the accessed information are not clear. Microsoft said it came to these conclusions based on the victim accounts that Nobelium accessed.
“Over the past year, Russia-based activity groups have solidified their position as acute threats to the global digital ecosystem by demonstrating adaptability, persistence, a willingness to exploit trusted technical relationships, and a facility with anonymisation and open-source tools that make them increasingly difficult to detect and attribute,” the report stated.
Microsoft added that Russian hacking groups have shown a “high tolerance for collateral damage”.
In June, Nobelium targeted Microsoft and its customers using password spray and brute-force attacks to gain entry into corporate systems.
Microsoft was separately targeted by the Chinese state-linked hacking group Hafnium in early 2021. The threat actors used zero-day exploits against its on-premises Exchange Server software. Despite its exposure in these attacks, Microsoft ranks top out of 62 companies for enterprise security, according to GlobalData’s cybersecurity thematic scorecard.
This week Google said it blocked a phishing campaign conducted by the Russian threat actor APT28, also known as Fancy Bear. The campaign targeted approximately 14,000 journalists, NGO staff and think tank members from around the world.
The attacks against SolarWinds and Microsoft, along with attacks on physical infrastructure including the Colonial Pipeline and meat processor JBS, have catapulted cybersecurity high up the agenda of the Biden administration.