Several U.S. agencies have released a report outlining the techniques used by the Russian hackers behind the SolarWinds compromise and others, which includes targeting cloud resources to reduce the likelihood of detection and monitoring IT staff to collect information on victim networks.
The FBI, Department of Homeland Security and Cybersecurity and Infrastructure Security Agency last week released a report on Russian Foreign Intelligence Service (SVR) cyber actors, saying the group is continuing to target government networks, political groups and IT companies.
The agencies say the attackers’ use of modified SolarWinds products as an initial access vector is a departure from their usual techniques. Findings also suggest that once inside a network, the actors behaved much as in previous attacks attributed to them, including moving through the network to reach email accounts and monitoring IT staff to collect useful information about the network and to determine whether the victim had detected them.
According to the agencies, 2018 marked a turning point for the hacking group’s techniques.
Beginning in 2018, the FBI observed the SVR shift from using malware on victim networks to targeting cloud resources, particularly e-mail, to obtain information. The exploitation of Microsoft Office 365 environments following network access gained through use of modified SolarWinds software reflects this continuing trend. Targeting cloud resources probably reduces the likelihood of detection by using compromised accounts or system misconfigurations to blend in with normal or unmonitored traffic in an environment not well defended, monitored, or understood by victim organizations.
The agencies say the Russian hacking group uses several common techniques to gain unauthorized access into victim networks, including password spraying and leveraging zero-day vulnerabilities.
The agencies called attention to one 2018 compromise of a large network in which password spraying was used to identify a weak password for an administrative account. SVR cyber actors attempted a small number of passwords at infrequent intervals to avoid detection, and they used a large number of IP addresses all located in the same country as the victim, including those associated with residential, commercial, mobile, and The Onion Router (TOR) addresses.
The organization unintentionally exempted the compromised administrator’s account from multi-factor authentication requirements. With access to the administrative account, the actors modified permissions of specific e-mail accounts on the network, allowing any authenticated network user to read those accounts.
The actors also exploited a second misconfiguration, this one affecting compromised non-administrative accounts: it permitted logins using legacy single-factor authentication from devices that did not support multi-factor authentication. The FBI suspects the actors qualified for this exemption by spoofing user agent strings to appear to be older mail clients, including Apple’s mail client and old versions of Microsoft Outlook. After logging in as a non-administrative user, the actors used the permission changes applied by the compromised administrative account to read specific mailboxes of interest within the victim organization.
While the password sprays were conducted from many different IP addresses, once the actors obtained access to an account, that compromised account was generally only accessed from a single IP address corresponding to a leased virtual private server (VPS). The FBI observed minimal overlap between the VPSs used for different compromised accounts, and each leased server used to conduct follow-on actions was in the same country as the victim organization.
During the period of their access, the actors consistently logged into the administrative account to modify account permissions, including removing their access to accounts presumed to no longer be of interest, or adding permissions to additional accounts.
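The 2018 case above describes four things a defender can look for in cloud sign-in and mailbox audit logs: a low-and-slow password spray (breadth across accounts and source IPs, very few attempts per account), an administrative account signing in without satisfying MFA, legacy mail-protocol sign-ins that dodge MFA, a compromised account that is afterwards used from a single dedicated IP, and mailbox permissions granted to any authenticated user. The following detection logic is an added example written for this article; it is not from the agencies’ report and not from any vendor product. The sign-in and audit records, the field names, the `LEGACY_APPS` categories, the `helpdesk-admin` account and all IP addresses are constructed for the example; only the `Add-MailboxPermission` and `Remove-MailboxPermission` operation names are real Exchange cmdlet names.

```python
"""Defender-side detections over constructed sign-in and audit records that
mirror the SVR tradecraft described in the joint advisory (example code, not
from the report). All data below is made up; IPs are from documentation ranges."""
import re
from collections import Counter, defaultdict

CHROME = "Mozilla/5.0 Chrome/88.0"           # constructed "normal" user agent
OLD_OUTLOOK = "Microsoft Office/14.0 (Windows NT 6.1; Microsoft Outlook 14.0.7166; Pro)"

# Constructed cloud sign-in records (ts, user, source_ip, result, client_app, user_agent, mfa_satisfied).
RAW_SIGNINS = [
    ("2021-03-01T01:12", "alice",          "203.0.113.10",  "fail",    "Browser", CHROME, False),
    ("2021-03-01T04:47", "bob",            "198.51.100.22", "fail",    "Browser", CHROME, False),
    ("2021-03-01T08:00", "alice",          "10.20.0.5",     "success", "Browser", CHROME, True),
    ("2021-03-01T09:03", "carol",          "203.0.113.45",  "fail",    "Browser", CHROME, False),
    ("2021-03-01T13:28", "dave",           "192.0.2.77",    "fail",    "Browser", CHROME, False),
    ("2021-03-01T17:55", "erin",           "198.51.100.8",  "fail",    "Browser", CHROME, False),
    ("2021-03-01T22:40", "helpdesk-admin", "192.0.2.130",   "fail",    "Browser", CHROME, False),
    ("2021-03-02T03:15", "helpdesk-admin", "198.51.100.61", "fail",    "Browser", CHROME, False),
    ("2021-03-02T08:05", "alice",          "10.20.0.5",     "success", "Browser", CHROME, True),
    ("2021-03-02T08:10", "carol",          "10.20.0.6",     "success", "Browser", CHROME, True),
    ("2021-03-02T15:30", "frank",          "192.0.2.19",    "fail",    "Browser", CHROME, False),
    ("2021-03-03T02:11", "helpdesk-admin", "203.0.113.77",  "fail",    "Browser", CHROME, False),
    ("2021-03-03T02:14", "helpdesk-admin", "203.0.113.99",  "success", "Browser", CHROME, False),
    ("2021-03-03T02:20", "helpdesk-admin", "203.0.113.99",  "success", "Browser", CHROME, False),
    ("2021-03-04T03:30", "bob",            "203.0.113.150", "success", "IMAP4",   OLD_OUTLOOK, False),
]
FIELDS = ("ts", "user", "ip", "result", "client_app", "user_agent", "mfa")
SIGNINS = [dict(zip(FIELDS, row)) for row in RAW_SIGNINS]

# Constructed mailbox-permission audit records (ts, actor, operation, mailbox, trustee, rights).
AUDIT = [
    ("2021-03-03T02:31", "helpdesk-admin", "Add-MailboxPermission",    "cfo@example.test",    "Authenticated Users",    "FullAccess"),
    ("2021-03-03T02:33", "helpdesk-admin", "Add-MailboxPermission",    "legal@example.test",  "Authenticated Users",    "FullAccess"),
    ("2021-03-05T11:02", "it-ops",         "Add-MailboxPermission",    "shared@example.test", "assistant@example.test", "FullAccess"),
    ("2021-03-06T01:47", "helpdesk-admin", "Remove-MailboxPermission", "legal@example.test",  "Authenticated Users",    "FullAccess"),
]

LEGACY_APPS = {"IMAP4", "POP3", "Authenticated SMTP", "Exchange ActiveSync", "Other clients"}
OLD_CLIENT_UA = re.compile(r"Microsoft Outlook 1[0-5]\.|Apple-?Mail", re.I)
BROAD_TRUSTEES = {"Everyone", "Authenticated Users", "Default"}


def detect_password_spray(events, min_users=5, min_ips=5, max_per_user=2):
    """Days whose failures are spread across many accounts and many source IPs with
    only one or two attempts per account. Breadth, not depth, is the signature: a
    per-account lockout threshold never fires, so the detection has to aggregate."""
    per_day = defaultdict(list)
    for e in events:
        if e["result"] == "fail":
            per_day[e["ts"][:10]].append(e)
    findings = {}
    for day, fails in sorted(per_day.items()):
        users = {e["user"] for e in fails}
        ips = {e["ip"] for e in fails}
        per_user = Counter(e["user"] for e in fails)
        if len(users) >= min_users and len(ips) >= min_ips and max(per_user.values()) <= max_per_user:
            findings[day] = {"users": len(users), "ips": len(ips)}
    return findings


def detect_single_ip_pivot(events, min_fail_ips=3):
    """Accounts that failed from several IPs and then succeeded only from one IP
    never seen among the failures: a sprayed password now used from one dedicated VPS."""
    fail_ips, success_ips = defaultdict(set), defaultdict(set)
    for e in events:
        (success_ips if e["result"] == "success" else fail_ips)[e["user"]].add(e["ip"])
    flagged = {}
    for user, fips in fail_ips.items():
        sips = success_ips.get(user, set())
        if len(fips) >= min_fail_ips and len(sips) == 1 and not (sips & fips):
            flagged[user] = next(iter(sips))
    return flagged


def detect_single_factor_access(events, admin_accounts):
    """Successful sign-ins that did not satisfy MFA: legacy-protocol or old-client
    sign-ins (single-factor by construction) and admin accounts exempted from MFA."""
    findings = []
    for e in events:
        if e["result"] != "success" or e["mfa"]:
            continue
        if e["client_app"] in LEGACY_APPS or OLD_CLIENT_UA.search(e["user_agent"]):
            findings.append((e["ts"], e["user"], "legacy-auth"))
        elif e["user"] in admin_accounts:
            findings.append((e["ts"], e["user"], "admin-without-mfa"))
    return findings


def detect_broad_mailbox_grants(audit):
    """Mailbox permission changes whose trustee is a catch-all principal, i.e. any
    authenticated user may read the mailbox; removals are kept because the advisory
    notes the actors also revoked access to mailboxes no longer of interest."""
    return [(ts, actor, op, mailbox) for ts, actor, op, mailbox, trustee, _ in audit
            if op.endswith("MailboxPermission") and trustee in BROAD_TRUSTEES]


if __name__ == "__main__":
    print("spray days:", detect_password_spray(SIGNINS))
    print("single-IP pivots:", detect_single_ip_pivot(SIGNINS))
    print("single-factor access:", detect_single_factor_access(SIGNINS, {"helpdesk-admin"}))
    print("broad mailbox grants:", detect_broad_mailbox_grants(AUDIT))
```

The thresholds are deliberately per-day and per-tenant rather than per-account: the advisory’s point is that a small number of attempts at infrequent intervals from many in-country IPs stays under any per-account lockout, so the only signal is the aggregate. Run against real logs, the same logic would need the tenant’s baseline for distinct failing users per day and an allow-list for known legacy-protocol service accounts, both of which are organization-specific assumptions this example does not make.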
The agencies also highlighted a zero-day vulnerability exploit from 2019 in which SVR exploited a vulnerability against a Citrix VPN appliance, exposing user credentials to gain access to victim networks.
The actors worked to establish a foothold on several different systems that were not configured to require multi-factor authentication and attempted to access web-based resources in specific areas of the network in line with information of interest to a foreign intelligence service.
Following initial discovery, the victim attempted to evict the actors. However, the victim had not identified the initial point of access, and the actors used the same VPN appliance vulnerability to regain access. Eventually, the initial access point was identified and removed from the network, and the actors were evicted. As in the previous case, the actors used dedicated VPSs located in the same country as the victim, probably so that their network traffic would not stand out as anomalous against normal activity.
Read the report for recommendations and mitigations.