It has been nearly a year since a coalition of IT and cybersecurity providers discovered a highly sophisticated Russian-aligned hacking campaign that most notably leveraged IT management software from SolarWinds to conduct espionage on U.S. agencies, tech companies and other high-value organizations. The IT industry has learned a lot since then, including the increasing skill with which threat actors operate, the sophistication of modern cybercrime organizations and the need to better secure the IT supply chain.
Cybersecurity firm Mandiant, formerly FireEye, was on the front lines of disclosing information about that campaign, which also impacted the company itself when some of its tools were stolen by the hackers. Even though the world now knows about this threat actor and its penchant for compromising the IT supply chain, that didn’t stop the group from conducting a range of other attacks since then, according to information disclosed in a recent Mandiant blog post.
This particular hacking group is widely considered to be the most advanced threat actor in recent memory, with Mandiant’s blog noting the group’s high level of skill.
“These suspected Russian actors practice top-notch operational security and advanced tradecraft,” reads the blog, penned by security researchers. “However, they are fallible, and we continue to uncover their activity and learn from their mistakes. Ultimately, they remain an adaptable and evolving threat that must be closely studied by defenders seeking to stay one step ahead.”
The company said it is continuing to track two “clusters” of Russian activity believed to be associated with the SolarWinds hackers. Microsoft calls the group Nobelium, while Mandiant refers to it as UNC2452.
The cybersecurity community – including those in the U.S. government – believes the group is aligned with the Russian government due to the theft of data relevant to Russian interests.
In the long and detailed blog, Mandiant describes recent activity of the group, which includes the compromise of other technology solutions, services and reseller companies since 2020.
That includes multiple instances of the group compromising a cloud service provider and using that privileged access and credentials to target downstream customers. In one case, the group compromised a local VPN account and used it to gain further access to internal resources within a service provider’s environment, leading to the compromise of internal domain accounts.
The threat actor also leveraged info-stealer malware to steal session tokens, which were then used via public VPN providers to authenticate to the target’s Microsoft 365 environment.
The group has also been observed abusing multi-factor authentication push notifications, making multiple requests in short succession until the end user accepts the authentication.
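The MFA push-spam pattern described above leaves a recognizable trace in identity-provider sign-in logs: a cluster of prompts for one user in a short window, most of them timed out or denied, sometimes ending in an approval. The following detection logic is an added example, not code from Mandiant or from the article; it runs over constructed sign-in records whose field names (`user`, `time`, `ip`, `mfa`) are a simplified assumption and not the real Azure AD or Microsoft 365 sign-in schema.

```python
"""Flag MFA push-fatigue bursts in sign-in records.

Added example (not from the Mandiant blog or the article). The record shape is an
assumed, simplified sign-in log; map your real log fields onto it before use.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample sign-in records (not real log data).
# 'mfa' is the outcome of the push prompt: approved, denied or timeout.
SAMPLE_RECORDS = [
    {"user": "alice@example.test", "time": "2021-12-06T08:01:10Z", "ip": "198.51.100.7", "mfa": "timeout"},
    {"user": "alice@example.test", "time": "2021-12-06T08:02:05Z", "ip": "198.51.100.7", "mfa": "timeout"},
    {"user": "alice@example.test", "time": "2021-12-06T08:02:50Z", "ip": "198.51.100.7", "mfa": "denied"},
    {"user": "alice@example.test", "time": "2021-12-06T08:03:40Z", "ip": "198.51.100.7", "mfa": "timeout"},
    {"user": "alice@example.test", "time": "2021-12-06T08:04:30Z", "ip": "198.51.100.7", "mfa": "approved"},
    {"user": "bob@example.test",   "time": "2021-12-06T09:15:00Z", "ip": "203.0.113.9", "mfa": "approved"},
    {"user": "bob@example.test",   "time": "2021-12-06T17:40:00Z", "ip": "203.0.113.9", "mfa": "timeout"},
    {"user": "bob@example.test",   "time": "2021-12-06T17:41:00Z", "ip": "203.0.113.9", "mfa": "approved"},
]


def parse_time(stamp):
    """Parse the ISO-8601 UTC timestamps used in the constructed records."""
    return datetime.strptime(stamp, "%Y-%m-%dT%H:%M:%SZ")


def find_push_fatigue(records, window_minutes=10, min_prompts=3):
    """Return one alert per user whose prompts form a burst: at least `min_prompts`
    MFA prompts inside a sliding window of `window_minutes` with at most one approval.
    The alert records whether the burst ended in an approval (the outcome the
    attacker is waiting for), which should drive triage priority."""
    window = timedelta(minutes=window_minutes)
    by_user = defaultdict(list)
    for rec in records:
        by_user[rec["user"]].append((parse_time(rec["time"]), rec["mfa"]))

    alerts = {}
    for user, events in by_user.items():
        events.sort()
        start = 0
        for end, (t_end, _) in enumerate(events):
            # Shrink the window from the left until it spans at most window_minutes.
            while t_end - events[start][0] > window:
                start += 1
            burst = events[start:end + 1]
            approvals = sum(1 for _, outcome in burst if outcome == "approved")
            if len(burst) >= min_prompts and approvals <= 1:
                previous = alerts.get(user)
                # Keep the largest qualifying burst for this user.
                if previous is None or len(burst) > previous["prompts"]:
                    alerts[user] = {
                        "user": user,
                        "prompts": len(burst),
                        "first": burst[0][0].isoformat(),
                        "last": burst[-1][0].isoformat(),
                        "ended_in_approval": burst[-1][1] == "approved",
                    }
    return list(alerts.values())


if __name__ == "__main__":
    for alert in find_push_fatigue(SAMPLE_RECORDS):
        print(alert)
```

Only alice is flagged: five prompts in under four minutes, ending in an approval. Bob's two prompts an hour apart fall below the threshold, which is the point of the sliding window: ordinary users retry occasionally, attackers hammer. Pairing the alert with the source IP of the approving sign-in, and preferring number-matching or FIDO2 authenticators over plain push approval, removes most of the remaining ambiguity.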
However, that’s just what the group did to gain initial access to victim networks, according to Mandiant’s blog.
The threat actor continued to leverage cloud service providers for its post-compromise activity, including compromising an Azure AD account within a service provider’s tenant that allowed it to use the Admin on Behalf Of feature. That gave the group privileged access to Azure subscriptions in customer tenants used to host and manage downstream customer systems.
According to Mandiant, the group also used the remote desktop protocol (RDP) to pivot between systems with limited internet access, reaching other devices in order to execute native Windows commands.
The group was also observed leveraging the Azure AD Connect configuration, associated AD service accounts and the key material used to encrypt service account credentials to forge a SAML token used to bypass multi-factor authentication and conditional access policies.
The cybersecurity firm says the threat actors also used compromised privileged accounts, SMB, remote WMI, remote scheduled tasks registration and PowerShell to execute commands within victim networks.
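Remote scheduled-task registration and remote WMI execution of the kind described above both produce a tell-tale sequence on the target host: a network logon (Security event 4624, logon type 3) for the account, followed seconds later by a scheduled-task creation (event 4698) or a process spawned under the WMI provider host (event 4688 with a WmiPrvSE.exe parent). The correlation below is an added example, not code from Mandiant or from the article; it runs over constructed Windows event records that use a simplified, assumed subset of those events' fields.

```python
"""Correlate Windows Security events into remote-execution alerts.

Added example (not from the Mandiant blog or the article). Event records are
constructed and use an assumed, simplified field set for event IDs 4624 (logon),
4698 (scheduled task created) and 4688 (process created).
"""
from datetime import datetime, timedelta

WMI_PROVIDER_HOST = "wmiprvse.exe"

# Constructed sample events (not real log data), already normalised to dicts.
SAMPLE_EVENTS = [
    {"time": "2021-12-06T10:00:00Z", "host": "FS01", "event_id": 4624, "logon_type": 3,
     "account": "CORP\\svc-backup", "src_ip": "10.0.5.23"},
    {"time": "2021-12-06T10:00:12Z", "host": "FS01", "event_id": 4698,
     "account": "CORP\\svc-backup", "task_name": "\\Microsoft\\Windows\\Updater"},
    {"time": "2021-12-06T10:20:00Z", "host": "WS07", "event_id": 4624, "logon_type": 3,
     "account": "CORP\\jdoe", "src_ip": "10.0.5.23"},
    {"time": "2021-12-06T10:20:30Z", "host": "WS07", "event_id": 4688, "account": "CORP\\jdoe",
     "parent_image": "C:\\Windows\\System32\\wbem\\WmiPrvSE.exe",
     "new_process": "C:\\Windows\\System32\\cmd.exe"},
    # Interactive logon followed by a normal user process: must not alert.
    {"time": "2021-12-06T11:00:00Z", "host": "WS07", "event_id": 4624, "logon_type": 2,
     "account": "CORP\\jdoe", "src_ip": "-"},
    {"time": "2021-12-06T11:05:00Z", "host": "WS07", "event_id": 4688, "account": "CORP\\jdoe",
     "parent_image": "C:\\Windows\\explorer.exe",
     "new_process": "C:\\Windows\\System32\\notepad.exe"},
    # Task created by an admin with no preceding network logon: not correlated.
    {"time": "2021-12-06T15:00:00Z", "host": "DC01", "event_id": 4698,
     "account": "CORP\\admin1", "task_name": "\\Backup\\Nightly"},
]


def parse_time(stamp):
    """Parse the ISO-8601 UTC timestamps used in the constructed records."""
    return datetime.strptime(stamp, "%Y-%m-%dT%H:%M:%SZ")


def classify(event):
    """Name the remote-execution technique an event may indicate, or None."""
    if event["event_id"] == 4698:
        return "remote scheduled task"
    if event["event_id"] == 4688 and event.get("parent_image", "").lower().endswith(WMI_PROVIDER_HOST):
        return "remote WMI"
    return None


def find_lateral_movement(events, window_minutes=5):
    """Pair each suspicious execution event with the most recent network logon
    (4624, logon type 3) for the same account on the same host inside the window,
    and report the source IP of that logon as the likely pivot origin."""
    window = timedelta(minutes=window_minutes)
    ordered = sorted(events, key=lambda e: parse_time(e["time"]))
    network_logons = []  # (time, event), kept in time order
    alerts = []
    for ev in ordered:
        t = parse_time(ev["time"])
        if ev["event_id"] == 4624 and ev.get("logon_type") == 3:
            network_logons.append((t, ev))
            continue
        technique = classify(ev)
        if technique is None:
            continue
        # Walk logons newest-first; once one is outside the window, all older ones are too.
        for logon_time, logon in reversed(network_logons):
            if t - logon_time > window:
                break
            if logon["host"] == ev["host"] and logon["account"] == ev["account"]:
                alerts.append({
                    "technique": technique,
                    "host": ev["host"],
                    "account": ev["account"],
                    "src_ip": logon["src_ip"],
                    "logon_time": logon["time"],
                    "exec_time": ev["time"],
                    "detail": ev.get("task_name") or ev.get("new_process"),
                })
                break
    return alerts


if __name__ == "__main__":
    for alert in find_lateral_movement(SAMPLE_EVENTS):
        print(alert)
```

Two alerts come out, both pointing back at 10.0.5.23 as the pivot source; the interactive session and the unpaired task creation produce nothing. Grouping alerts by `src_ip` across hosts is the natural next step, since one compromised machine reaching several others in a short period is the pattern that distinguishes a pivot from routine administration.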
Mandiant also says the Russian hacking collective leveraged accounts with Application Impersonation privileges to harvest sensitive mail data, used both residential IP proxy services and newly provisioned, geo-located infrastructure to communicate with compromised victims, and employed other novel tools and techniques to bypass security restrictions.
For remediation tips and indicators of compromise, consult Mandiant’s blog and a whitepaper on hardening strategies to defend against this particular actor.