Federal authorities say the Treasury and Commerce departments were breached by hackers who exploited a backdoor implanted in a widely used network monitoring product. The United States points to Moscow as the likely culprit for the break-ins. But officials are not pointing the finger at the loud, brash military hackers of the GRU we have come to know in the years since their meddling in the 2016 election.
Instead, U.S. officials told reporters that a stealthier and more sophisticated crew, the Kremlin's A team, is to blame, potentially signaling a return to the type of high-level break-ins for which the group became known in 2015.
These officials say Russian Foreign Intelligence Service hackers known as "Cozy Bear" or APT 29 are now the prime suspects in the breach of SolarWinds' Orion software, a compromise that has governments and businesses around the world scanning their networks for signs of intrusion.
"It sounds like a very well executed and painstaking operation, but at the moment it is too early to tell how big the compromise is," said Matt Tait, a former information security specialist at the UK's signals intelligence agency, GCHQ. "Hopefully when the antivirus vendors, and Microsoft in particular, start looking for signs of large-scale intrusion, we'll have a much better idea of the severity and scale of the operation."
Hackers of the Russian Foreign Intelligence Service, or SVR, are known for less visible operations focused on covert intelligence gathering, unlike the military hackers who have spent the last few years smashing things and making headlines.
As Russian GRU hackers shut down power systems in Ukraine, wrecked Ukrainian networks with the NotPetya attack, and dogged Hillary Clinton with emails stolen from the Democratic National Committee and her campaign chairman, the operators of APT 29 were so hard to notice that some even speculated they might have scaled back operations after the public learned that Dutch intelligence had successfully infiltrated their network in 2015.
Cozy Bear, however, had been active all along, targeting foreign diplomatic installations with stealthier, more sophisticated tradecraft.
SVR hackers breached the Democratic National Committee alongside the GRU during the 2016 election, and in a 2019 filing in its lawsuit against the Russian government, the DNC alleged that SVR hackers attempted a repeat during the 2018 midterms. Shortly before that election, Democratic officials wrote in an amended complaint, the committee was targeted in a spear-phishing campaign "consistent with" one that "leading cybersecurity experts have linked to Cozy Bear."
More recently, the United States, United Kingdom and Canada issued a joint warning that Cozy Bear's operators had targeted major pharmaceutical companies in the three countries "with the intent to steal information and intellectual property relating to the development and testing of COVID-19 vaccines."
Experts who have examined the SolarWinds software breach wrote that the operation shows an impressive degree of stealth and cunning.
It is not yet known how they managed it, but the hackers embedded a malicious file in an update to SolarWinds' Orion network monitoring program. Once the update is installed on a customer's network, the malicious file remains dormant for about two weeks. After that waiting period, the malware contacts a command and control server for instructions on what to do next, according to a technical assessment written by the cybersecurity firm FireEye, which was itself compromised through the same backdoor and lost proprietary data in the breach.
Once active, the malware displays "significant operational security" and blends into normal network activity, making it harder for security software to detect as it spies on its host network, according to FireEye.
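The pattern FireEye describes above, a monitoring server that is quiet for a couple of weeks and then starts talking to a previously unseen external host at regular intervals, is something a network defender can look for in proxy or DNS logs. The script below is an added example written for this article; it is not code from FireEye, SolarWinds or the original report, and it uses no indicators from the actual breach. The log lines, the host and domain names, and the thresholds (a 14-day baseline, at least four contacts, and a coefficient of variation of the inter-contact gaps at or below 0.2) are all constructed assumptions chosen to illustrate the heuristic, not values taken from the page.

```python
"""Flag (host, destination) pairs that first appear after a quiet baseline
period and then show beacon-like, evenly spaced contacts.

Added example, not from the article, FireEye or SolarWinds. All log data,
names and thresholds below are constructed for illustration."""
from collections import defaultdict
from datetime import datetime, timedelta
from statistics import mean, pstdev

# Constructed proxy log: "<ISO timestamp> <source host> <destination domain>".
# orion-01 talks to its vendor from day one, then, two weeks later, starts
# hourly contacts with a new domain (the beacon), plus some irregular
# browsing to another new domain that should not be flagged.
SAMPLE_LOG = """\
2020-03-01T08:00:00 orion-01 updates.vendor.example
2020-03-05T08:00:00 orion-01 updates.vendor.example
2020-03-10T08:00:00 orion-01 updates.vendor.example
2020-03-16T02:00:00 orion-01 c2.example.test
2020-03-16T03:00:00 orion-01 c2.example.test
2020-03-16T04:01:00 orion-01 c2.example.test
2020-03-16T05:00:00 orion-01 c2.example.test
2020-03-16T06:01:00 orion-01 c2.example.test
2020-03-16T07:00:00 orion-01 c2.example.test
2020-03-17T10:00:00 orion-01 docs.example.test
2020-03-17T14:30:00 orion-01 docs.example.test
2020-03-18T09:05:00 orion-01 docs.example.test
2020-03-18T09:55:00 orion-01 docs.example.test
2020-03-01T09:00:00 ws-07 docs.example.test
2020-03-20T09:00:00 ws-07 docs.example.test
"""


def parse_log(log_text):
    """Group contact timestamps by (host, destination)."""
    contacts = defaultdict(list)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, host, dest = line.split()
        contacts[(host, dest)].append(datetime.fromisoformat(ts))
    return contacts


def find_new_beacons(log_text, baseline_days=14, min_hits=4, max_cv=0.2):
    """Return destinations that are both new (first contacted after the host's
    baseline window) and regular (low variation in the gaps between contacts).

    Thresholds are assumptions for this example; tune them per environment."""
    contacts = parse_log(log_text)

    # Earliest time each host appears in the log defines its baseline window.
    first_seen = {}
    for (host, _), times in contacts.items():
        t0 = min(times)
        first_seen[host] = min(first_seen.get(host, t0), t0)

    findings = []
    for (host, dest), times in contacts.items():
        times.sort()
        if times[0] < first_seen[host] + timedelta(days=baseline_days):
            continue  # already talking to this destination during baseline
        if len(times) < min_hits:
            continue  # too few contacts to judge regularity
        gaps_min = [(b - a).total_seconds() / 60 for a, b in zip(times, times[1:])]
        avg = mean(gaps_min)
        # Coefficient of variation: near 0 means evenly spaced, beacon-like.
        cv = pstdev(gaps_min) / avg if avg > 0 else float("inf")
        if cv <= max_cv:
            findings.append({
                "host": host,
                "dest": dest,
                "first_contact": times[0].isoformat(),
                "hits": len(times),
                "mean_interval_min": avg,
                "cv": cv,
            })
    return findings


if __name__ == "__main__":
    for f in find_new_beacons(SAMPLE_LOG):
        print(f"{f['host']} -> {f['dest']}: {f['hits']} contacts, "
              f"~{f['mean_interval_min']:.0f} min apart (cv={f['cv']:.3f})")
```

Run against the constructed log, only the hourly contacts from orion-01 to c2.example.test are reported; the vendor traffic is excluded because it predates the baseline cutoff, and the irregular browsing to docs.example.test is excluded because its gaps vary too much. A real deployment would feed this from proxy or DNS query logs and would still need an analyst to rule out legitimate new services, since regular polling of a new domain is also what a freshly configured update client looks like.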
This type of breach, known as a supply chain attack, is particularly difficult for cybersecurity officials to deal with because it undermines the implicit trust of customers that products and updates from well-known suppliers are safe to use.
The software is widely used in government and the private sector, and the company said in an SEC filing that as many as 18,000 of SolarWinds' 300,000 customers may have downloaded the corrupted versions.
SolarWinds told the regulator that although its software was compromised at least as early as March 2020, it believes the attack was "intended to be a narrow, extremely targeted, and manually executed attack" against a more selective group of targets.
FireEye wrote that it had observed malware running on computers in “North America, Europe, Asia and the Middle East.”
FireEye was the first known victim of the SolarWinds breach, and in a statement released last week CEO Kevin Mandia said company officials observed the hackers using their access to steal software tools that FireEye uses to simulate foreign hackers and test the security of customer networks.
The GRU's brazen operations have absorbed much of the West's attention in recent years. The involvement of SVR hackers in such a sophisticated break-in against federal agencies and one of the world's most capable cybersecurity firms, if proven, is an unwelcome reminder that the reach of cyber threats originating in Russia remains wider, and harder to detect, than the headline-grabbing attacks alone suggest.