
SolarWinds Hackers Have New Methods for Mass Attacks

Nobelium, the group behind the SolarWinds attack, still has a large arsenal of advanced hacking capabilities at its disposal. That is the conclusion of Mandiant's security specialists in a recent study. The danger posed by these (probably state-backed) hackers has not yet passed.

A year ago, the Nobelium hackers managed to break into the American security specialist SolarWinds. Subsequently, many of this company's customers, about 18,000 of them, were compromised, including Microsoft and the US government, with all the consequences that entailed.

Further investigation into the hackers' background revealed that Nobelium is suspected of receiving support from a nation state, most probably Russia.

Nobelium is best known for its advanced tactics, techniques and procedures (TTPs). Instead of attacking victims one by one, the group prefers to pick a single company that serves many customers. Through a hack on that company, the hackers look for a kind of 'master key' that then simply 'opens' the doors to its customers.

Mandiant's research

Mandiant's research shows that Nobelium, and the two hacker groups UNC3004 and UNC2652 that are part of this hacking conglomerate, have further refined their TTPs, especially for attacks on cloud vendors and MSPs that let them reach even more businesses.

Among the hackers' new techniques is the use of credentials obtained from other criminals' info-stealer malware campaigns, which Nobelium used to gain initial access to victims. The hackers also used accounts with Application Impersonation privileges to "harvest" sensitive email data, and they relied on both consumer IP proxy services and newly provisioned local infrastructure to communicate with affected victims.

Other techniques

They also used new techniques to bypass security restrictions in various environments, including virtual machines, in order to determine internal routing configurations. Another tool in use was the new CEELOADER downloader. The hackers even managed to penetrate the Azure Active Directory tenants of affected parties and steal 'master keys' that give access to the directories of those parties' customers. Finally, the hackers managed to abuse multi-factor authentication based on push notifications to smartphones.
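Application Impersonation, mentioned above as the privilege used to harvest mailbox data, is a right that very few accounts legitimately need. The following audit is an added example (not code from the article or from Mandiant's report) that lists every Exchange Online identity effectively holding the role and flags anything outside a hypothetical allow-list; it assumes the ExchangeOnlineManagement module is installed and the operator has permission to read role assignments.

```powershell
# Added example: audit who effectively holds the ApplicationImpersonation role
# in Exchange Online. Requires the ExchangeOnlineManagement module.
Connect-ExchangeOnline

# Hypothetical allow-list: the only service identities expected to hold the role.
$expected = @("svc-mailbackup@example.com")

# -GetEffectiveUsers expands role groups and security groups to the individual
# users who end up with the permission, which is what a review cares about.
$assignments = Get-ManagementRoleAssignment -Role "ApplicationImpersonation" -GetEffectiveUsers

foreach ($a in $assignments) {
    # Anything not on the allow-list is marked for review; an unexpected holder
    # with a broad write scope can read every mailbox it is scoped to.
    $flag = if ($expected -contains $a.EffectiveUserName) { "expected" } else { "REVIEW" }
    "{0,-8} {1,-40} assignment={2} scope={3}" -f $flag, $a.EffectiveUserName, $a.Name, $a.RecipientWriteScope
}
```

Run this periodically and after any suspected compromise; a new or widened assignment that no administrator recognizes is the signal to investigate, since the role is rarely granted outside a handful of backup or integration accounts.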

The Mandiant researchers noticed that the hackers were mainly interested in data of importance to Russia. In some cases they also stole data that gave them new footholds for attacking other victims.

Nobelium: a persistent problem

The report concludes that Nobelium's attacks will not stop anytime soon. According to the researchers, the hackers continue to improve their techniques and skills so they can stay longer inside victims' networks, avoid detection and frustrate recovery operations.

Max Reisler
