The feds say the Treasury and Commerce departments have been breached by hackers from leveraging a backdoor planted in a popular network monitoring app. The U.S. is pointing at Moscow as the likely culprit behind the break-ins. But they’re not pointing at the loud, aggressive, and troll-happy military hackers we’ve come to know in the years since they meddled in the 2016 election.
Instead, U.S. officials have told reporters that a stealthier, more sophisticated crew—the A-Team of Kremlin hacking—is to blame, potentially signaling a return to the kind of high profile break-ins that the group became notorious for in 2015.
These officials say hackers from Russia’s Foreign Intelligence Service, referred to as “Cozy Bear” or APT 29, are now the top suspects for a breach in the SolarWinds Orion software, which has governments and corporations around the world scouring their networks for signs of intrusion.
“This looks like a very well executed and careful operation but at the moment it is too early to say what the scale of the compromise is,” Matt Tait, a former information security specialist for the U.K.’s signals intelligence agency, GCHQ. “Hopefully as anti-virus vendors, and Microsoft in particular, start looking for signs of intrusion at scale we'll have a much better picture of how severe and extensive the operation actually went.”
Hackers from Russia’s Foreign Intelligence Service, or SVR, are known for their less visible operations that focus on clandestine intelligence collection, in contrast to the military hackers who’ve spent the past years breaking things and grabbing headlines.
While Russian hackers from the GRU have been shutting down electrical systems in Ukraine, bricking Ukrainian networks with the NotPetya ransomware attack, and trolling Hillary Clinton with stolen emails from the Democratic National Committee and her campaign chair, APT 29 operators were so hard to notice that some even speculated they might’ve ramped down operations after the public learned that Dutch intelligence had managed to infiltrate their network in 2015.
Cozy Bear, however, had been active all along, collecting against foreign diplomatic facilities with more stealthy and sophisticated tradecraft.
Hackers from the SVR breached the Democratic National Committee alongside the GRU during the 2016 election but in a 2019 filing in its lawsuit against the Russian government, the DNC claimed that SVR hackers had attempted a repeat performance during the 2018 midterms. Shortly before the election, Democratic officials wrote in an amended complaint, “consistent with a spear-phishing campaign that leading cybersecurity experts have tied to Cozy Bear.”
More recently, the U.S., U.K., and Canada issued a joint advisory warning that Cozy Bear operators had targeted top pharmaceutical companies in the three countries “with the intention of stealing information and intellectual property relating to the development and testing of COVID-19 vaccines.”
Experts who’ve had the chance to analyze the breach into SolarWinds software have written that the operation shows an impressive degree of stealth and cunning.
It’s unclear yet how they managed to do it but hackers embedded a malicious update file inside of SolarWinds’ Orion network monitoring program. When the update file is installed on customers’ networks, the malicious file stays quiet for two weeks. After its dormant period, the malware reaches out to a command and control server to receive instructions about what to do next, according to a technical assessment written by cybersecurity company FireEye—which was was hit by the same backdoor and lost some proprietary data in the breach.
When activated, the malware displays “significant operational security” and blends in with normal network activity, making it harder for security software to detect as it spies on its host network, according to FireEye.
This kind of breach, known as a supply chain attack, is particularly difficult for cybersecurity officials to address because it undermines the implicit trust customers have that products and updates from known suppliers are safe to use.
The software is widely used in government and the private sector and company officials say as many as 18,000 of SolarWinds’ 300,000 customers may have downloaded corrupted versions of the software, according to a filing with the SEC.
SolarWinds told the regulatory agency that, while its software has been compromised at least as early as March 2020, it believes the attack was “intended to be a narrow, extremely targeted, and manually executed attack” against a more selective group of targets.
FireEye wrote that it had observed the malicious software running on computers in “North America, Europe, Asia and the Middle East.”
FireEye was the first known victim of the SolarWinds vulnerability and in a statement released last week, CEO Kevin Madnia said that the company officials had observed hackers leveraged their access to steal software tools FireEye uses to simulate foreign hackers and test customers’ network security.
The brazen operations of the GRU have soaked up much of the West’s attention over the past few years. The involvement of SVR hackers in such a sophisticated break-in against both federal agencies and one of the world’s most capable cybersecurity companies, if proven, is an unwelcome reminder that the scope of cyber threats from Russia remains broader and harder to find.