The SolarWinds Hack & APT 29

Threat group APT 29 targeted SolarWinds by deploying malicious code into its Orion Monitoring & Management Software.


Associated Group Names for APT 29*: NOBELIUM, Cozy Bear, StellarParticle, Dark Halo, The Dukes, UNC 2452**, Silver Fish, CozyDuke

*Mandiant began tracking APT 29 in 2014.

**Mandiant gathered enough evidence to determine that the threat group tracked as “UNC 2452” in relation to the SolarWinds compromise in 2020 is indeed APT 29.

SolarWinds is a major software company headquartered in Texas. They provide system management tools for network & infrastructure monitoring and various other technical services to hundreds of thousands of organizations around the world. One of their products, Orion, is an IT performance monitoring system. This was the tool that was breached in the attack. The breach was discovered in December of 2020 by FireEye, who also identified the backdoor delivered through SolarWinds into its systems as “Sunburst.” Even though the breach was discovered in December of 2020, the attackers actually gained access to the SolarWinds systems in September of 2019. It is crazy to think the attackers had at least 14 months of unbridled access (the industry average for attacker dwell time is between 3 & 4 months). So why did it take so long? One reason is that the attackers took a complex series of actions to cover their tracks; for instance, before Sunburst even attempts to connect out to its command-and-control server, the malware executes a number of inspections to make sure no antimalware or forensic analysis tools are running.

Affected orgs included Microsoft, Intel, Cisco, Deloitte, and FireEye, as well as the Department of Homeland Security, the State Department, and the Commerce & Treasury Departments.


The SolarWinds hackers (who would later be identified as APT 29) compromised a digitally signed SolarWinds Orion network monitoring component, opening a backdoor into the networks of thousands of SolarWinds enterprise and government customers.


A quick timeline of the hack:

  • September 2019: The threat actors were able to gain unlawful access to the SolarWinds network.

  • October 2019: The threat actors begin testing initial code injection into the Orion program.

  • February 2020: Malicious code (known as Sunburst) is then injected into Orion.

  • March 2020: SolarWinds starts sending out Orion software updates that contain the malicious code (unbeknownst to them).



Important Note: According to the U.S. Department of Homeland Security, the affected versions of SolarWinds Orion are 2019.4 through 2020.2.1 HF1.

The individuals tasked with combing through the infected software update for SolarWinds referred to the code as “elegant” and “innovative” as well as “a phenomenal tradecraft.” The entire hack began with one tiny strip of code. That’s it. The code itself doesn’t actually do anything on its own; all it does is check which processor is running on the computer, whether it is a 32- or 64-bit processor. Depending on which one it finds, it is assigned a zero or a one.

Microsoft, FireEye, and GoDaddy worked together to block & isolate versions of Orion known to contain the malware, cutting off the attackers’ access to customers’ systems. They did this by turning the domain used by the Sunburst backdoor in Orion into a kill switch. The kill switch serves as a mechanism to prevent Sunburst from continuing to operate.

A supply chain attack is the method the SolarWinds attackers used to insert the malicious code into the Orion system. This sort of attack works by targeting a third party with access to an org’s systems rather than trying to hack the networks directly. After the backdoor is created, the attackers are able to access & impersonate users & accounts of victim orgs. The malware could also access system files and blend in with legitimate SolarWinds activity without detection, even by antivirus software.

A supply chain attack is a cyber attack that seeks to damage an organization by targeting less secure elements in its supply chain. A supply chain attack can occur in any industry, from the financial sector and the oil industry to the government sector, and it can happen in software or hardware.

In April of 2021 the NSA, CISA, and the FBI jointly confirmed the Russian Foreign Intelligence Service as the threat actor behind the SolarWinds attack in a joint cybersecurity advisory. The White House then released Executive Order 14024, issuing sanctions targeting the harmful foreign activities of the Russian Government. The Russians successfully compromised about 100 companies and about a dozen government agencies. It’s also worth noting that one of those agencies was the Cybersecurity and Infrastructure Security Agency (aka CISA). We have to take into consideration that stealing data is one thing, but the potential for altering & destroying data is another. Considering Russia’s history of malicious activity in cyberspace, we should never underestimate them. Hacking network monitoring software basically gives the attacker the ability to view the entire network in a single, consolidated way.

APT 29/NOBELIUM/CozyBear (they have also been given many other names) is the threat group attributed to Russia’s Foreign Intelligence Service (SVR), and ultimately the group responsible for the SolarWinds attack. A year after the discovery of the SolarWinds attack (2021), APT 29 was back at it again, directed by the Russian Intelligence Service. According to Microsoft (itself one of the SolarWinds victims), the group has been targeting technology companies that resell & provide cloud services for customers. It appears they have been attempting to replicate the approach they used in previous attacks by targeting orgs that are intrinsic to the global IT supply chain. It’s likely that APT 29 was hoping to take advantage of any direct access these resellers may have to their customers’ IT systems, making it easier to impersonate an org’s trusted IT partner and gain access to the downstream customers.

The main techniques they’ve used over the last two years seem to rely more on phishing & password spraying (a type of brute force attack where a malicious actor attempts the same password on many accounts before moving on to another password and repeating the process) to gain entry to a targeted network, as opposed to searching for vulnerabilities in software.