The Kremlin-backed SolarWinds hackers are back again. This time, a phishing scheme using a compromised government email account was used to deliver malware to organizations in 24 countries.
Last December, a Russian supply chain attack against the U.S. came to light. Known as the SolarWinds hack, it was stealthy: the trojanized update reached around 18,000 SolarWinds customers and went undetected for months, and the follow-on intrusions compromised nine federal agencies and about 100 private-sector companies. The Kremlin-backed group responsible is now back with a new campaign. This time, the SolarWinds hackers are running a malicious email campaign to deliver malware to 150 government agencies, research institutions and other organizations in the U.S. and 23 other countries.
The group responsible for this attack is part of Russia's Foreign Intelligence Service. Their first step was compromising an account belonging to USAID, the U.S. government agency that provides civilian foreign aid and development assistance. Through it they gained control of the agency's online marketing account with Constant Contact, which let them send mail from USAID's real bulk-email account through USAID's normal mail provider. That is what made the emails look legitimate: to recipients, and to any filter that judges a message by its sender, they were genuine USAID mail.
“From there, the actor was able to distribute phishing emails that looked authentic but included a link that, when clicked, inserted a malicious file used to distribute a backdoor we call NativeZone,” Microsoft Vice President of Customer Security and Trust Tom Burt wrote in a post published on Thursday evening. “This backdoor could enable a wide range of activities from stealing data to infecting other computers on a network.”
Aside from the USAID content, FireEye said the group used other lures, including diplomatic notes and invitations from embassies. The Foreign Intelligence Service, known as the SVR, is known to target governments, think tanks and other organizations.
“Though the SolarWinds activity was remarkable for its stealth and discipline, loud, broad spearphishing operations were once the calling card of SVR operators who often carried out noisy phishing campaigns,” John Hultquist, Vice President of Analysis at FireEye-owned Mandiant Threat Intelligence, said in an email. “Those operations were often effective, gaining access to major government offices among other targets. And while the spear phishing emails were quickly identified, we expect that any post-compromise actions by these actors would be highly skilled and stealthy.”
Ars Technica has a great technical explanation of how this attack works, along with a sample email that was used.
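Sender reputation is no help against the delivery chain described above, because the mail really did come from USAID's account through its mail provider. What a practitioner can still examine is the links themselves. The Python script below is an added example, not code from this article, Microsoft or Mandiant: it pulls the anchors out of a message body and flags three things that a lure of this kind tends to carry, namely a click-tracking redirect whose real destination is not visible in the message, anchor text that names one domain while the href points to another, and a link whose target is a disk image or executable. The message body, the tracker domain mail-tracker.example, the expected-domain list and the extension list are all constructed for the example and are not indicators from the real campaign.

```python
"""Link triage for a lure delivered through a legitimate bulk-mail account.

Added example, not code from this article, Microsoft or Mandiant. The
message body, the tracker domain mail-tracker.example and the domain lists
below are constructed for illustration and are not indicators from the
real campaign.
"""
from html.parser import HTMLParser
from urllib.parse import urlparse

# Domains that links in mail from this sender are expected to point at
# (assumed values for the example).
EXPECTED_LINK_DOMAINS = {"usaid.gov", "constantcontact.com"}
# Click-tracking domains used by the mail platform: the href is a redirect,
# so the final destination cannot be judged from the message text alone.
TRACKER_DOMAINS = {"mail-tracker.example"}
# Extensions that a "view the document" link should never deliver.
DOWNLOAD_EXTENSIONS = (".iso", ".img", ".exe", ".zip", ".lnk", ".scr", ".js", ".hta")

# Constructed lure body for the example.
SAMPLE_EMAIL = """
<p>A new report is available for your review.</p>
<p><a href="https://r.mail-tracker.example/ls/click?upn=abc123">View documents</a></p>
<p><a href="https://files.example/report.iso">https://www.usaid.gov/reports/latest</a></p>
<p><a href="https://www.usaid.gov/privacy">Privacy policy</a></p>
"""


class _LinkExtractor(HTMLParser):
    """Collect (href, visible text) for every <a> in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def extract_links(html):
    parser = _LinkExtractor()
    parser.feed(html)
    return parser.links


def registrable(host):
    """Last two labels of a hostname; crude stand-in for a public-suffix lookup."""
    parts = host.lower().split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host.lower()


def displayed_host(text):
    """Host the anchor text claims to go to, if the text is written as a URL."""
    if " " in text or not text.startswith(("http://", "https://", "www.")):
        return None
    return urlparse(text if "://" in text else "//" + text).hostname


def triage_link(href, text):
    """Return the reasons this link needs a human or a sandbox to look at it."""
    findings = []
    target = urlparse(href)
    if target.scheme not in ("http", "https"):
        return [f"non-web scheme {target.scheme!r}"]
    host = target.hostname or ""
    if registrable(host) in TRACKER_DOMAINS:
        findings.append("click-tracking redirect; final destination not visible in the message")
    elif registrable(host) not in EXPECTED_LINK_DOMAINS:
        findings.append(f"link host {host} outside expected domains")
    shown = displayed_host(text)
    if shown and registrable(shown) != registrable(host):
        findings.append(f"displayed {shown} but points to {host}")
    if target.path.lower().endswith(DOWNLOAD_EXTENSIONS):
        findings.append(f"link downloads {target.path.rsplit('.', 1)[-1]} file")
    return findings


def triage_email(html):
    """(href, findings) for each link in the body that raised at least one finding."""
    flagged = []
    for href, text in extract_links(html):
        findings = triage_link(href, text)
        if findings:
            flagged.append((href, findings))
    return flagged


if __name__ == "__main__":
    for href, findings in triage_email(SAMPLE_EMAIL):
        print(href)
        for finding in findings:
            print("   -", finding)
```

The tracker finding is the one that matters most here. A link routed through the mail platform's click tracker looks exactly like every other link that platform sends, and the only way to learn where it really lands is to follow the redirect in a sandbox. That opacity is a large part of why a hijacked marketing account is such an effective lure.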
That the same group is back with another successful campaign shows why security awareness training cannot be a one-time event. Social engineering is a very real threat, and even well-trained staff will sometimes click a bad link. Attackers, nation states included, count on exactly that: it only takes one person to let them in.
It also shows where regulation of cyber activity is still lacking, and it should serve as a warning to business owners. Governments and regulators will get to legislation eventually, but on their own timelines, not ours. In the meantime, businesses must take it upon themselves to secure their systems. Russia is deliberately targeting supply chain companies and government agencies, but it will take any foothold that gives it an advantage. And the SolarWinds hackers are not the only group out there; these attacks are on the rise.
We have said this many times and will keep saying it: security cannot wait. And security is not just code, firewalls and email filters. It involves every employee, from the mailroom clerk to the CEO. Everyone must be trained to recognize phishing emails and to treat links in email with suspicion, especially in mail from unknown senders. The USAID messages got through precisely because they came from a real, trusted sender, so passing the company's filter does not make a message safe. Every employee should also be trained on password safety, including passphrases and password managers.
The best thing you can do for your business is to hire an expert to review your security practices and confirm that all of your systems and applications are running the latest patches. They can help you with training programs, too.