The hackers behind the SolarWinds hack in 2019 are back. This time, the SolarWinds hackers are zeroing in on businesses and governments worldwide.
What Do We Know About the Hack?
Nobelium, the group behind the SolarWinds hacks, is now linked to several cyber attacks. These attacks were launched against cloud solutions providers, reseller businesses, and government entities. In addition, Nobelium is reworking its hacking tactics to wreak even more havoc on the internet and society.
Nobelium’s latest hacks are tracked in two distinct activity clusters. Mandiant has identified these clusters as UNC3004 and UNC2652. Each cluster is tied to UNC2452, a group of uncategorized threats linked to Russia’s intelligence agency.
Who is the Threat Targeting?
UNC2652 targets diplomatic groups through phishing emails. These emails carry HTML attachments containing malicious JavaScript. The JavaScript drops a Cobalt Strike Beacon, which delivers the infection. The overarching aim of the attack is to steal valuable intelligence information for Russia’s government. The stolen data is also used to generate additional access routes for even more hacks.
Why is the Hack of Significance?
The reemergence of Nobelium is bad news for governments and businesses around the world. Nobelium, backed by Russia’s Kremlin, compromised SolarWinds’ servers in 2019. The hackers transmitted harmful software binaries to the network management provider’s customers. The customer group included nearly a dozen United States federal agencies.
Nobelium has refined its hacking techniques to gain access to target environments, evade detection, and hinder efforts to stop its theft of information. In addition, Nobelium appears to be using third parties and vendors to carry out its digital attacks.
Microsoft’s tech gurus have described Nobelium hackers as “methodical” and “skillful” operators who adhere to operations security best practices. Nobelium is expanding its malware to spread malicious components and attack systems of nation-states around the world.
What Types of Hacking Tactics are Used?
Nobelium hackers are using a new hacking tool referred to as Ceeloader. Ceeloader is a bespoke downloader that decrypts shellcode payloads for execution within the memory of a targeted system. This strategy is also a workaround for multi-factor authentication safeguards on smartphones.
Additional Nobelium hacking tactics observed in recent months include using residential IP address ranges for authentication, encrypted blobs for hosting payloads on sites running WordPress, and virtual private networks (VPNs) to access target environments.
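Two of the tactics named above, authentication from residential IP space and pressure on smartphone MFA prompts, leave a pattern in identity-provider sign-in logs that defenders can look for. The following is an added example written for this article, not code from the article, Mandiant, or Microsoft; the corporate egress ranges and the sign-in records are constructed sample values, and the detection thresholds are assumptions.

```python
# Added example (not from the article or Mandiant): detection logic over
# constructed sign-in records for two Nobelium tactics the article names:
# authentication from non-corporate (e.g. residential) IP space preceded by
# repeated MFA denials, the pattern left by MFA push fatigue.
from ipaddress import ip_address, ip_network
from collections import defaultdict
from datetime import datetime

# Constructed: the organisation's own egress ranges (hypothetical values).
CORPORATE_RANGES = [ip_network("203.0.113.0/24"), ip_network("198.51.100.0/25")]

# Constructed sample sign-in events in the shape of an identity-provider log:
# (user, ISO timestamp, source IP, MFA outcome)
SAMPLE_EVENTS = [
    ("alice", "2021-12-06T08:01:00", "203.0.113.7", "approved"),
    ("bob",   "2021-12-06T08:02:00", "192.0.2.45", "denied"),
    ("bob",   "2021-12-06T08:02:40", "192.0.2.45", "denied"),
    ("bob",   "2021-12-06T08:03:10", "192.0.2.45", "denied"),
    ("bob",   "2021-12-06T08:04:00", "192.0.2.45", "approved"),
    ("carol", "2021-12-06T09:15:00", "198.51.100.9", "approved"),
]

def outside_corporate(ip: str) -> bool:
    """True when the source address is not inside a known egress range."""
    addr = ip_address(ip)
    return not any(addr in net for net in CORPORATE_RANGES)

def find_suspicious_logins(events, max_denials=2, window_seconds=600):
    """Return alerts for approved sign-ins from unknown IP space that were
    preceded by at least max_denials MFA denials within the time window."""
    denials = defaultdict(list)   # user -> timestamps of recent denials
    alerts = []
    for user, ts, ip, outcome in sorted(events, key=lambda e: e[1]):
        when = datetime.fromisoformat(ts)
        # Forget denials older than the window before evaluating this event.
        denials[user] = [d for d in denials[user]
                         if (when - d).total_seconds() <= window_seconds]
        if outcome == "denied":
            denials[user].append(when)
            continue
        if outside_corporate(ip) and len(denials[user]) >= max_denials:
            alerts.append({"user": user, "ip": ip, "time": ts,
                           "prior_denials": len(denials[user])})
            denials[user].clear()
    return alerts

if __name__ == "__main__":
    for alert in find_suspicious_logins(SAMPLE_EVENTS):
        print(alert)
```

On the constructed sample, only bob's approval at 08:04:00 is flagged: it comes from outside the corporate ranges after three denied prompts in the preceding ten minutes.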