Russian Hackers Steal Data for Months in Global Supply Chain Attacks

Russian hackers who stole red team tools from FireEye may have been in action on a much broader scale, operating a sophisticated supply chain campaign targeting multiple global organizations and governments.

FireEye revealed in an update on Sunday that nation state attackers inserted malicious code into legitimate software for SolarWinds’ popular Orion product to gain remote access into victim environments.

Although it didn’t name any victims or the identity of the group, a Reuters report on Sunday citing “people familiar with the matter” pointed the finger at Moscow and claimed that the US Treasury and Commerce departments were both hit.

It’s claimed the attackers may have had access to staff emails since spring.

SolarWinds also confirmed the attack in an advisory over the weekend, and urged users to upgrade as soon as possible. Its software was seeded with a malicious backdoor dubbed “Sunburst” by FireEye.

“The malware masquerades its network traffic as the Orion Improvement Program (OIP) protocol and stores reconnaissance results within legitimate plugin configuration files allowing it to blend in with legitimate SolarWinds activity,” the security vendor explained in a technical blog.

“The backdoor uses multiple obfuscated blocklists to identify forensic and anti-virus tools running as processes, services, and drivers.”
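The "obfuscated blocklists" FireEye refers to are typically tables of hashed process, service and driver names that the implant compares against hashes of what is currently running, so that the tool names never appear as plain strings in the binary. The following Python is an added illustration, not FireEye's code and not Sunburst's actual constants: the FNV-1a hash and the XOR key are assumptions chosen for the example, and the process names are a constructed sample. It shows both the implant-side check and the analyst-side recovery, which works by rehashing a dictionary of known security-tool names once the hash routine and key have been lifted from the decompiled binary.

```python
"""
Obfuscated process-name blocklist: how an implant hides the names of the
tools it looks for, and how an analyst recovers them. Added example; the
hash choice, XOR key and sample names are assumptions, not Sunburst's.
"""

# Constructed sample: tools an implant might want to avoid, plus benign names.
SAMPLE_TOOLS = ["procmon", "wireshark", "autoruns", "procexp", "windbg"]
SAMPLE_OTHER = ["explorer", "svchost", "notepad"]

# Standard 64-bit FNV-1a parameters.
FNV_OFFSET = 0xCBF29CE484222325
FNV_PRIME = 0x100000001B3
MASK64 = (1 << 64) - 1

# Assumed per-sample XOR key; a real implant bakes its own into the code.
XOR_KEY = 0x5BAD1D2A7C3E1F09


def fnv1a64(data: bytes) -> int:
    """64-bit FNV-1a over raw bytes."""
    h = FNV_OFFSET
    for b in data:
        h ^= b
        h = (h * FNV_PRIME) & MASK64
    return h


def obfuscate(name: str, key: int = XOR_KEY) -> int:
    """Hash a process name; lower-casing makes matching case-insensitive."""
    return fnv1a64(name.lower().encode()) ^ key


def build_blocklist(names, key: int = XOR_KEY) -> set:
    """Implant build step: store only the obfuscated hashes, never the names."""
    return {obfuscate(n, key) for n in names}


def is_blocked(process_name: str, blocklist: set, key: int = XOR_KEY) -> bool:
    """Implant runtime check against one running process name."""
    return obfuscate(process_name, key) in blocklist


def recover_blocklist(blocklist: set, candidates, key: int = XOR_KEY) -> list:
    """Analyst side: rehash a dictionary of known tool names and report hits.

    Requires the hash routine and key recovered from the binary; any hash
    with no dictionary match stays unknown and is reported separately.
    """
    return sorted(n for n in candidates if obfuscate(n, key) in blocklist)


def unresolved(blocklist: set, candidates, key: int = XOR_KEY) -> set:
    """Hashes in the table that no candidate name explains."""
    return blocklist - {obfuscate(n, key) for n in candidates}


if __name__ == "__main__":
    table = build_blocklist(SAMPLE_TOOLS)
    print("Wireshark blocked:", is_blocked("Wireshark", table))
    print("explorer blocked:", is_blocked("explorer", table))
    print("recovered:", recover_blocklist(table, SAMPLE_TOOLS + SAMPLE_OTHER))
    print("unresolved:", len(unresolved(table, SAMPLE_OTHER)))
```

The defensive lesson is the one FireEye's description implies: a string search of the binary for "wireshark" or "procmon" finds nothing, so the table only yields to an analyst who lifts the hash routine and key and brute-forces a wordlist against it, and any hash that no candidate explains marks a tool name still to be guessed.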

The attackers conducted a carefully planned, patient and highly sophisticated campaign, FireEye added, built around a light malware footprint, a priority on stealth, strong operational security to cover their tracks, and the use of tooling that is difficult to attribute.

“The victims have included government, consulting, technology, telecom and extractive entities in North America, Europe, Asia and the Middle East,” said FireEye. “We anticipate there are additional victims in other countries and verticals.”

It’s unclear what the end goal of the group was, although a New York Times story named it as APT29, or Cozy Bear, which has been associated with previous attacks on the Democratic National Committee in 2016 and COVID-19 vaccine data earlier this year.

The Commerce Department’s National Telecommunications and Information Administration (NTIA), which decides which tech imports and exports to block on national security grounds, was reportedly one of the targets.
