On Friday, US and UK government agencies released a joint report with more information on the activities of the Russian cyberespionage group suspected of being behind the attack on IT management firm SolarWinds. According to the report, after some of their operations were exposed, the hackers began using the open-source adversary simulation framework Sliver.
The SolarWinds attack was carried out by the Russian threat actor APT29 (also known as the Dukes, Cozy Bear, and Yttrium), according to the FBI, NSA, CISA, and the UK’s NCSC. The SolarWinds attack resulted in hundreds of organisations’ systems being breached by malicious updates served from compromised SolarWinds systems.
The agencies have previously released numerous reports on the activities of the group, which they say is under the control of the Russian Foreign Intelligence Service, or SVR.
The new report provides further information on the cyberspies’ tactics, techniques, and procedures (TTPs), as well as some of the changes the group made in response to previous reporting.
Last year, government agencies identified APT29 operations targeting organisations involved in SARS-CoV-2 coronavirus vaccine research and development in the United States, the United Kingdom, and Canada. Malware such as WellMess and WellMail was used in those attacks.
The hackers started using an open-source platform called Sliver to retain access to existing WellMess and WellMail victims after their activity targeting vaccine makers was exposed.
Sliver is a legitimate tool created by Bishop Fox, an offensive security assessment firm. It is billed as an adversary simulation and red team framework that companies can use to conduct security testing.
SVR operators also used separate command and control infrastructure for each Sliver victim, as was seen in the SolarWinds incidents, the agencies said.
The Snort and YARA rules in the report are intended to help threat hunters detect Sliver. The agencies cautioned, however, that since Sliver is a legitimate penetration testing tool, its presence does not by itself indicate an APT29 attack.
APT29 has started exploiting CVE-2021-21972, according to the latest cybersecurity advisory, which lists nearly a dozen vulnerabilities that have been exploited by the group. This critical flaw affects VMware’s vCenter Server product. In February, organisations were alerted that hackers had begun scanning the internet for vulnerable servers just one day after VMware announced that patches were available.
APT29 has also reportedly begun scanning for Microsoft Exchange servers affected by the vulnerabilities that have been exploited by several threat groups over the last two months.
The report also details the impact of the attack on email security firm Mimecast, which was a consequence of the SolarWinds hack.