SolarWinds headquarters in Austin, Texas on December 15, 2020.
Microsoft says SolarWinds hackers have struck again
Washington CNN —

The Russian hackers behind a successful 2020 breach of US federal agencies have in recent months tried to infiltrate US and European government networks, cybersecurity analysts tracking the group told CNN.

The Russian group has breached multiple technology firms in previously unreported activity, said Charles Carmakal, senior vice president and CTO at cybersecurity firm Mandiant. The hackers have also used new tools and techniques in some of their operations this year, Carmakal said.

“The group has compromised multiple government entities, organizations that focus on political and foreign policy matters, and technology providers that provide direct or indirect access to the ultimate target organizations within North America and Europe,” Carmakal told CNN. He declined to identify the technology providers.

It’s unclear what data, if any, the hackers accessed. But the activity is a reminder of the challenge facing the Biden administration as it tries to blunt efforts by America’s top digital adversaries to access sensitive government data.

A US official familiar with the matter told CNN that federal agencies are tracking the latest actions of the Russian hackers.

“The issue has come up in recent National Security Council meetings,” said the official, who spoke on the condition of anonymity.

The Russian group is best known for using tampered software made by federal contractor SolarWinds to breach at least nine US agencies in activity that came to light in December 2020. The attackers were undetected for months in the unclassified email networks of the departments of Justice, Homeland Security and others, and it was FireEye, Mandiant’s former parent firm, not a government agency, that discovered the hacking campaign.

The Biden administration in April attributed the spying campaign to Russia’s foreign intelligence service, the SVR, and criticized Moscow for exposing thousands of SolarWinds customers to malicious code. Moscow has denied involvement.

Homeland Security Secretary Alejandro Mayorkas in March said that US cybersecurity defenses must be quicker in detecting future espionage efforts. “Our government got hacked last year and we didn’t know about it for months,” Mayorkas said in a speech, referring to the SolarWinds incident.

To that end, DHS’ Cybersecurity and Infrastructure Security Agency (CISA) has pledged to spend some of the $650 million it received from the American Rescue Plan earlier this year on new security tools to detect threats. The Biden administration has also instituted mandatory security standards for US government contractors. Deputy Attorney General Lisa Monaco said Wednesday that the Justice Department would use its “civil enforcement tools to pursue companies – those who are government contractors or receive federal funds – when they fail to follow required cybersecurity standards.”

Cat-and-mouse game

For US agencies, detecting the Russian operatives could be a cat-and-mouse game. They are professionals – the likes of which are employed by top US and Chinese spy agencies – with a mission to collect intelligence on government targets, analysts say. That means they develop new hacking tools when existing ones are exposed.

Starting in April, if not earlier, the Russian group was using a new piece of malicious software to “remotely exfiltrate sensitive information” from targeted organizations’ computer servers, Microsoft said in a September 27 blog post.

Microsoft declined to comment on where the targeted organizations are located or what sectors they are in. But other security specialists say they’ve been responding to digital intrusions associated with the broad group of hackers that Washington blamed for the SolarWinds breaches.

“They’re constantly active,” Adam Meyers, senior vice president of intelligence at security firm CrowdStrike, said of the Russian group. “I think the public reporting represents … when we catch them and when we see what they’re up to.”

CrowdStrike last month found malicious code in a customer network that Meyers said was likely deployed by Cozy Bear, a Russian group that overlaps with the one tracked by Microsoft. Meyers declined to elaborate on the incident.

The National Security Agency, FBI, CISA, and the Office of the Director of National Intelligence declined to comment for this story.

Gen. Paul Nakasone, who heads the NSA and US Cyber Command, on Tuesday said that US agencies worked well with Mandiant to cut short the Russian espionage campaign exploiting SolarWinds.

“The SolarWinds incident, I think, was really a turning point for our nation,” Nakasone said at the Mandiant Cyber Defense Summit in Washington. “We were able to expose a significant intrusion by a foreign adversary that was trying to do our nation harm.”