8 October 2021

Threat actors behind SolarWinds hack stole data on US sanctions, intelligence probes

The suspected Russian hackers who compromised computer networks of US federal agencies last year using SolarWinds and Microsoft software stole information related to counter-intelligence investigations, policy on sanctioning Russian individuals and the country’s response to COVID-19, Reuters reported, citing people familiar with the investigation into the hack.

In early 2020, the hackers secretly infiltrated the systems of Texas-based SolarWinds and added malicious code to the company's Orion monitoring and management platform, which is used by tens of thousands of companies.

The threat actor also "took advantage of weaknesses in Microsoft's methods for identifying users in Office 365, breaching some targets that used Microsoft software but not SolarWinds."

While the breach received a great deal of press coverage, little has been shared about the attackers’ goals and successes.

One of the people involved told Reuters that the exposure of counter-intelligence matters being pursued against Russia was the worst of the losses.

In its annual digital defense report, Microsoft said that the hackers behind the breach were interested in government material on sanctions and other Russia-related policies, along with U.S. methods for catching Russian hackers.

Microsoft drew its conclusions from the types of customers and accounts it observed being targeted, Cristin Goodwin, general manager of Microsoft's Digital Security Unit, told Reuters.

Chris Krebs, the former head of US cyber-defense agency CISA, said the combined descriptions of the attackers’ goals were logical.

"If I’m a threat actor in an environment, I’ve got a clear set of objectives. First, I want to get valuable intelligence on government decision-making. Sanctions policy makes a ton of sense," Krebs said.

He also said that the second thing to learn is how the target responds to attacks.

"I want to know what they know about me so I can improve my tradecraft and avoid detection," he said.
