Russian Actors Behind SolarWinds Attack Hit Global Business & Government Targets

Published: 23/11/2024   Category: security




Clusters of activity associated with the attack group behind last year's supply chain breach reveal novel techniques, researchers say.



One year after the discovery of the 2021 SolarWinds supply chain compromise, security researchers report two clusters of suspected Russian attack activity targeting global businesses and governments. Both are associated with the group behind the SolarWinds attack campaign.
The findings come from Mandiant, which has been tracking the activity in 2021 and reports an adaptable and evolving threat using novel tactics, techniques, and procedures (TTPs) to breach victims, collect data, and move laterally. The attackers associated with the SolarWinds incident have breached multiple entities, including cloud service providers (CSPs), and they continue to evolve.
Mandiant tracks the two clusters of activity as UNC3004 and UNC2652; it says both are linked to the group it tracks as UNC2452, also referred to as Nobelium by Microsoft.
"We are confident in saying that these clusters — maybe it means there are different teams or units, we don't really know — they are all associated with [the] SolarWinds threat actor," says Doug Bienstock, manager of incident response at Mandiant, in an interview with Dark Reading.
"In most cases, post-compromise activity included theft of data relevant to Russian interests," Mandiant researchers wrote in a blog post. In some, the theft seemed primarily meant to create routes to access other victim environments. Targets included NGOs, government entities, and consulting organizations that are involved with, or could align with, Russian interests. So far, Mandiant is aware of two to three dozen targets compromised by this activity in 2021.
It appears the attackers' goals varied depending on the target. "When they accessed service provider environments, and downstream customers to a lesser degree, they were interested in credentials that would allow continued high-level permissions in both of those environments," Bienstock says. When targeting service providers, they sought credentials that would allow them to move from the service provider's network down into their customers' networks.
Once successfully in a customer environment, they were after confidential data that aligned with Russian interests or could help them further those interests, Bienstock explained.
"Generally, that data, in most organizations now, is going to be in the form of email and email-adjacent, like SharePoint or OneDrive files," he adds. "We're largely seeing them target that type of data and individuals at the organizations who may be involved with those Russian-related subjects."
Inside the Attackers' Toolbox
The activity Mandiant disclosed today goes back to the first quarter of this year and has many similarities to SolarWinds methods, he notes. Attackers continue to display a high skill level in their operational security and take several steps to hide their activities and blend in with users' normal activities, making attribution and tracking their infrastructure difficult for researchers.
"They also show a particular deftness at being able to quickly research techniques, iterate on them, and then implement them in the wild, and they continue to target Microsoft 365 using some fairly advanced methodologies," Bienstock continues.
Their operational security, and the pace at which they can grow their toolbox of techniques, are two traits that stood out to him.
In at least one case, the attacker compromised a local VPN account, then used it to conduct recon and gain access to internal resources in the victim CSP's environment. This allowed them to compromise internal domain accounts. In another campaign, attackers were able to access a victim's Microsoft 365 environment using a stolen session token. It was later discovered that some systems had been infected with the info-stealer Cryptbot before the token was generated.
Other techniques include the compromise of a Microsoft Azure AD account within a CSP's tenant in one attack; in another, attackers used RDP to pivot between systems that had limited Internet access. The attackers compromised privileged accounts and used SMB, remote WMI, remote scheduled task registration, and PowerShell to execute commands in target networks.
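The SMB, remote WMI, scheduled-task and PowerShell execution chain described above leaves a recognisable trail in Windows Security logs. The following triage script is an added example written for this page (it is not Mandiant's tooling): it anchors on a network logon and counts how many distinct remote-execution indicators the same account triggers on that host within a short window. The event records are constructed samples in a simplified key=value form; the event IDs are the standard Windows ones (4624 logon, 5145 share access, 4698 scheduled task created, 4688 process creation), and the host, account and path values are invented.

```python
"""Lateral-movement triage over constructed Windows Security events.

Added illustration, not Mandiant's code. SAMPLE_EVENTS is a constructed log
in 'key=value|key=value' form; real data would come from Windows Event
Forwarding, Sysmon or an EDR and carry many more fields.
"""
from datetime import datetime, timedelta

# Constructed sample events, one per line, fields separated by '|'.
# Host FS01 shows the full chain; WS42 is a normal interactive session.
SAMPLE_EVENTS = """\
ts=2021-03-02T01:12:04Z|host=FS01|eid=4624|logon_type=3|user=CORP\\svc-backup|src_ip=10.20.5.77
ts=2021-03-02T01:12:05Z|host=FS01|eid=5145|share=\\\\*\\ADMIN$|user=CORP\\svc-backup|src_ip=10.20.5.77
ts=2021-03-02T01:12:09Z|host=FS01|eid=4698|task=\\Microsoft\\Windows\\Maintenance\\Refresh|user=CORP\\svc-backup
ts=2021-03-02T01:12:11Z|host=FS01|eid=4688|process=C:\\Windows\\System32\\cmd.exe|parent=C:\\Windows\\System32\\wbem\\WmiPrvSE.exe|user=CORP\\svc-backup
ts=2021-03-02T01:12:20Z|host=FS01|eid=4688|process=C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe|parent=C:\\Windows\\System32\\wsmprovhost.exe|user=CORP\\svc-backup
ts=2021-03-02T08:30:00Z|host=WS42|eid=4624|logon_type=2|user=CORP\\alice|src_ip=-
ts=2021-03-02T08:31:12Z|host=WS42|eid=4688|process=C:\\Program Files\\Office\\winword.exe|parent=C:\\Windows\\explorer.exe|user=CORP\\alice
"""


def parse_event(line):
    """Turn 'k=v|k=v' into a dict (partition keeps any '=' inside a value)."""
    rec = {}
    for field in line.split("|"):
        key, _, value = field.partition("=")
        rec[key] = value
    return rec


def _ts(event):
    return datetime.strptime(event["ts"], "%Y-%m-%dT%H:%M:%SZ")


# One predicate per technique named in the reporting. Each looks only at
# a single event; the correlation across events happens in triage().
INDICATORS = {
    # SMB: access to the ADMIN$ share is how service-based remote exec lands binaries.
    "smb_admin_share": lambda e: e.get("eid") == "5145"
    and e.get("share", "").upper().endswith("ADMIN$"),
    # Scheduled task registered on the host (4698).
    "remote_task_registration": lambda e: e.get("eid") == "4698",
    # Remote WMI: WmiPrvSE.exe spawning a shell or other process.
    "remote_wmi_exec": lambda e: e.get("eid") == "4688"
    and e.get("parent", "").lower().endswith("wmiprvse.exe"),
    # PowerShell remoting: powershell.exe hosted by the WinRM provider host.
    "remote_powershell": lambda e: e.get("eid") == "4688"
    and e.get("process", "").lower().endswith("powershell.exe")
    and e.get("parent", "").lower().endswith("wsmprovhost.exe"),
}


def triage(log_text, window=timedelta(minutes=5), min_indicators=2):
    """Anchor on each network logon (4624, logon type 3) and collect which
    indicators the same account triggers on that host within `window`.
    Returns {(host, user): details} for pairs hitting >= min_indicators."""
    events = sorted(
        (parse_event(l) for l in log_text.splitlines() if l.strip()), key=_ts
    )
    findings = {}
    for anchor in events:
        if anchor.get("eid") != "4624" or anchor.get("logon_type") != "3":
            continue
        start, end = _ts(anchor), _ts(anchor) + window
        hits = set()
        for e in events:
            if e.get("host") != anchor["host"] or e.get("user") != anchor["user"]:
                continue
            if not (start <= _ts(e) <= end):
                continue
            hits.update(name for name, test in INDICATORS.items() if test(e))
        if len(hits) >= min_indicators:
            findings[(anchor["host"], anchor["user"])] = {
                "src_ip": anchor.get("src_ip"),
                "first_seen": anchor["ts"],
                "indicators": sorted(hits),
            }
    return findings


if __name__ == "__main__":
    for (host, user), info in triage(SAMPLE_EVENTS).items():
        print(f"{host} {user} from {info['src_ip']} at {info['first_seen']}: "
              + ", ".join(info["indicators"]))
```

Requiring two or more distinct indicators after a network logon is what keeps this useful: any one of these events is routine for administrators, but the combination of a remote logon, an admin share touch, a new task and a WMI- or WinRM-hosted shell from the same account within minutes is the pattern worth an analyst's time. The window, threshold and predicates are the tuning knobs for a given environment.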
Attackers are also making use of a new bespoke downloader dubbed Ceeloader, which decrypts a shellcode payload to execute in memory on a target device. The downloader is derived from VaporRage, a downloader Microsoft has previously discussed. "Ceeloader is used during the crucial stage of an intrusion when attackers have a toehold in the environment but need to download additional malware, making this a good opportunity to detect and prevent," Bienstock says.
"This threat actor, they seem to be very choosy over when they're going to develop their own malware and when they'll use off-the-shelf tooling," he adds.
On the operational security front, Mandiant found attackers using residential IP address ranges to authenticate into victim environments. It's believed this access was obtained through mobile and residential IP address proxy providers, which proxy traffic through mobile devices by bundling a proxy application in return for free applications and/or services.
"The threat actor has started using these services because they know that defenders, investigators treat domestic ISPs as pretty legitimate activity — especially more so if that activity comes from a geography where your employees are based," Bienstock explains. "That shows me they are continuing to refine their ability to blend in with normal business activities."
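Two of the cloud-access techniques reported on this page, the stolen session token and sign-ins from residential or mobile IP space in the victim's own geography, are both visible in sign-in telemetry if the checks look at more than country. The script below is an added example written for this page, not Mandiant's or Microsoft's code: it binds each session to the device it was first seen on and flags reuse elsewhere, and it compares residential/mobile sign-ins against a per-user baseline of (ASN, device) pairs. All records are constructed; the field names (`session_id`, `asn_type`, `device_id`) are assumed for the illustration rather than taken from any product's schema, and the ASNs and IPs are from the documentation-reserved ranges.

```python
"""Sign-in anomaly checks for stolen-token replay and residential-proxy origins.

Added example, not the page's or any vendor's code. BASELINE and EVENTS are
constructed; field names are assumed for the illustration.
"""
from collections import defaultdict

# Constructed baseline of known-good sign-ins (e.g. the previous 30 days).
# alice normally works from the corporate ASN and her home ISP, both on dev-a1.
BASELINE = [
    {"user": "alice@example.com", "asn": "AS64500", "asn_type": "corporate", "device_id": "dev-a1", "country": "US"},
    {"user": "alice@example.com", "asn": "AS64501", "asn_type": "residential", "device_id": "dev-a1", "country": "US"},
    {"user": "bob@example.com", "asn": "AS64500", "asn_type": "corporate", "device_id": "dev-b7", "country": "US"},
]

# Constructed stream of new sign-in / token-use events, in time order.
# Every event is from the US, so a geography-only check would pass all of them.
EVENTS = [
    {"ts": "2021-05-10T13:00:00Z", "user": "alice@example.com", "session_id": "s-111",
     "ip": "203.0.113.10", "asn": "AS64501", "asn_type": "residential", "device_id": "dev-a1", "country": "US"},
    # Same session token, different device, residential ASN never seen for alice.
    {"ts": "2021-05-10T13:40:00Z", "user": "alice@example.com", "session_id": "s-111",
     "ip": "198.51.100.77", "asn": "AS64502", "asn_type": "residential", "device_id": "dev-zz9", "country": "US"},
    # Fresh session for bob from a mobile carrier ASN and an unknown device.
    {"ts": "2021-05-10T14:05:00Z", "user": "bob@example.com", "session_id": "s-222",
     "ip": "192.0.2.33", "asn": "AS64503", "asn_type": "mobile", "device_id": "dev-q4", "country": "US"},
    # Normal: bob from the corporate ASN on his usual device.
    {"ts": "2021-05-10T14:10:00Z", "user": "bob@example.com", "session_id": "s-223",
     "ip": "203.0.113.55", "asn": "AS64500", "asn_type": "corporate", "device_id": "dev-b7", "country": "US"},
]

RESIDENTIAL_TYPES = ("residential", "mobile")


def build_baseline(records):
    """Per-user set of (asn, device_id) pairs seen in known-good history."""
    known = defaultdict(set)
    for r in records:
        known[r["user"]].add((r["asn"], r["device_id"]))
    return known


def detect(events, baseline):
    """Return a list of alert dicts, in the order the triggering events arrive."""
    known = build_baseline(baseline)
    session_device = {}  # session_id -> device_id the token was first used from
    alerts = []
    for e in events:
        # Rule 1: a session token is bound to the device that first presented it.
        issued_on = session_device.setdefault(e["session_id"], e["device_id"])
        if issued_on != e["device_id"]:
            alerts.append({
                "rule": "session_token_reuse",
                "user": e["user"],
                "session_id": e["session_id"],
                "issued_on": issued_on,
                "used_on": e["device_id"],
                "ip": e["ip"],
            })
        # Rule 2: residential/mobile origin that this user has never paired
        # with this device. Country is deliberately not part of the test.
        if e["asn_type"] in RESIDENTIAL_TYPES and (e["asn"], e["device_id"]) not in known[e["user"]]:
            alerts.append({
                "rule": "new_residential_origin",
                "user": e["user"],
                "ip": e["ip"],
                "asn": e["asn"],
                "device_id": e["device_id"],
                "country": e["country"],
            })
    return alerts


if __name__ == "__main__":
    for a in detect(EVENTS, BASELINE):
        print(a)
```

Binding the token to a device identifier rather than to an IP address is deliberate: a legitimate user who moves from home Wi-Fi to a mobile network keeps the same device and should not trip rule 1, while a token replayed from an attacker's machine does. Rule 2 is what addresses the blind spot Bienstock describes: the second and third events come from the right country and from ordinary-looking ISPs, and only the unfamiliar ASN-plus-device pairing distinguishes them from the baseline.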
