Posted on March 20, 2021 at 2:01 PM
Swiss-based cybersecurity firm PRODAFT said it had gained access to servers used by the same hacking group responsible for the SolarWinds breach.
The firm revealed some important details about the attackers' operational methods and who they have targeted. The security team also stated that the threat actors continued their hacking activities in March.
PRODAFT researchers stated that they succeeded in breaking into the hackers' computer infrastructure and uncovered evidence of an expansive cyber-espionage campaign running between August last year and March this year. The campaign targeted several government organizations and companies across the U.S. and Europe.
The researchers dubbed the hacking group SilverFish, stating that their main goal is to spy on unsuspecting users and steal vital data from their systems.
Cybersecurity community still skeptical about the discovery
The researchers, however, didn’t link the threat actors to any previously known state-sponsored hacking group. But they said SilverFish acted like an advanced persistent threat (APT) group; APT groups are considered among the most dangerous cyber-attack groups in the world since they are often linked to governments.
The researchers stated that more research is necessary to establish the actual identity of the group and its full objectives.
So it is not clear whether the hacking syndicate has Chinese or Russian ties; the U.S. and several cybersecurity firms have blamed Russia for last year’s SolarWinds attack.
The SolarWinds incident was uncovered in December after cybersecurity researchers discovered that hackers had planted malicious code in software from the popular Texas-based company SolarWinds Corp. The impact of the attack was massive, as it affected hundreds of organizations that use the SolarWinds software.
However, only a small percentage of that number was actually compromised, with reports revealing that 9 U.S. government agencies and over 100 companies were impacted.
Malwarebytes agrees with PRODAFT’s findings
PRODAFT said it had established communication with Swiss cybersecurity officials regarding the firm’s latest revelation. However, it declined to comment on the information they exchanged, citing security reasons. The FBI and SolarWinds were also contacted, but both declined requests for comment.
In December, Microsoft revealed that a second attacker may have been involved in the SolarWinds breach. But the latest revelation by PRODAFT security researchers was not welcomed with open arms by some cybersecurity researchers.
Many of them claimed to have a strong conviction that the December attack was perpetrated by none other than Russian cyber-espionage groups sponsored by the Russian government.
But they refused to criticize the report in public. Malwarebytes researchers, however, have described the findings from PRODAFT as “sound.”
They said more cyber threat groups might have been involved in the SolarWinds attack, and the recent discovery by PRODAFT confirms this.
Marcin Kleczynski, co-founder and chief executive officer of Malwarebytes, commented on the discovery of more hacking groups in the SolarWinds attack.
“The discovery of SilverFish reinforces the idea that more than one group exploited SolarWinds,” he stated. Additionally, the report has provided more insight into the group’s operational methods.
Attackers used sophisticated tools
SilverFish was involved in “extremely sophisticated” cyber espionage against about 4,720 targets, including global IT providers, major auditing/consulting firms, government institutions, and dozens of banking institutions in the EU and the U.S. The attacks also affected several pharmaceutical companies and aviation companies in the U.S.
The threat actors also used both known and unknown methods to attack their victims, in addition to the SolarWinds software vulnerability.
PRODAFT researchers maintained that the SilverFish hackers worked like regular employees, from 8 in the morning to 8 at night, Mondays to Fridays.
The threat actors also operated servers in Ukraine and Russia and shared some of their servers with Evil Corp, an infamous Russian criminal hacking syndicate.
PRODAFT also stated that the hackers were very organized in their operations. They were grouped into four teams, namely 304, 303, 302, and 301. The hackers concentrated their operations on government establishments and large multinationals such as Fortune 500 companies.
But the SilverFish hackers didn’t attack victims in Uzbekistan, Georgia, Ukraine, and Russia, according to the report. Additionally, the researchers said the U.S. was the most affected country, with about 2,400 attacks recorded there alone.