Researchers discover threat actors with links to SolarWinds hack

Report shines a light on the overlap between SilverFish cybercrime group victims and SolarWinds targets


Security researchers have discovered a large cyber espionage group with links to the recent SolarWinds attacks.

According to a report from cyber security firm Prodaft, the 'SilverFish' hacking group has carried out numerous attacks since August, including stealing confidential data from government agencies and other organizations.

Researchers gained the information by infiltrating the hackers' command and control (C2) servers. This revealed SilverFish had targeted at least 4,720 victims over the past few months, and researchers said there was a significant overlap with the organizations affected by the SolarWinds attacks.

The victims included governmental institutions, global IT providers, the aviation industry, and defense companies. Following the disclosure of the SolarWinds attack in December, a client in the financial sector that had been breached in the attacks engaged the researchers.

Based on public indicators of compromise published by FireEye, the researchers created a unique fingerprint of one of the attackers' online servers. The team then scanned the entire public IPv4 address space for hosts matching that fingerprint, and had positive detections within 12 hours of starting the scan.
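As an added example (not Prodaft's tooling and not code from the article), the fingerprint-and-hunt step described above can be expressed in Python as follows. The article does not say which server attributes the researchers fingerprinted, so the field set, the IOC record and the scan records below are constructed placeholders using reserved documentation IP ranges; the functions also go one step beyond an exact match by scoring partial matches, which is how look-alike infrastructure with a rotated certificate would still surface.

```python
"""Fingerprint a known-bad server from IOC-derived attributes and hunt for
matching hosts in scan output.  Added example; all data below is constructed."""
import hashlib
import json

# Attributes that tend to be reused across one operator's infrastructure.
# Assumption: the article does not name the fields the researchers used.
FINGERPRINT_FIELDS = ("tls_issuer", "tls_subject", "tls_serial",
                      "http_server", "http_title")

# Constructed record standing in for a public IOC of a live C2 host.
IOC_HOST = {
    "ip": "192.0.2.10",
    "tls_issuer": "CN=Example Root CA",
    "tls_subject": "CN=update-cdn.example",
    "tls_serial": "0x1A2B3C",
    "http_server": "nginx/1.18.0",
    "http_title": "403 Forbidden",
}

# Constructed scan results: one exact clone, one clone with a rotated
# certificate serial, one generic nginx host, and one unrelated host.
SCAN_RESULTS = [
    {"ip": "198.51.100.7", "tls_issuer": "CN=Example Root CA",
     "tls_subject": "CN=update-cdn.example", "tls_serial": "0x1A2B3C",
     "http_server": "nginx/1.18.0", "http_title": "403 Forbidden"},
    {"ip": "198.51.100.8", "tls_issuer": "CN=Example Root CA",
     "tls_subject": "CN=update-cdn.example", "tls_serial": "0x7F7F7F",
     "http_server": "nginx/1.18.0", "http_title": "403 Forbidden"},
    {"ip": "203.0.113.3", "tls_issuer": "CN=Other CA",
     "tls_subject": "CN=shop.example", "tls_serial": "0x000001",
     "http_server": "nginx/1.18.0", "http_title": "403 Forbidden"},
    {"ip": "203.0.113.9", "tls_issuer": "CN=Other CA",
     "tls_subject": "CN=mail.example", "tls_serial": "0x000002",
     "http_server": "Apache/2.4.41", "http_title": "Welcome"},
]


def fingerprint(record: dict) -> str:
    """Stable SHA-256 over the selected fields only; the IP is deliberately
    excluded so the same server is recognised wherever it is hosted."""
    canonical = json.dumps({k: record.get(k, "") for k in FINGERPRINT_FIELDS},
                           sort_keys=True)
    return hashlib.sha256(canonical.encode()).hexdigest()


def exact_matches(ioc: dict, scan: list) -> list:
    """IPs of scanned hosts whose fingerprint equals the IOC host's."""
    target = fingerprint(ioc)
    return [r["ip"] for r in scan if fingerprint(r) == target]


def score(ioc: dict, record: dict) -> int:
    """Number of fingerprint fields on which the two hosts agree."""
    return sum(1 for k in FINGERPRINT_FIELDS if ioc.get(k) == record.get(k))


def near_matches(ioc: dict, scan: list, min_score: int = 4) -> list:
    """(ip, score) pairs at or above min_score, best matches first."""
    hits = [(r["ip"], score(ioc, r)) for r in scan if score(ioc, r) >= min_score]
    return sorted(hits, key=lambda t: (-t[1], t[0]))


if __name__ == "__main__":
    print("exact:", exact_matches(IOC_HOST, SCAN_RESULTS))
    print("near :", near_matches(IOC_HOST, SCAN_RESULTS))
```

Two fields in the constructed set (the nginx banner and the 403 title) are shared by a large share of benign hosts, which is why the third scan record scores 2 and is not reported at the default threshold; a fingerprint built only from such low-entropy fields would flood an Internet-wide scan with false positives, so hits from a hunt like this are leads to verify, not confirmed C2.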

Once the team gained access to a C2 server, they found SilverFish had four teams actively exploiting the victims’ devices. SilverFish uses a team-based workflow model and a triage system similar to modern project management applications like Jira.

“Whenever a new victim is infected, it is assigned to the current ‘Active Team’ which is pre-selected by the administrator. Each team on the C&C server can only see the victims assigned to them. Furthermore, the system has the capability to auto-assign victims based on the current workload,” said researchers.

Researchers said the US was by far the most frequently targeted region, with 2,465 victims recorded, while a further 1,645 victims were in several European countries.

While the hackers mainly used English, there were comments written in Russian slang and vernacular. Evidence researchers found suggested the hackers ran servers in Ukraine and Russia.

Most of the group's activity occurred between 08:00 and 20:00 UTC.

“From our point of view, this illustrates the existence of an organization that operates in an organized and disciplined manner in a hierarchical environment, one that is even highly compartmentalized,” said researchers.
