Kremlin-Backed Hackers Still Stealing U.S. Data 'Relevant to Russian Interests': Report

Kremlin-protected hackers responsible for the sweeping SolarWinds cyberattack last year have continued to steal U.S. data that is "relevant to Russian interests" throughout this year, according to a new report from cybersecurity firm Mandiant.

The report said the hackers have been able to infiltrate U.S. and allied government agencies, as well as think tanks on foreign policy, using adaptable and stealthy techniques to go unnoticed as long as possible, the Associated Press reported.

About a year ago, Mandiant disclosed that Russian state hackers had breached roughly 100 organizations through widely used software provided by SolarWinds. Major U.S. agencies, including parts of the State Department, the Homeland Security Department and the Pentagon, were targeted, as were private companies such as Microsoft and Intel, Business Insider reported.

Mandiant said in its report Monday that hackers linked to Russia's SVR foreign intelligence agency have continued to mine data, AP reported. However, the number of breached agencies and companies was smaller compared to last year, according to Mandiant's chief technical officer, Charles Carmakal.

Carmakal said that the effects of the hacks were serious, and that the impacted companies are "also losing information." An assessment of damage from the hacks is made more difficult since not all companies are saying whether they've been attacked "because they don't always have to disclose it legally," Carmakal added.

For more reporting from the Associated Press, see below.

Russian Hacking Report
The elite Russian state hackers behind last year's massive SolarWinds cyberespionage campaign hardly eased up this year, managing plenty of infiltrations of U.S. and allied government agencies and foreign policy think tanks, a leading cybersecurity firm reported Monday. Above, the Kremlin in Moscow on September 29, 2017. Ivan Sekretarev/AP Photo

The Russian cyber spying unfolded, as always, mostly in the shadows as the U.S. government was consumed in 2021 by a separate, eminently "noisy" and headline-grabbing cyber threat—ransomware attacks launched not by nation-state hackers but rather by criminal gangs. As it happens, those gangs are largely protected by the Kremlin.

The Mandiant findings follow an October report from Microsoft that the hackers, whose umbrella group it calls Nobelium, continue to infiltrate the government agencies, foreign policy think tanks and other organizations focused on Russian affairs through the cloud service companies and so-called managed services providers on which they increasingly rely. Mandiant tips its hat to Microsoft's threat researchers in the report.

Mandiant researchers said the Russian hackers "continue to innovate and identify new techniques and tradecraft" that lets them linger in victim networks, hinder detection and confuse attempts to attribute hacks to them. In short, Russia's most elite state-backed hackers are as crafty and adaptable as ever.

Mandiant did not identify individual victims or describe what specific information may have been stolen but did say unspecified "diplomatic entities" that received malicious phishing emails were among the targets.

Often, the researchers say, the hackers' path of least resistance to their targets was cloud-computing services. From there, they used stolen credentials to infiltrate networks. The report describes how in one case they gained access to a victim's Microsoft 365 environment through a stolen session. And, the report says, the hackers routinely relied on advanced tradecraft to cover their tracks.

One clever technique discussed in the report illustrates the ongoing cat-and-mouse game that digital espionage entails. The hackers set up intrusion beachheads using IP addresses (the numeric designations that identify a device's location on the internet) that were geographically close to the account they were trying to breach—in the same address block, say, as the person's local internet provider. That makes it very difficult for security software to distinguish a hacker using stolen credentials from the legitimate user accessing their work account remotely.
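The proximate-IP trick described above is aimed at detections that key on where a login appears to come from, and the stolen-session case mentioned earlier shows why a token, once taken, can be replayed from such an address. The following is an added illustration, not code from the report or from Mandiant: with constructed sign-in records and hypothetical field names, it shows a geolocation-only check passing a request from the same /24 block as the user's home ISP, while a check tied to the session token itself flags the reuse from a different client fingerprint.

```python
import ipaddress
from collections import defaultdict

# Constructed sample sign-in records (hypothetical field names, not from the
# report). Each entry is one authenticated request to a cloud tenant. The last
# record reuses alice's session ID from an address in the same /24 block as her
# usual ISP, but with a client user agent she has never presented before.
SIGNINS = [
    {"user": "alice", "ip": "203.0.113.17", "session": "S1", "ua": "Outlook/16.0 Windows"},
    {"user": "alice", "ip": "203.0.113.17", "session": "S1", "ua": "Outlook/16.0 Windows"},
    {"user": "bob",   "ip": "198.51.100.5", "session": "S2", "ua": "Chrome/96 macOS"},
    {"user": "alice", "ip": "203.0.113.88", "session": "S1", "ua": "python-requests/2.26"},
]


def geo_proximity_only(records, prefix=24):
    """Baseline check: alert only when a user signs in from outside the
    address block seen on their first sign-in. A token replayed from an
    address in the same block sails through this check."""
    usual_block = {}
    alerts = []
    for r in records:
        block = ipaddress.ip_network(f"{r['ip']}/{prefix}", strict=False)
        usual_block.setdefault(r["user"], block)
        if block != usual_block[r["user"]]:
            alerts.append(r)
    return alerts


def session_fingerprint_check(records):
    """Alert when a session ID is presented with a client user agent that
    differs from the one it was first issued to. The check is anchored to
    the token, so the source address being 'nearby' does not help."""
    seen_agents = defaultdict(set)
    alerts = []
    for r in records:
        agents = seen_agents[r["session"]]
        if agents and r["ua"] not in agents:
            alerts.append(r)
        agents.add(r["ua"])
    return alerts


if __name__ == "__main__":
    print("geo-only alerts:", [r["ip"] for r in geo_proximity_only(SIGNINS)])
    print("session alerts: ", [r["ip"] for r in session_fingerprint_check(SIGNINS)])
```

On the constructed records the geolocation-only check raises nothing, while the session check flags the request from 203.0.113.88.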

The SolarWinds hack exploited vulnerabilities in the software supply-chain system and went undetected for most of 2020 despite compromises at a broad swath of federal agencies—including the Justice Department—and dozens of companies, primarily telecommunications and information technology providers and including Mandiant and Microsoft.

The hacking campaign is named SolarWinds after the U.S. software company whose product was exploited in the first-stage infection of that effort. The Biden administration imposed sanctions last April in response to the hack, including against six Russian companies that support the country's cyber efforts.

SolarWinds Attack Anniversary
The Department of Justice was among the U.S. government agencies and companies reportedly targeted in a sweeping Russian cyberattack campaign last year. Above, a sign outside the Robert F. Kennedy Department of Justice building in Washington, D.C., on May 4, 2021. Patrick Semansky/AP Photo