Why the private sector is the key to stopping Russian hacking group APT29


As the Russian cyber threat escalates, it becomes increasingly clear that the protection of US and European national interests is increasingly in the hands of civilians in IT and software companies. US and European IT companies that seemingly have nothing to do with the government are unwittingly serving as a springboard for cyber attacks and enemy state espionage campaigns. If these attacks are successful, they could not only have devastating effects on government and military secrets, but also undermine confidence in the software supply chain that is increasingly at the heart of the modern economy.

Over the past several months, my company, along with other large corporations including Microsoft, has seen Russian hacking group APT29 – blamed for the massive SolarWinds cyberattack and the 2015 infiltration of the Democratic National Committee – quietly trying to access large IT companies, primarily those that offer cloud-based software services to businesses and government organizations. The threat of damage is great, especially since the nimble, deep-pocketed group shows no signs of stopping. APT29 will continue to target individual workers in software supply chain companies, primarily through phishing campaigns, and will use unique and hard-to-detect tools to turn these service providers into proxies for espionage against sensitive targets such as military or government agencies.

APT29 is not interested in Microsoft or other IT companies themselves, or even their direct customers, who offer custom cloud software products. Rather, they intend to use them as proxies to attack subscribers and downstream users in the chain, which may include defense companies, government agencies, or contractors with valuable or classified information. Governments, contractors, and businesses increasingly rely on cloud services, in part for the flexibility of combining services from multiple software vendors.

In a recent case that we mitigated in a cloud-based software company, APT29 did not attempt to take or otherwise compromise the data of the large software company itself. Instead, the hackers tried to find out which people at the software company have information about or are connected to customers who are the ultimate targets. They first reached these employees through phishing campaigns and then were able to use a single tool to take over and use their legitimate network connections as a proxy to potentially reach ultimate targets but remain undetected. The tool, which we discovered, does not siphon information, but simply allows hackers to use accounts and connections as proxies to reach other targets.
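The behaviour described above, a legitimate employee account at a service provider being used to reach downstream customers it has no business with, leaves a trace in the provider's own access logs. The following is an added example, not code from the article or from any vendor mentioned in it: a small baseline-and-compare detector that flags accounts which suddenly fan out to customer tenants they never touched before, especially when that happens from a source address the account has never used. The log format, the tenant and user names, and the thresholds are all constructed assumptions for the demonstration.

```python
from collections import defaultdict
from datetime import datetime, timezone

# Constructed sample access log (assumption: the provider records, per event, the
# timestamp, the employee account, the customer tenant reached through the
# provider's support tooling, and the source IP of the session).
SAMPLE_LOG = """\
2024-03-01T09:12:00Z alice tenant-acme 10.1.1.5
2024-03-02T10:40:00Z alice tenant-globex 10.1.1.5
2024-03-03T11:05:00Z bob tenant-initech 10.1.1.9
2024-03-04T14:20:00Z alice tenant-acme 10.1.1.5
2024-03-10T08:30:00Z alice tenant-acme 10.1.1.5
2024-03-10T22:15:00Z alice tenant-initech 203.0.113.7
2024-03-10T22:18:00Z alice tenant-umbrella 203.0.113.7
2024-03-11T09:00:00Z bob tenant-initech 10.1.1.9
2024-03-11T09:30:00Z bob tenant-acme 10.1.1.9
2024-03-11T10:00:00Z carol tenant-globex 10.1.1.12
"""


def parse_line(line):
    """Parse one constructed log line into a dict with an aware UTC timestamp."""
    ts, user, tenant, ip = line.split()
    return {
        "ts": datetime.fromisoformat(ts.replace("Z", "+00:00")),
        "user": user,
        "tenant": tenant,
        "ip": ip,
    }


def parse_log(text):
    return [parse_line(line) for line in text.splitlines() if line.strip()]


def _profile(events, keep):
    """Per-user sets of tenants and source IPs over the events selected by keep()."""
    profile = defaultdict(lambda: {"tenants": set(), "ips": set()})
    for e in events:
        if keep(e):
            profile[e["user"]]["tenants"].add(e["tenant"])
            profile[e["user"]]["ips"].add(e["ip"])
    return profile


def detect_proxy_fanout(events, cutoff, min_new_tenants=2):
    """Flag accounts whose post-cutoff access pattern looks like a compromised
    account being used as a stepping stone into downstream customers.

    An alert is raised when an account reaches at least min_new_tenants tenants
    absent from its pre-cutoff baseline, or reaches any new tenant from a source
    IP it never used before. Accounts with no baseline (new hires) are skipped
    because there is nothing to compare against; they need a separate review.
    """
    baseline = _profile(events, lambda e: e["ts"] < cutoff)
    recent = _profile(events, lambda e: e["ts"] >= cutoff)
    alerts = []
    for user, r in recent.items():
        if user not in baseline:
            continue
        new_tenants = r["tenants"] - baseline[user]["tenants"]
        new_ips = r["ips"] - baseline[user]["ips"]
        if len(new_tenants) >= min_new_tenants or (new_tenants and new_ips):
            alerts.append({
                "user": user,
                "new_tenants": sorted(new_tenants),
                "new_ips": sorted(new_ips),
            })
    return alerts


def run_sample():
    """Run the detector over the constructed log with a cutoff of 2024-03-09 UTC."""
    cutoff = datetime(2024, 3, 9, tzinfo=timezone.utc)
    return detect_proxy_fanout(parse_log(SAMPLE_LOG), cutoff)


if __name__ == "__main__":
    for alert in run_sample():
        print(alert)
```

In the constructed data only `alice` is flagged: after the cutoff she reaches two tenants outside her baseline from a previously unseen address. `bob` touches one new tenant from his usual address, which a support engineer does routinely, so the rule stays quiet; the point of the two-condition threshold is to alert on fan-out or on a change of origin, not on ordinary variation in a support workload.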

This targeting of certain employees, based on their potential links with potential targets, is a unique and new approach for APT29. It’s a tedious process that hackers have gone through over time, perhaps for almost a year, without being detected inside the software vendor. Although this is the same group that the US government blamed for the attack on SolarWinds, that attack, from what we saw, was quite different. In this case, the hackers looked for possible connections only to certain clients of the software company rather than just targeting everyone through a malware update, as happened during the SolarWinds attack. The fine-grained nature of the attacks indicates that agents receive prior advice and other intelligence from their managers.

Once cyberattackers are inside the software service providers, they gain not only the access but also the knowledge to carry out sophisticated phishing attacks on valuable targets that are connected to the software providers. It’s easy to see how those working at the targets themselves would open emails and even download attachments that appear to come from their software service providers. Ultimately, this can lead to malware on the networks of government organizations and defense companies that gives attackers continuous access to valuable or classified information. This shows that no matter how well protected the end targets may think they are, there is increasingly a back door through their software vendor or anyone else they have digital connections with.

Because these players mainly rely on phishing to penetrate software vendors and the actual targets down the chain, there are no simple technological solutions such as patching a list of vulnerabilities. All of this means that it is largely up to humans within private sector companies to prevent such attacks through the usual, though often overlooked, methods such as the use of multi-factor authentication and training employees to recognize phishing attempts.

Our intelligence indicates that APT29 and other state actors will continue to target companies in the software supply chain, particularly those serving the military, defense or key technology sectors in the United States and Europe. The growing cloud computing industry is expected to be worth $1.25 trillion by 2028 and is critical to managing everything from infrastructure to supply chains to online banking. If not properly secured, the software supply chain will continue to pose a huge risk to national security and the economy.
