Security researchers have uncovered a significant cyber espionage group with links to the recent SolarWinds attacks.
According to a report from cyber security firm Prodaft, the hacking group, dubbed SilverFish, has carried out several attacks since August, including stealing sensitive data from government organizations and other companies.
Researchers obtained the information by infiltrating the hackers’ command and control (C2) servers. This revealed that SilverFish had targeted at least 4,720 victims over the previous few months. Researchers said there was a significant overlap with the organizations affected by the SolarWinds attacks.
The victims included government institutions, global IT providers, the aviation industry, and defense companies. Following the disclosure of the SolarWinds attack in December, a client in the financial sector who had been breached in the attacks contacted the researchers.
Based on public indicators of compromise published by FireEye, the researchers created a unique fingerprint of one of the online servers. The team then scanned all IPv4 ranges globally for a matching fingerprint, resulting in positive detections within 12 hours of the scan.
Once the team gained access to a C2 server, they found that SilverFish had four groups actively exploiting the victims’ devices. SilverFish uses a team-based workflow model and a triage system similar to modern project management tools such as Jira.
“Whenever a new target is infected, it is assigned to the current ‘Active Team’ which is pre-selected by the administrator. Each team on the C&C server can only see the victims assigned to them. In addition, the system has the ability to auto-assign victims based on the current workload,” said the researchers.
Researchers noted that while the US is by far the most frequently targeted country, with 2,465 attacks recorded, 1,645 victims were from several European countries.
While the hackers predominantly used English, there were comments written in Russian slang and vernacular. Evidence the researchers uncovered suggested the hackers ran servers in Ukraine and Russia.
Most of the group’s activity took place between 08:00 and 20:00 (UTC).
“From our point of view, this illustrates the existence of an organization that operates in an organized and disciplined manner in a hierarchical environment, one that is even highly compartmentalized,” said the researchers.
Some elements of this post are sourced from: