
Information security experts gained access to the servers of the hackers who attacked SolarWinds

Specialists of the Swiss information security company Prodaft gained access to the servers used by the hackers responsible for the SolarWinds hack.

Thanks to this, they were able to find out who the victims of the attacks were and how the attackers conducted their operations. According to the experts, the hacking operation was still ongoing this month.

The researchers managed to get into the computer infrastructure belonging to the cybercriminals and study the details of a large-scale malicious campaign that ran from March to August of last year. During the campaign, the attackers hit thousands of companies and government organizations in Europe and the United States. The goals of the group, which the researchers named SilverFish, were espionage and data theft, Prodaft said.

According to the researchers, SilverFish carried out “extremely sophisticated” cyberattacks on at least 4,720 victims, including government agencies, IT providers, dozens of banks, EU organizations, large audit and consulting firms, and world leaders in COVID-19 testing, aviation and defence technology.

In their attacks on victims, the attackers used not only the SolarWinds backdoor but also other methods. Prodaft experts do not attribute SilverFish to the government of any particular country, but they do classify it as an APT group.

“The hackers are showing signs of a government-funded group. In particular, they do not pursue financial gain and attack critical infrastructure,” the researchers say.

However, attributing the group to a specific government would require a more detailed analysis.

Let me remind you that we previously reported that Chinese hackers also took part in attacks on SolarWinds clients.

The Swiss company’s report was received sceptically by many American cybersecurity experts, who believe the attacks were an operation of Russian cyber spies. Nonetheless, researchers at Malwarebytes described Prodaft’s findings as “valid.”

The company’s specialists also described how the attackers carried out their operation. According to them, the hackers worked during standard business hours: Monday through Friday from 8:00 to 20:00. Their servers are located in Russia and Ukraine, and some of them are also used by Evil Corp.

The group is an “extremely well-organized” cyber-espionage organization made up of four teams named 301, 302, 303 and 304. SilverFish has targeted government organizations and large corporations, including Fortune 500 companies.

“The hackers were not interested in organizations in Russia, Ukraine, Uzbekistan and Georgia. Organizations in the United States (2,465 organizations) and Europe (1,466 organizations), including Italy, the Netherlands, Denmark, Austria, France and the United Kingdom, have suffered from the hackers the most,” the researchers say.

The hackers wrote code comments “in Russian slang and vernacular”, with English as the second main language. The source code also contained identification numbers and aliases, including “new hacker,” “cyberbro netsupport,” and “walter,” for 14 people who likely worked under the direction of the four teams, the report said.

Let me also remind you that we previously reported that the US government had warned agencies about cybersecurity risks for years.

Daniel Zimmermann

Daniel Zimmermann has been writing on security and malware subjects for many years and has been working in the security industry for over 10 years. Daniel was educated at the Saarland University in Saarbrücken, Germany and currently lives in New York.
