SilverFish: Swiss researchers identify threat actor with links to SolarWinds hack

The researchers found a 'major overlap' between the hack group's victims and those targeted in the SolarWinds attacks

A Swiss cybersecurity firm called Prodaft claims to have identified a global cyber-espionage campaign with links to the SolarWinds attack.

In a report [pdf] released last week, Prodaft researchers said that a hacking group, dubbed SilverFish, has been running a massive campaign since August to steal sensitive data from government organisations and private entities.

The researchers said they were able to infiltrate SilverFish's command and control (C2) servers, which revealed that the group had targeted nearly 4,700 victims in the past eight months. Prodaft found a major overlap between these victims and the organisations hit in the SolarWinds attacks.

Organisations targeted by the 'extremely skilled' threat group included Fortune 500 firms, governmental institutions, global IT providers, defence contractors, automotive manufacturers and aviation firms in the US, Italy, and other countries.

"We believe SilverFish is the first group that has targeted EU states by using the vulnerabilities which were tied to the SolarWinds incident," the researchers say.

Following the disclosure of the SolarWinds hack in December, Prodaft's team received an analysis request from a client whose systems were also compromised in the breach. Based on the public Indicators of Compromise released by FireEye, the team created a digital fingerprint for the SolarWinds attacks. They then ran IPv4 scans to search for other servers using the same fingerprint.

The researchers discovered about a dozen C2 servers the attackers used to monitor infected systems and send commands to them. Prodaft was able to gain access to two servers after identifying security weaknesses in their configuration.

A detailed analysis revealed evidence suggesting that the threat group had been targeting its victims since August 2020. The researchers also verified links to known victims of the SolarWinds attack by way of IP, user name, timestamp records and command execution.

According to Prodaft, SilverFish had four teams responsible for breaching victims' computers, focusing on targeting governments and big corporations.

US-based entities suffered the highest number of attacks (2,465), followed by Europe (1,466).

The hackers used Russian slang and vernacular when writing comments, although they used English as their main language.

There was evidence to suggest that hackers operated their C2 servers in Russia and Ukraine. Some of these servers were shared with a Russian threat group known as Evil Corp.

Researchers uncovered the SolarWinds hack in December, after finding that attackers had infiltrated several US government agencies and private firms using compromised Orion software from SolarWinds. US federal agencies said the attack was likely part of a cyber-espionage campaign conducted by a group with links to Russia.

In January, security researchers at Kaspersky said they had found clues suggesting a link between the SolarWinds attack and hacking tools previously used by Russia's Turla group.

Researchers said the source code for SunBurst, the malware used by SolarWinds hackers, overlapped with the Kazuar backdoor deployed by Turla to target various embassies and foreign ministers in Europe and across the world.

Last week, security vendor Mimecast revealed that its source code was stolen in cyber attacks linked to the SolarWinds breach.

The company said that the hackers used the Sunburst backdoor in the compromised versions of the SolarWinds Orion platform as the initial attack vector, and then downloaded 'a limited number of source code repositories'.

Earlier in January, Microsoft announced that SolarWinds attackers were able to access some of its source code, although they could not make any changes to it.