Russia cyber spies behind SolarWinds breach adopting new tactics, warn Five Eyes agencies

The Russian cyber spies behind the SolarWinds breach are adapting their techniques to hack into organizations that have moved their networks into cloud-hosted environments, Western officials are warning.

Cloud hosting has posed a challenge to hackers because it has effectively reduced the attack surface in terms of their ability to exploit software vulnerabilities that organizations with smaller security teams might fail to patch.

But a hacking group linked to Russia’s Foreign Intelligence Service (SVR) is finding a way around this challenge, according to a new alert issued by Britain’s National Cyber Security Centre (NCSC) alongside international partners from the Five Eyes alliance.

Over the past 12 months, these hackers have “been observed stealing system-issued access tokens to compromise victim accounts.” These access tokens can be stolen if the hackers compromise personal, unmanaged devices that have access to corporate resources.

Once inside the target’s cloud environment, the hackers have been observed registering their own devices as legitimate users on the network, ensuring that they continue to maintain access on a persistent basis.

The NCSC previously assessed it was “highly likely the SVR was responsible for gaining unauthorised access to SolarWinds Orion software and subsequent targeting,” which the British government said was “part of a wider pattern of cyber intrusions by the SVR who have previously attempted to gain access to governments across Europe and NATO members.”

“A low single digit number of public sector organisations” in the United Kingdom were targeted in the SolarWinds breach, while in the U.S. the State Department, the Department of Justice, the Department of Energy, the Cybersecurity and Infrastructure Agency and the Treasury Department all disclosed compromises.

The SVR previously targeted organizations involved in COVID-19 vaccine development and energy companies in 2020 with custom malware.

Paul Chichester, the NCSC’s director of operations, said: “We are resolute in our commitment to exposing malicious cyber activity, which includes raising awareness of changes in the behaviour of groups which persistently target the UK.

“The NCSC urges organisations to familiarise themselves with the intelligence and mitigation advice within the advisory to help defend their networks,” he added.

Russian president Vladimir Putin gave a speech to the SVR back in June 2022, when he stressed the role of the spy agency in mitigating sanctions imposed on the country over its invasion of Ukraine, although he avoided any direct reference to the invasion.

“As always, one priority area of the SVR’s work is its support of the industrial and technological development of our country; the strengthening of our defense potential. This effort is always acute, particularly now amidst attempts to apply sanctions pressure on Russia,” Putin said in June.

At the time, his comments raised fears about increasing industrial espionage from Russia, with experts telling Recorded Future News that Western companies should be on “full alert.”

The SVR has shown a “a long-term targeting pattern aimed at collecting, and enabling the collection of, foreign intelligence, a broad concept that for Russia encompasses information on the politics, economics, and military of foreign states; science and technology; and foreign counterintelligence,” officials warned in December