Researchers with the PRODAFT Threat Intelligence Team took a deep dive into the operations of the SilverFish cyber-espionage group and linked one of its command and control (C&C) servers with recent high-profile malicious attacks.
The investigation, which started from indicators of compromise (IOCs) published for the December 2020 SolarWinds attacks, has led the researchers to identifying a new advanced persistent threat (APT) group called SilverFish, which has conducted cyber-attacks on at least 4,720 targets worldwide.
Focused on espionage, the group set its eyes on governmental institutions, international IT providers, entities in the aviation industry, and companies in the defense sector.
Extremely well-organized, the researchers claim the group is believed to have close connections with the SolarWinds attacks, as well as with EvilCorp (also known as TA505), the Russian-speaking cyber-crime group that operates TrickBot, Dridex, and other well-known malware families.
“We believe our findings will reveal several previously-unknown tools, techniques and procedures related to one of the most high-profile APT groups in history,” the PRODAFT Threat Intelligence Team notes in their report.
[ ALSO READ: Second Group May Have Targeted SolarWinds ]
Some of the most notable victims of the group include a “three letter” US agency, a US military contractor, global IT manufacturers and solution providers, European automotive manufacturing groups, aviation and aerospace manufacturers, banking institutions in the US and Europe, health departments, police networks, US public institutions, IT security vendors, pharmaceutical companies, and more.
Having access to one of threat actor’s C&C servers, the researchers discovered that the group is formed of multiple teams, with the infrastructure likely designed to serve all of them. On the C&C’s dashboard, the attackers would post comments in both English and Russian.
Analysis of the C&C panel revealed that the group has successfully compromised “nearly all critical infrastructures (as defined in the NIST Cyber Security Framework),” with half of the victims having a market value in excess of $100 million.
“While the United States is by far the most frequently targeted region, with 2465 attacks recorded, it is followed by European states with 1645 victims originating from no less than 6different member states,” the report reveals.
The researchers also note that the group is mainly focused on reconnaissance and data exfiltration, that it is well organized (administrator accounts manage the C&C server, hackers work between specific hours), that they have developed a malware detection sandbox that leverages actual live victim servers, and that, although the investigation focused on US and Europe, the group has ongoing campaigns in other parts of the world as well.
In the C&C source code, the researchers discovered the nicknames and ID numbers of 14 people who appear to be working under the supervision of 4 different teams. Furthermore, the PRODAFT Threat Intelligence Team linked some of these with profiles on underground hacking forums.
Following initial compromise, the hackers leverage publicly available red teaming tools to gain a foothold onto the victim systems, perform reconnaissance, and exfiltrate data of interest. The attackers use compromised domains to redirect traffic to their C&C, creating subdomains to avoid disrupting legitimate traffic.
“Considering the change frequency of the domains, we believe that the SilverFish group has more than thousand already compromised web sites which are rotated almost every other day. Our research also shows that significant number of the compromised websites were using WordPress,” the report reads.
The SilverFish group, the researchers say, appears involved in multiple ongoing operations that employ the same tools, tactics, and procedures (TTPs), but target different regions, for different motives. The group is believed to be the first to have targeted EU states using the SolarWinds vulnerabilities.
“At this stage, we do not have a complete understanding of the clear purpose of these attacks other than those of the group’s previous operations. This means we have yet to receive information about data exfiltration or the utilization of ransomware. Regardless, the attacker has clearly shown that they possess the motivation, willingness, and capacity to plan and execute activities of this character and scale,” the researchers conclude.