How the Russian hacking group Cozy Bear, suspected in the SolarWinds breach, plays the long game

Written by and

As U.S. government agencies and thousands of companies around the world assess whether they’ve been compromised in the SolarWinds breach, cybersecurity experts are concerned that the full reach of the suspected hackers may only be just coming to light.

People familiar with the matter have told outlets including The Washington Post that the culprit is one of the most persistent and savvy hacking groups on the planet: the Russian government-backed APT29, also known as Cozy Bear. Cyber threat intelligence firms have been more cautious in assigning blame, even as they acknowledge significant similarities.

The group, reportedly linked to Russia’s foreign intelligence service, the SVR, and sometimes the FSB, is notorious for running multi-pronged efforts, and for not backing down from espionage operations, even after they are discovered. APT29 has historically gone to great lengths to conceal its activities, at times running years-long espionage operations, according to security researchers.

“This is a patient, well-resourced, and focused adversary that has sustained long duration activity on victim networks,” the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA) warned Thursday about the SolarWinds attackers.

The U.S. government has not formally blamed any group for the SolarWinds breach, which has reportedly affected the departments of Homeland Security, Treasury, Energy and a number of companies. CISA, though, noted in its release that the U.S. government “expects that removing this threat actor from compromised environments will be highly complex and challenging for organizations.”

Cozy Bear is thought to be made up of several different networks of hackers, which can also make attribution difficult, said Matthieu Faou, a malware researcher at Slovakia-based ESET, which has not linked the group to the SolarWinds breach.

“I believe that it is composed of several sub-groups that have different objectives and tools, even if they sometimes share some implants,” he said, adding the group is “far from being monolithic.”

Much of the group’s tools are custom-made, and would require various developers and operators for successful campaigns. Security firm F-Secure has also said the group likely divides itself into subset groups to handle its intricate taskings.

Some other nation-state hacking groups typically respond to being called out by backing off and retooling, while others completely abandon their campaigns.

“APT29 tends to deploy multiple implants on the same machine so when one is detected, they re-use the remaining one in order to re-take control of the machine,” said Faou. “APT29 tends to stay as low profile as possible in order to establish persistence for years in the networks of their targets.”

When APT29 hackers were discovered conducting a years-long espionage operation targeting the Ministries of Foreign Affairs in at least three European countries, for instance, APT29 buckled down and re-infected multiple machines, according to ESET.

In that campaign, the hackers re-infected multiple machines using PsExec, a software tool that can enable lateral movement, Faou said.

Corporate executives, national security officials, state governments and the incoming Biden administration are still working to learn exactly which systems are compromised as a result of the SolarWinds incident. The campaign had somehow spread to Microsoft, Reuters reported Thursday, suggesting that the hackers’ access may be even more extensive than currently known. The company confirmed it had detected and isolated malicious SolarWinds binaries in its systems.

Doubling down

Cozy Bear hackers have previously targeted sensitive government and defense targets around the world. The group compromised the unclassified email system of the State Department, White House and Joint Chiefs in 2014 and was one of two Russian groups involved in the 2016 Democratic National Committee breach. Another Russian group, known as APT28 or Fancy Bear, is more commonly associated with the 2016 DNC breach, although both compromised DNC systems, according to security researchers.

More recently, the espionage group has gone after entities in the U.K., Canada and the U.S. the are working to develop the coronavirus vaccine, according to the National Security Agency.

Now, they’re suspected to be behind the SolarWinds operation, in which the hackers laced malware called SUNBURST into software updates of a popular network management tool to infect potentially thousands of victims across the public and private sectors.

The technical details of the SolarWinds breach available indicate hackers likely have the capability to burrow deeper into victims’ networks through other means beyond just SUNBURST, according to DHS investigators. Namely, the hackers have additional means to run their espionage operation, through Cobalt Strike, a commercial security testing tool, and TEARDROP, a strain of malicious software.

“Everybody’s talking about SUNBURST … but SUNBURST is just the initial show, it’s just the stage one,” said Kyle Hanslovan, the co-founder and CEO of Huntress Labs and a former National Security Agency employee. “We’re hardly talking about TEARDROP or the use of Cobalt Strike within the network, which is designed to be a sophisticated, unattributable nation-state level capability. … That’s where I think this real story is going to happen.”

Huntress Labs has not blamed Cozy Bear for the SolarWinds breach.

System administrators should prepare for the hackers to have moved laterally, says Chris Kubic, the former chief information security officer at the NSA and senior security architect for the Intelligence Community Information Environment.

“I fully expect for any network that they were interested in that they used SolarWinds to gain initial access [to], they certainly would have laid down persistent accesses within those networks,” said Kubic, now CISO at Fidelis Cybersecurity. “It’s expensive to get access to one of those networks, so once they do, they’re going to take advantage of it, so I fully expect that they tried where the could to move laterally and compromise other systems.”

Fidelis also has not linked Cozy Bear with the SolarWinds operation.

APT29’s stubbornness doesn’t just stand out once it’s inside a network — it is dogged from the outset, said Jamil Jaffer, a former House Intelligence Committee and White House aide.

“An attacker like Cozy Bear will spend the time and energy to get in where they want to get in, they will take as long as they need to, and use the resources they can,” said Jaffer, senior vice president at IronNet Cybersecurity and founder and executive director of the National Security Institute at George Mason University. “If it’s a high-enough value target, they will wait until they’re in.”

FireEye, the security firm that first uncovered the SolarWinds breach, said Wednesday it has worked with Microsoft and GoDaddy to develop a killswitch for SUNBURST to try to kneecap the hackers’ campaign. But the effort won’t root the hackers out of systems they’ve already successfully accessed with other backdoors that would allow them to continue to wreak havoc.

“[I]n the intrusions FireEye has seen, this actor moved quickly to establish additional persistent mechanisms to access to victim networks beyond the SUNBURST backdoor,” FireEye said. “This killswitch will not remove the actor from victim networks where they have established other backdoors. However, it will make it more difficult … for the actor to leverage the previously distributed versions of SUNBURST.”

Twists and turns

Security researchers have noted that monitoring APT29’s behaviors can be more difficult compared with similar efforts to track other Russian government-linked hacking groups, in part because they regularly overhaul their methods along the way.

The cybersecurity company Volexity has dubbed the hackers responsible for the SolarWinds breach “Dark Halo,” but given the similarities between those attackers and APT29, it’s plausible they are one and the same, said Steven Adair, founder and president.

Volexity responded to three separate incidents at a U.S. think tank over 2019 and 2020 that it linked to Dark Halo. For a while, the hackers continued to change “their tooling, their malware and how they did it so much that [Volexity] literally wouldn’t be able to link two incidents,” Adair said. Eventually, though, the company found enough commonalities in those incidents to tie them together and subsequently connect them to the SolarWinds breach.

Hackers that can run these kinds of shape-shifting campaigns provide attribution conundrums for security researchers.

And while APT29 has a reputation for careful, long-term espionage operations, ESET researchers have not found evidence that the SVR-linked hackers have conducted a supply chain attack like the SolarWinds breach in the past, making their next move, if they are indeed the culprits in the this espionage operation, a little more unpredictable.

That unpredictability, and the diversity of Cozy Bear’s tactics through the years, may make it harder to know right now whether the suspected SolarWinds hackers have other tricks up their sleeve or whether they will retreat from their apparent espionage operation. “They don’t give up easily,” Faou noted. “But when they give up, they totally disappear.”

-In this Story-

Russia, SolarWinds