Cybersecurity experts gain access to C&C servers of hacking group linked to the SolarWinds attack, with around 4,700 victims identified

Researchers at the Swiss cybersecurity firm Prodaft recently reported the identification of a large-scale hacking campaign that they link to the SolarWinds incident. According to their report, a hacking group tracked as SilverFish began, in August 2020, a broad campaign to steal sensitive data from public and private organizations around the world.

The researchers say they were able to get into the group's command-and-control (C&C) servers, where they found records showing that SilverFish had compromised about 4,700 victims in recent months. Prodaft's report points to multiple links between this campaign and the SolarWinds supply-chain attack.

As you may remember, that attack compromised many of the world's leading companies, including defense contractors, automotive companies and IT service firms, as well as multiple government organizations in the US and several European countries.

Prodaft's investigation began in December 2020, when one of its customers requested a full analysis of systems affected by the malicious SolarWinds Orion update. Starting from a set of indicators of compromise, the researchers built a fingerprint of the attackers' infrastructure and scanned the IPv4 address space for hosts matching it, in order to find other incidents with the same characteristics.
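The pivot described above, from a handful of indicators to a fingerprint that can be matched against a wider scan, is the step a practitioner would most want to see. The following is an added illustration written for this page, not Prodaft's tooling or data; the attributes assumed to be observable per host (open ports, HTTP Server header, hash of the default page, TLS certificate subject and issuer) and every host in it are constructed sample data, using documentation address ranges.

```python
"""Pivoting from indicators of compromise to a scannable infrastructure
fingerprint. Added illustration; not Prodaft's tooling or data.

Assumed (not from the article): the attributes an internet scan can observe
for each host (open ports, HTTP Server header, hash of the default response
body, TLS certificate subject and issuer) and every host below, which is
constructed sample data using documentation address ranges."""
import hashlib
from dataclasses import dataclass


@dataclass(frozen=True)
class HostObservation:
    """What one scan of one IPv4 host produced."""
    ip: str
    open_ports: frozenset
    http_server: str      # HTTP "Server" response header
    body_sha256: str      # SHA-256 of the body served at "/"
    tls_subject: str      # subject of the certificate on 443
    tls_issuer: str       # issuer of that certificate


def body_hash(body: str) -> str:
    return hashlib.sha256(body.encode()).hexdigest()


# Scalar attributes a fingerprint may be built from; ports are handled as a set.
FEATURES = ("http_server", "body_sha256", "tls_subject", "tls_issuer")

# Constructed IoCs: two hosts the analyst already knows are C&C servers.
KNOWN_BAD = [
    HostObservation("198.51.100.10", frozenset({80, 443, 8443}), "nginx/1.18.0",
                    body_hash("<html>ok</html>"), "CN=localhost", "CN=localhost"),
    HostObservation("198.51.100.11", frozenset({443, 8443}), "nginx/1.18.0",
                    body_hash("<html>ok</html>"), "CN=localhost", "CN=localhost"),
]

# Constructed results of a wider scan: one identical server, one ordinary
# nginx host, and one sharing the certificate and server but not the body.
CANDIDATES = [
    HostObservation("203.0.113.5", frozenset({443, 8443}), "nginx/1.18.0",
                    body_hash("<html>ok</html>"), "CN=localhost", "CN=localhost"),
    HostObservation("203.0.113.6", frozenset({80, 443}), "nginx/1.18.0",
                    body_hash("<html>Welcome</html>"), "CN=shop.example",
                    "CN=R3, O=Let's Encrypt"),
    HostObservation("203.0.113.7", frozenset({443, 8443}), "nginx/1.18.0",
                    body_hash("<html>403</html>"), "CN=localhost", "CN=localhost"),
]


def build_fingerprint(known_bad):
    """Keep only the attributes that every known-bad host shares: those are
    the stable features worth pivoting on. Ports are intersected, so the
    fingerprint requires the ports common to all IoC hosts."""
    if not known_bad:
        raise ValueError("need at least one known-bad host")
    fp = {}
    for feat in FEATURES:
        values = {getattr(h, feat) for h in known_bad}
        if len(values) == 1:          # consistent across all IoCs
            fp[feat] = values.pop()
    common_ports = frozenset.intersection(*(h.open_ports for h in known_bad))
    if common_ports:
        fp["open_ports"] = common_ports
    return fp


def matched_features(fp, host):
    """Names of the fingerprint attributes that this host satisfies."""
    hits = set()
    for feat, value in fp.items():
        if feat == "open_ports":
            if value <= host.open_ports:   # host must expose all common ports
                hits.add(feat)
        elif getattr(host, feat) == value:
            hits.add(feat)
    return hits


def classify(fp, host):
    """'match' only when every attribute agrees; a single common attribute
    such as an nginx version string is far too weak on its own."""
    hits = len(matched_features(fp, host))
    if hits == len(fp):
        return "match"
    if hits * 2 >= len(fp):
        return "partial"   # worth a manual look, not an alert
    return "none"


def scan_candidates(fp, hosts):
    """Map each scanned host's IP to its verdict against the fingerprint."""
    return {h.ip: classify(fp, h) for h in hosts}


if __name__ == "__main__":
    fingerprint = build_fingerprint(KNOWN_BAD)
    for ip, verdict in scan_candidates(fingerprint, CANDIDATES).items():
        print(ip, verdict)
```

Two caveats apply to any real use of this pattern. A fingerprint assembled only from attributes that are common across the internet (a stock web server banner, a self-signed "CN=localhost" certificate) will produce false positives, so attributes should be weighted by how rare they are in the scan population, and a "match" is a lead to be confirmed against the host, not proof that it belongs to the same operator. Scanning the IPv4 space and, as in the report, going further and accessing servers, also has legal constraints that differ by jurisdiction.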

Soon after, the experts discovered at least a dozen C&C servers that the attackers used to keep track of compromised systems and send them arbitrary commands. The researchers say they gained access to at least two of these servers by exploiting unpatched flaws on them.

Subsequent analysis produced evidence indicating that the group has been active since August 2020. On these servers the experts also found links to known victims of the SolarWinds attack, through indicators such as IP addresses, usernames and executed commands: "This hacker group had four systems linked to the compromise of government systems and large corporations," the report says.

The report also describes evidence suggesting that the group's C&C servers were operated from Russia and Ukraine, and that some of them were shared with the Russian cybercrime group known as Evil Corp.

The hypothesis of Russian threat actors dates back to January 2021, when researchers at the security firm Kaspersky published findings linking the attack to the tooling of Turla, a cyber-espionage group attributed to the Russian government. That report showed that Sunburst, the backdoor used by the SolarWinds attackers, shares several code features with the Kazuar backdoor, which Turla has mainly used to infect government systems around the world; Kaspersky cautioned that such code overlaps have several possible explanations and do not by themselves establish who was behind the attack.