Russian Hackers Hid Behind American Home Networks

A few days back we saw the Groove gang urging all ransomware gangs to come together and target the U.S. public sector. Now, a report found that Russian military hackers employed a particular technique to hide their activities while attacking high-level American targets.

What’s going on?

The hackers—reportedly belonging to Russia’s Foreign Intelligence Service—leverage residential IP proxies to gain access and mask their activities. Residential proxies are IP addresses tied to a particular location and can be bought on the internet. The group, tracked by Microsoft as Nobelium, is the same one that conducted the infamous SolarWinds attack. The main targets of the campaign included government agencies and several industries related to Russian affairs.

How did they do it?

A report by Bloomberg sheds light on the method used by the gang to evade detection.
  • Residential proxies allowed the attackers to route their internet traffic through a home user's connection. This makes the traffic appear to originate from a residential broadband customer in the U.S. rather than from somewhere else, such as Eastern Europe.
  • Nobelium utilized at least two residential proxy providers, which have not yet been identified.
  • The campaign has been ongoing for months as the hackers use huge pools of local IP addresses to guess passwords. This spreads the attempts so that the same account is not hit from the same IP address more than a few times.
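To illustrate the detection problem the list describes, here is an added example (not from the article or from Microsoft's guidance) run over a constructed authentication log: a rule that thresholds failed logins per source IP never fires against guesses spread over many residential IPs, while a rule that counts distinct source IPs per account within a time window does.

```python
# Added example (not from the article): detecting password guessing that is spread
# across a large pool of residential proxy IPs. A per-IP failed-login threshold never
# fires because each IP touches each account only once; distinct IPs per account does.
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample auth log: "<ISO time> <result> user=<name> src=<ip>".
SAMPLE_LOG = """\
2021-10-19T08:00:01 FAIL user=alice src=203.0.113.10
2021-10-19T08:00:07 FAIL user=alice src=198.51.100.21
2021-10-19T08:00:15 FAIL user=alice src=192.0.2.33
2021-10-19T08:00:22 FAIL user=alice src=203.0.113.77
2021-10-19T08:00:30 FAIL user=bob src=203.0.113.10
2021-10-19T08:00:41 FAIL user=alice src=198.51.100.90
2021-10-19T08:01:03 FAIL user=carol src=192.0.2.5
2021-10-19T08:01:10 OK user=carol src=192.0.2.5
2021-10-19T08:02:00 FAIL user=dave src=198.51.100.4
2021-10-19T08:02:05 FAIL user=dave src=198.51.100.4
2021-10-19T08:02:09 FAIL user=dave src=198.51.100.4
"""

def parse(line):
    ts, result, user, src = line.split()
    return datetime.fromisoformat(ts), result, user[5:], src[4:]

def per_ip_alerts(log, threshold=3):
    """Classic rule: one source IP failing >= threshold times. Misses the spray."""
    fails = defaultdict(int)
    for line in log.splitlines():
        _, result, _, src = parse(line)
        if result == "FAIL":
            fails[src] += 1
    return sorted(ip for ip, n in fails.items() if n >= threshold)

def spray_alerts(log, min_distinct_ips=4, window_seconds=600):
    """Flag accounts with failed logins from >= min_distinct_ips IPs within the window."""
    window = timedelta(seconds=window_seconds)
    events = defaultdict(list)  # user -> [(timestamp, source ip)]
    for line in log.splitlines():
        ts, result, user, src = parse(line)
        if result == "FAIL":
            events[user].append((ts, src))
    flagged = {}
    for user, evs in events.items():
        evs.sort()
        for i, (start, _) in enumerate(evs):  # sliding window starting at each failure
            ips = {src for ts, src in evs[i:] if ts - start <= window}
            if len(ips) >= min_distinct_ips:
                flagged[user] = len(ips)
                break
    return flagged
```

On the sample log, `per_ip_alerts` only catches dave's single noisy IP, while `spray_alerts` flags alice, whose five failures each came from a different address.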

Why this matters

Residential IP proxies have become a favorite tool among cybercriminals, as they can be used for many malicious activities while posing as an innocent, local user based in the U.S. Proxy providers used by Nobelium and other threat actors include Oxylabs, Bright Data, and IP Burger; these companies' services are often used by several hacking groups. By using IP addresses belonging to Americans, the Russian hackers' activities appeared less suspicious. Between July 1 and October 19, Nobelium attacked 609 Microsoft customers 22,869 times.

The bottom line

This latest activity indicates that Russia is attempting to gain persistent access to technology supply chains and implement a surveillance mechanism for targets of interest to the Russian government. While the technique of leveraging residential IP proxies might seem quite prosaic, it has clearly enabled the hackers to stay busy and hidden. Microsoft has issued technical guidelines for organizations to protect themselves from such activities.

Cyware Publisher