SecurityWeek

Researchers Dive into the Operations of SilverFish Cyber-Espionage Group

Researchers with the PRODAFT Threat Intelligence Team took a deep dive into the operations of the SilverFish cyber-espionage group and linked one of its command and control (C&C) servers with recent high-profile malicious attacks.

The investigation, which started from indicators of compromise (IOCs) published for the December 2020 SolarWinds attacks, led the researchers to identify a new advanced persistent threat (APT) group, called SilverFish, which has conducted cyber-attacks on at least 4,720 targets worldwide.

Focused on espionage, the group set its eyes on governmental institutions, international IT providers, entities in the aviation industry, and companies in the defense sector.

The researchers describe the group as extremely well organized and believe it has close connections with the SolarWinds attacks, as well as with EvilCorp (also known as TA505), the Russian-speaking cyber-crime group that operates TrickBot, Dridex, and other well-known malware families.

“We believe our findings will reveal several previously-unknown tools, techniques and procedures related to one of the most high-profile APT groups in history,” the PRODAFT Threat Intelligence Team notes in their report.

Some of the most notable victims of the group include a “three letter” US agency, a US military contractor, global IT manufacturers and solution providers, European automotive manufacturing groups, aviation and aerospace manufacturers, banking institutions in the US and Europe, health departments, police networks, US public institutions, IT security vendors, pharmaceutical companies, and more.

Having gained access to one of the threat actor’s C&C servers, the researchers discovered that the group consists of multiple teams, with the infrastructure apparently designed to serve all of them. On the C&C dashboard, the attackers posted comments in both English and Russian.

Analysis of the C&C panel revealed that the group has successfully compromised “nearly all critical infrastructures (as defined in the NIST Cyber Security Framework),” with half of the victims having a market value in excess of $100 million.

“While the United States is by far the most frequently targeted region, with 2465 attacks recorded, it is followed by European states with 1645 victims originating from no less than 6 different member states,” the report reveals.

The researchers also note that the group is mainly focused on reconnaissance and data exfiltration; that it is well organized (administrator accounts manage the C&C server, and the operators work during specific hours); that it has developed a malware detection sandbox that leverages actual live victim servers; and that, although the investigation focused on the US and Europe, the group has ongoing campaigns in other parts of the world as well.

In the C&C source code, the researchers discovered the nicknames and ID numbers of 14 people who appear to work under the supervision of 4 different teams. Furthermore, the PRODAFT Threat Intelligence Team linked some of them to profiles on underground hacking forums.

Following initial compromise, the hackers leverage publicly available red teaming tools to gain a foothold on the victim systems, perform reconnaissance, and exfiltrate data of interest. The attackers use compromised domains to redirect traffic to their C&C, creating subdomains on those domains so that the sites’ legitimate traffic is not disrupted.

“Considering the change frequency of the domains, we believe that the SilverFish group has more than a thousand already compromised web sites, which are rotated almost every other day. Our research also shows that a significant number of the compromised websites were using WordPress,” the report reads.
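The two paragraphs above describe the group adding subdomains to compromised sites so the C&C redirection coexists with legitimate traffic. From the site owner's side, the practical check is to diff periodic snapshots of your own DNS zone and escalate any new hostname whose address records point outside the address space you operate. The script below is an added example, not code from PRODAFT's report or from SecurityWeek; the zone snapshots, hostnames under `example-corp.test`, the addresses and the `OWN_RANGES` network are all constructed for illustration.

```python
import ipaddress
from typing import Dict, Iterable, List, Tuple

# Each record is (hostname, record type, value). Both snapshots below are
# constructed sample data for this example, not real zone contents.
Record = Tuple[str, str, str]

BASELINE_ZONE: List[Record] = [
    ("example-corp.test", "A", "198.51.100.10"),
    ("www.example-corp.test", "A", "198.51.100.10"),
    ("mail.example-corp.test", "A", "198.51.100.20"),
    ("example-corp.test", "MX", "mail.example-corp.test."),
]

# The next snapshot: a legitimate new "blog" host on our own range, and an
# unexpected "cdn-static" host whose A record points outside our ranges.
CURRENT_ZONE: List[Record] = BASELINE_ZONE + [
    ("blog.example-corp.test", "A", "198.51.100.30"),
    ("cdn-static.example-corp.test", "A", "203.0.113.77"),
]

# Address space the organization actually operates (constructed).
OWN_RANGES = [ipaddress.ip_network("198.51.100.0/24")]


def hostnames(records: Iterable[Record]) -> set:
    """Normalized set of hostnames appearing in a snapshot."""
    return {name.lower().rstrip(".") for name, _, _ in records}


def new_hostnames(baseline: Iterable[Record], current: Iterable[Record]) -> List[str]:
    """Hostnames present in the current snapshot but absent from the baseline."""
    return sorted(hostnames(current) - hostnames(baseline))


def _in_own_ranges(value: str, ranges) -> bool:
    """True if value parses as an IP address inside one of the given networks."""
    try:
        addr = ipaddress.ip_address(value)
    except ValueError:
        return False  # not an address literal (e.g. a CNAME or MX target)
    return any(addr in net for net in ranges)


def suspicious_new_records(baseline, current, ranges) -> List[Tuple[str, str]]:
    """New hostnames whose A/AAAA records resolve outside the organization's ranges."""
    fresh = set(new_hostnames(baseline, current))
    flagged = []
    for name, rtype, value in current:
        host = name.lower().rstrip(".")
        if host in fresh and rtype in ("A", "AAAA") and not _in_own_ranges(value, ranges):
            flagged.append((host, value))
    return sorted(flagged)


def review_zone(baseline, current, ranges) -> Dict[str, list]:
    """Summarize what changed between two zone snapshots."""
    return {
        "new": new_hostnames(baseline, current),
        "suspicious": suspicious_new_records(baseline, current, ranges),
    }


if __name__ == "__main__":
    report = review_zone(BASELINE_ZONE, CURRENT_ZONE, OWN_RANGES)
    for host in report["new"]:
        print("new hostname:", host)
    for host, addr in report["suspicious"]:
        print("REVIEW: new host points outside own ranges:", host, "->", addr)
```

Every new hostname is worth a look, since a compromised CMS can also be made to add records through a hosting API; the ones pointing outside your own address space are the ones to escalate first. In production the snapshots would come from a zone transfer or the DNS provider's API, and the same diff can be run over the web server's virtual host and rewrite configuration, which is the other place a redirect can be planted.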

The SilverFish group, the researchers say, appears to be involved in multiple ongoing operations that employ the same tools, tactics, and procedures (TTPs) but target different regions for different motives. The group is believed to be the first to have targeted EU states using the SolarWinds vulnerabilities.

“At this stage, we do not have a complete understanding of the clear purpose of these attacks other than those of the group’s previous operations. This means we have yet to receive information about data exfiltration or the utilization of ransomware. Regardless, the attacker has clearly shown that they possess the motivation, willingness, and capacity to plan and execute activities of this character and scale,” the researchers conclude.

Related: New Zero-Day, Malware Indicate Second Group May Have Targeted SolarWinds

Related: Elusive Lebanese Threat Actor Compromised Hundreds of Servers

Written By

Ionut Arghire is an international correspondent for SecurityWeek.
