New details of an extended cyber espionage campaign directed against private corporations are emerging, and there are indications that it is the work of Russian state-sponsored advanced persistent threat (APT) groups. The campaign, which has been active since at least December 2019, appears to be focused on corporate mergers and acquisitions (M&A).
The hackers appear to be content to quietly penetrate networks and monitor email traffic, sometimes for months at a time. This level of patience, and the absence of any immediate for-profit action linked to the group, are also strong indications that a nation-state hacking team is involved, but it is still unclear exactly what the motivation is or how the harvested information is meant to be used.
Profit motive yet to emerge in extensive M&A spying campaign
Much of the investigation into the mysterious cyber espionage team has been conducted by security firm Mandiant, which sees overlaps in the group’s tools and tactics with those of the infamous Russian “Cozy Bear” (APT29) hacking team. This is the group that has been named as the culprit in the 2016 hacking of the Democratic National Committee and the 2020 SolarWinds supply-chain compromise, among its other high-profile operations over the past decade.
So there is a strong indication that Russia has developed an interest in M&A activity throughout the world, but the exact plan for this cyber espionage campaign remains unclear. Criminal actors have frequently targeted M&A deals over the past two years, but they usually move quickly to monetize their access (either by deploying ransomware or by threatening to manipulate stock prices). If the Russians are behind this campaign, they seem content to simply gather information over long periods of time without making any obvious for-profit moves.
Cyber espionage campaign focuses on combing, monitoring corporate email systems
Mandiant finds that the cyber espionage effort is focused on the targets’ email, searching mailboxes across entire networks for terms relating to M&A discussions and corporate transactions using specialized tools. In 2021, intrusions had a median dwell time of 21 days; this group has lingered for as long as 18 months harvesting information while managing to evade detection.
Part of the group’s success lies in its use of Internet of Things (IoT) devices as footholds. It specifically targets IoT cameras known to have security flaws, and has amassed a very large botnet of such devices that it employs in its attacks. Inside victim networks it also plants its tooling on a variety of IoT devices and network appliances that cannot run antivirus or endpoint protection software, and that are known to no longer receive vendor security updates. Host-based detection therefore never gets a look at the implant.
The M&A attackers seem to have a preference for on-premises Microsoft Exchange servers and Exchange Online (Microsoft 365) mailboxes, and while they scoop up emails from across a network they do have some particular priorities. They look for recent messages, generally disregarding anything older than a cutoff date, and pay special attention to executive and IT staff mailboxes. Because the group operates from devices that endpoint protection cannot see, Mandiant suggests that successful defense will require logging network traffic and watching it for suspicious patterns, such as appliances initiating connections they have no business making.
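The kind of network-layer check the preceding paragraph points at, as an added illustration rather than anything from the Mandiant report or the article: flow records are matched against an inventory of devices that cannot run endpoint protection, and any such device that initiates a connection to the internet, to a mail server, or over SSH is flagged. The flow lines, subnets, host addresses, device names and thresholds are all constructed for the example.

```python
"""Flag flows that an unmanaged appliance (camera, SAN array, load balancer)
should never originate.  Illustrative example; the inventory, networks and
flow records below are constructed, not taken from any real incident."""
import ipaddress
from dataclasses import dataclass

# Hypothetical inventory of devices that cannot run AV/EDR (constructed).
UNMANAGED_APPLIANCES = {
    "10.20.0.11": "camera-confroom-a",
    "10.20.0.12": "camera-confroom-b",
    "10.30.0.5": "san-array-1",
}
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8")]   # constructed RFC1918 range
MAIL_SERVERS = {"10.1.0.25"}                            # constructed on-prem Exchange host
LONG_FLOW_SECONDS = 3600                                # severity booster, not an alert on its own

# Constructed sample flow export: ts,src,dst,dport,bytes,duration_s
SAMPLE_FLOWS = """\
# ts,src,dst,dport,bytes,duration_s
2022-01-10T02:14:00Z,10.20.0.11,203.0.113.10,22,4821000,7200
2022-01-10T02:20:00Z,10.20.0.12,10.1.0.25,443,91000,30
2022-01-10T08:00:00Z,10.5.1.40,10.1.0.25,443,12000,5
2022-01-10T09:00:00Z,10.30.0.5,10.30.0.9,3260,500000000,86400
"""


@dataclass(frozen=True)
class Flow:
    ts: str
    src: str
    dst: str
    dport: int
    bytes_out: int
    duration_s: int


def parse_flows(text):
    """Parse the CSV-style export above into Flow records, skipping comments."""
    flows = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ts, src, dst, dport, nbytes, dur = line.split(",")
        flows.append(Flow(ts, src, dst, int(dport), int(nbytes), int(dur)))
    return flows


def is_internal(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def suspicious_flows(flows):
    """Return (device_tag, flow, reasons) for flows an appliance *initiated*
    that it has no business making.  Normal appliance traffic (e.g. the SAN
    array talking iSCSI to its own segment) produces no alert even if the
    flow is long-lived."""
    alerts = []
    for f in flows:
        tag = UNMANAGED_APPLIANCES.get(f.src)
        if tag is None:
            continue                      # only appliances as initiators are judged here
        reasons = []
        if not is_internal(f.dst):
            reasons.append("appliance initiated outbound internet connection")
        if f.dport == 22:
            reasons.append("appliance initiated SSH")
        if f.dst in MAIL_SERVERS:
            reasons.append("appliance connected to mail server")
        if reasons and f.duration_s >= LONG_FLOW_SECONDS:
            reasons.append("long-lived flow")   # only raises severity of an existing hit
        if reasons:
            alerts.append((tag, f, reasons))
    return alerts


if __name__ == "__main__":
    for tag, flow, reasons in suspicious_flows(parse_flows(SAMPLE_FLOWS)):
        print(f"{flow.ts} {tag} -> {flow.dst}:{flow.dport}: {'; '.join(reasons)}")
```

The point of keying on the initiator rather than on the destination is that the implants described above live on devices whose only legitimate traffic is usually inbound management or a small set of known peers; a camera opening SSH to an internet host, or a conference-room device talking to the mail server, is anomalous regardless of how benign the payload looks.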