As the Russian cyber threat heats up, it is becoming clearer that the protection of US and European national interests is increasingly in the hands of civilians at IT and software companies. American and European IT businesses that on the surface have nothing to do with the government are unwittingly serving as stepping-stones for enemy state cyberattacks and espionage campaigns. If these attacks are successful, they could not only have devastating effects on government and military secrets but also jeopardize trust in the software supply chain that is increasingly at the heart of the modern economy.
During recent months, my company, along with other large companies, including Microsoft, have seen the Russian hacking group APT29 — blamed for the massive SolarWinds cyberattack and the 2015 infiltration of the Democratic National Committee — quietly trying to gain access to large IT companies, mainly those that offer cloud-based software services to businesses and government organizations. The threat of damage looms large, especially because the agile and deep-pocketed group shows no signs of stopping. APT29 will continue to target individual workers at software supply chain companies, mainly through phishing campaigns, and use hard-to-detect, unique tools to turn these service providers into proxies for carrying out espionage attacks against sensitive targets like military or government agencies.
APT29 is not interested in Microsoft or other IT companies themselves, or even in their direct customers, which offer customized cloud software products. Rather, they intend to use them as proxies to attack subscribers and users further down the chain, which may include defense companies, government agencies, or contractors with valuable or classified information. Governments, contractors, and corporations increasingly rely on cloud services, partly for the flexibility they allow for services from multiple software vendors.
In a recent case we mitigated at a cloud-based software company, APT29 did not attempt to take or otherwise compromise any data from the large software company itself. Rather, the hackers attempted to find which individuals in the software company hold information about or are connected to customers that are the ultimate targets. They initially reached these employees through phishing campaigns, and then were able to use a unique tool to take over and use their legitimate network connections as proxies to potentially reach the ultimate targets but remain undetected. The tool, which we discovered, does not siphon off information, but rather just allows the hackers to use accounts and connections as proxies to reach other targets.
This targeting of certain employees, based on their potential connections to eventual targets, is a unique and new approach for APT29. It's a tedious process that the hackers carried out over time, perhaps for nearly a year, undetected inside the software supplier. Although this was the same group that the US government has blamed for the SolarWinds attack, this attack, from what we saw, was quite different. In this case, the hackers sought out possible connections only to certain customers of the software company rather than simply targeting everyone through a malicious software update as happened in the SolarWinds attack. The fine-tuned nature of the attacks points to the operatives receiving guidance and other intelligence beforehand from their handlers.
Once the cyberattackers are inside software service providers, they gain not just the access but also the knowledge needed to carry out sophisticated phishing attacks on valuable targets that are connected to the software suppliers. It is easy to see how those working at the targets themselves would open up emails, and even download attachments that look like they come from their software service providers. Ultimately, this can lead to malware on the networks of government organizations and defense companies that allows the attackers ongoing access to valuable or classified information. This shows that no matter how well protected the end targets may think they are, there is increasingly a backdoor via their software supplier or anyone they have digital connections with.
Because these actors are relying mainly on phishing to get into the software suppliers and the actual targets further down the chain, there is no easy technological solution, like patching a list of vulnerabilities. All of this means it is largely up to humans inside private-sector companies to prevent such attacks through the usual, although often ignored, methods, like using multifactor authentication and teaching employees to recognize phishing attempts.
Our intelligence indicates that APT29 and other state actors will continue to target software supply chain companies, especially those that serve the military, defense, or key technology sectors in the US and Europe. The growing cloud computing sector is expected to be worth $1.25 trillion by 2028, and is vital to managing everything from infrastructure to supply chains to online banking. If not well secured, the software supply chain will continue to pose an enormous risk to national security and the economy.