Why the Private Sector Is Key to Stopping Russian Hacking Group APT29

Left unchecked, these attacks could have devastating effects on government and military secrets and jeopardize the software supply chain and the global economy.

Shmulik Yehezkel, Chief Critical Cyber Operations Officer & CISO, CYE

December 13, 2021

4 Min Read
Hacker with map
Source: NicoElNino via Alamy Stock Photo

As the Russian cyber threat heats up, it is becoming clearer that the protection of US and European national interests is increasingly in the hands of civilians at IT and software companies. American and European IT businesses that on the surface have nothing to do with the government are unwittingly serving as stepping-stones for enemy state cyberattacks and espionage campaigns. If these attacks are successful, they could not only have devastating effects on government and military secrets but also jeopardize trust in the software supply chain that is increasingly at the heart of the modern economy. 

During recent months, my company, along with other large companies, including Microsoft, have seen the Russian hacking group APT29 — blamed for the massive SolarWinds cyberattack and the 2015 infiltration of the Democratic National Committee — quietly trying to gain access to large IT companies, mainly those that offer cloud-based software services to businesses and government organizations. The threat of damage looms large, especially because the agile and deep-pocketed group shows no signs of stopping. APT29 will continue to target individual workers at software supply chain companies, mainly through phishing campaigns, and use hard-to-detect, unique tools to turn these service providers into proxies for carrying out espionage attacks against sensitive targets like military or government agencies. 

APT29 is not interested in Microsoft or other IT companies themselves, or even in their direct customers, which offer customized cloud software products. Rather, they intend to use them as proxies to attack subscribers and users further down the chain, which may include defense companies, government agencies, or contractors with valuable or classified information. Governments, contractors, and corporations increasingly rely on cloud services, partly for the flexibility they allow for services from multiple software vendors. 

In a recent case we mitigated at a cloud-based software company, APT29 did not attempt to take or otherwise compromise any data from the large software company itself. Rather, the hackers attempted to find which individuals in the software company hold information about or are connected to customers that are the ultimate targets. They initially reached these employees through phishing campaigns, and then were able to use a unique tool to take over and use their legitimate network connections as proxies to potentially reach the ultimate targets but remain undetected. The tool, which we discovered, does not siphon off information, but rather just allows the hackers to use accounts and connections as proxies to reach other targets. 

This targeting of certain employees, based on their potential connections to eventual targets, is a unique and new approach for APT29. It's a tedious process that the hackers carried out over time, perhaps for nearly a year, undetected inside the software supplier. Although this was the same group that the US government has blamed for the SolarWinds attack, this attack, from what we saw, was quite different. In this case, the hackers sought out possible connections only to certain customers of the software company rather than simply targeting everyone through a malicious software update as happened in the SolarWinds attack. The fine-tuned nature of the attacks points to the operatives receiving guidance and other intelligence beforehand from their handlers. 

Once the cyberattackers are inside software service providers, they gain not just the access but also the knowledge needed to carry out sophisticated phishing attacks on valuable targets that are connected to the software suppliers. It is easy to see how those working at the targets themselves would open up emails, and even download attachments that look like they come from their software service providers. Ultimately, this can lead to malware on the networks of government organizations and defense companies that allows the attackers ongoing access to valuable or classified information. This shows that no matter how well protected the end targets may think they are, there is increasingly a backdoor via their software supplier or anyone they have digital connections with. 

Because these actors are relying mainly on phishing to get into the software suppliers and the actual targets further down the chain, there is no easy technological solution, like patching a list of vulnerabilities. All of this means it is largely up to humans inside private-sector companies to prevent such attacks through the usual, although often ignored, methods, like using multifactor authentication and teaching employees to recognize phishing attempts. 

Our intelligence indicates that APT29 and other state actors will continue to target software supply chain companies, especially those that serve the military, defense, or key technology sectors in the US and Europe. The growing cloud computing sector is expected to be worth $1.25 trillion by 2028, and is vital to managing everything from infrastructure to supply chains to online banking. If not well secured, the software supply chain will continue to pose an enormous risk to national security and the economy.

About the Author

Shmulik Yehezkel

Chief Critical Cyber Operations Officer & CISO, CYE

After more than 25 years in the military and the Israeli defense special forces, Shmulik joined the CYE team as Chief Critical Cyber Operations Officer & CISO. Shmulik leads the Critical Cyber Operation division (C2OPS). The C2OPS division is responsible for CYE operative operations and is composed of four main centers: data forensics and incident response (DFIR), threat hunting & computer threat intelligence (CTI), advanced cyber architecture & engineering, and the VIP security center. Shmulik is a software engineer and cyber security professional with extensive strategic and hands-on experience. Shmulik brings years’ worth of experience leading cyber operations, cyber R&D, information security, and risk management in the Israel Defense Forces, the Ministry of Defense, and the Office of the Prime Minister of Israel.

Keep up with the latest cybersecurity threats, newly discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

You May Also Like


More Insights