Hacking Spree by Suspected Russians Included US Think Tank

The suspected Russian hackers behind a global campaign of cyberattacks that have breached U.S. government agencies also hit an American think tank, according to a cybersecurity firm that has been fighting them off.

For the better part of a year, investigators at Volexity have been battling hackers that they have dubbed “Dark Halo,” according to the company’s president, Steven Adair. He said the hackers have made three attempts to access emails at one of its customers, a U.S.-based think tank, which he declined to name.

“This is a threat actor where on multiple occasions we’ve battled them out of a network only to find them returning because of a new vulnerability and do some tricks to try and stay under the radar or otherwise get access back to the network to be removed again and then come back a third time,” Adair said.

In the most recent attack, hackers used the same vulnerability in SolarWinds software that was cited in breaches on U.S. government agencies. In addition to the Department of Homeland Security, Treasury and Commerce, the State Department and the National Institutes of Health were also breached, The Washington Post reported. The hacking campaign also included an attack on the cybersecurity firm FireEye Inc.

That vulnerability was inserted by the hackers into the company’s legitimate updates to its widely used Orion software, which could allow them to compromise the servers on which it’s running, according to a statement from SolarWinds. The company said as many as 18,000 customers had installed the malicious update, meaning those networks are infected but haven’t necessarily been hacked.

Investigators have accounted for “dozens” of victims of the targeted campaign, said Charles Carmakal, senior vice president and chief technical officer at Mandiant, FireEye’s incident response arm. The attackers targeted and compromised “high value targets, both government and commercial entities,” he said.

A notorious hacking group tied to the Russian government, APT 29, is a prime suspect in the attacks. The group is also known as Cozy Bear and “the Dukes,” and while Volexity calls it “Dark Halo,” Adair said they believe it is the same group of hackers that attacked government agencies. A spokesman for the Kremlin denied the allegation.

Volexity’s account appears to be the first confirmation that the tampered SolarWinds software was used in an attack outside the U.S. government or FireEye, the cybersecurity firm that first discovered it. It’s an indication that the hackers may be using the vulnerability against a wider range of targets, including think tanks.

SolarWinds clients around the world are combing their networks for any trace of the hackers, which could increase the number of known victims in the coming days. Bloomberg News contacted dozens of companies identified by SolarWinds on its website as customers. Many that responded, including Ericsson, Siemens AG and Swisscom AG, said they were investigating whether they were impacted.

Volexity worked on the breaches at the think tank in late 2019 and 2020, according to a blog post published Monday.

In the first breach, the attackers used “multiple tools, backdoors and malware implants” that allowed them to remain undetected for years, Volexity wrote. After being removed from the network, the hackers returned a second time and exploited a vulnerability in the organization’s Microsoft Exchange Control Panel, according to Volexity.

In the third incident, in July, the hackers breached the think tank through its SolarWinds software, according to the cybersecurity company.

“The primary goal of the Dark Halo threat actor was to obtain the emails of specific individuals at the think tank,” Volexity said, in its blog post. “This included a handful of select executives, policy experts and the IT staff of the organization.”

More than a dozen firms and customers have contacted Volexity, and some of them said the infected software had sat idle on their networks.

“We encountered some customers that were years behind in their updates,” he said. “People who did that with their SolarWinds software inadvertently were in a more secure position.”

Adair said the recent news of the global hacking campaign, including FireEye’s Dec. 13 blog post revealing the malicious updates in SolarWinds software, helped nail down theories he and other Volexity investigators were already pursuing.

“We had a pretty good guess of who it was, and then the news basically cemented what we had thought. It let us quickly fill in the remaining blanks we had,” he said. “We’re certain it’s the same group.”

___

©2020 Bloomberg L.P.

Distributed by Tribune Content Agency, LLC
