The Russian government-associated hacking group Cozy Bear, also known as Advanced Persistent Threat 29, is continuing its reconnaissance activities, utilising several new stealthy intrusion techniques that allowed it to stay undetected in victim networks, according to researchers.
Security vendor Crowdstrike published a detailed analysis of the StellarParticle campaign, documenting techniques such as browser cookie theft to bypass multi-factor authentication (MFA), along with new Windows and Linux malware.
Cozy Bear would also perform "credential hopping" by logging into public-facing systems through Secure Shell (SSH) remote access software, using a local account captured during earlier credential theft activities, Crowdstrike said.
Once logged in via SSH, the hackers were able to port-forward Remote Desktop Protocol (RDP) sessions to internal servers using a domain service account, the security vendor noted.
This enabled the hackers to create further RDP sessions to other internal servers, using domain administrator accounts, and log into Office 365 with privileged access to cloud resources, Crowdstrike said.
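The hop chain described above leaves a correlatable trail: a local-account SSH login on a public-facing host, then RDP logons on internal hosts whose source address is the previous hop. The following is an added illustration, not code from Crowdstrike or from the report; it assumes a flattened log line format, a hypothetical host-to-address inventory (HOST_IPS) and constructed sample events, and links each hop to the next within a 30-minute window.

```python
import re
from datetime import datetime, timedelta

# Constructed sample events (not taken from the Crowdstrike report): an sshd
# acceptance on a public-facing host, then RDP logons (Windows Event ID 4624,
# Logon Type 10) on internal servers, flattened into one line format.
SAMPLE_EVENTS = """\
2022-01-20T02:11:05 ssh host=edge01 user=svc_backup src=203.0.113.7
2022-01-20T02:14:40 rdp host=fileserv02 user=CORP\\svc_sql src=10.0.0.5
2022-01-20T02:20:12 rdp host=dc01 user=CORP\\adm_jsmith src=10.0.0.21
2022-01-20T09:00:00 ssh host=edge01 user=deploy src=198.51.100.9
2022-01-20T15:00:00 rdp host=fileserv02 user=CORP\\svc_sql src=10.0.0.5
"""

# Hypothetical asset inventory: internal address of each monitored host.
HOST_IPS = {"edge01": "10.0.0.5", "fileserv02": "10.0.0.21", "dc01": "10.0.0.30"}
WINDOW = timedelta(minutes=30)

LINE_RE = re.compile(r"(\S+) (ssh|rdp) host=(\S+) user=(\S+) src=(\S+)")


def parse_events(text):
    """Parse the flattened log lines into dicts, skipping malformed lines."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts, kind, host, user, src = m.groups()
            events.append({"ts": datetime.fromisoformat(ts), "kind": kind,
                           "host": host, "user": user, "src": src})
    return events


def find_credential_hops(events):
    """Return chains of (host, user): a local-account (no DOMAIN\\) SSH login,
    followed by domain-account RDP logons sourced from the previous hop's
    address, each within WINDOW of the hop before it."""
    chains = []
    for ssh in (e for e in events if e["kind"] == "ssh" and "\\" not in e["user"]):
        chain, cur = [ssh], ssh
        while True:
            nxt = next((e for e in events if e["kind"] == "rdp"
                        and "\\" in e["user"]
                        and e["src"] == HOST_IPS.get(cur["host"])
                        and cur["ts"] < e["ts"] <= cur["ts"] + WINDOW), None)
            if nxt is None:
                break
            chain.append(nxt)
            cur = nxt
        if len(chain) > 1:  # a lone SSH login is not a hop
            chains.append([(e["host"], e["user"]) for e in chain])
    return chains
```

In the sample data the 02:11 login hops edge01 to fileserv02 to dc01 and is reported as one chain, while the 09:00 login has no RDP logon from edge01 inside the window and is ignored.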
Both credential hopping and the theft of Chrome browser cookies to bypass the MFA protecting cloud resources are difficult to detect, as the hackers used strict operational security to hide their activities, but Crowdstrike was nevertheless able to capture some artifacts left by the threat actors.
Crowdstrike also found a new, low-prevalence piece of Windows malware, TrailBlazer, which disguises its command-and-control traffic as legitimate Google Notifications HTTP requests.
Crowdstrike also discovered a Linux variant of the Windows GoldMax backdoor that was deployed in mid-2019.
Other intrusion and credential theft techniques used in the StellarParticle campaign showed the attackers' high level of sophistication and expertise, which helped them avoid detection for years.
"The StellarParticle campaign, associated with the COZY BEAR adversary group, demonstrates this threat actor’s extensive knowledge of Windows and Linux operating systems, Microsoft Azure, O365, and Active Directory, and their patience and covert skill set to stay undetected for months — and in some cases, years," Crowdstrike researchers said.
Cozy Bear's goal with the StellarParticle campaign appears to be gathering sensitive information about the services and products provided by victim organisations, Crowdstrike said.
This included the hackers viewing internal business operations documents and internal knowledge repositories such as wikis.
The StellarParticle campaign is ongoing, Crowdstrike said, and is related to the Sunspot implant found in the well-publicised SolarWinds supply-chain hack in December 2020.
Security experts and the United States government have tied the Cozy Bear hacking attacks to Russia's Foreign Intelligence Service.