The two new threat actor entities associated with the attacks are UNC3004 and UNC2652, which Mandiant researchers say are affiliated with UNC2452, the SolarWinds threat actor that Microsoft dubbed Nobelium. 
Among the targets of this activity, there have been technology solutions and services providers, reseller companies, government entities, consulting organizations, and NGOs in North America and Europe, according to Mandiant researchers. 
“We have seen this threat actor ultimately target government entities, consulting organizations and NGOs in North America and Europe who directly have data of interest to the Russian government,” according to Doug Bienstock, manager of incident response at Mandiant. 
The threat actor used various techniques, including remote desktop protocol to pivot between systems that had limited internet access and execute numerous Windows commands, according to Mandiant. In one case, Windows Task Manager was used to dump process memory that belonged to LSASS. The threat actor also obtained the Azure AD Connect configuration, along with the associated AD service account and the key material used to encrypt service account credentials, according to Mandiant. 
The Active Directory Federation Services signing certificate and key material were also obtained, which allowed the threat actor to forge SAML tokens that could bypass 2FA and conditional access policies to reach Microsoft 365. 
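One defender-side check for the forged-token technique described above, added here as an illustration and not taken from the article or Mandiant's report: a SAML token signed with a stolen AD FS key is accepted by the cloud tenant, but the AD FS farm never issued it, so a federated cloud sign-in with no matching on-premises token-issuance event is the signal. The event field names, timestamps and accounts below are constructed for the example.

```python
"""Correlate cloud sign-ins that claim federated (AD FS) authentication with
the on-prem AD FS token-issuance log. A sign-in whose token was never issued
by AD FS is a candidate forged token. All records below are constructed."""
from datetime import datetime, timedelta

# Constructed AD FS token-issuance events (modelled on Event ID 1200-style records)
ADFS_ISSUANCE = [
    {"time": "2021-12-06T09:14:02Z", "user": "alice@example.test",
     "relying_party": "urn:federation:MicrosoftOnline"},
    {"time": "2021-12-06T09:31:47Z", "user": "bob@example.test",
     "relying_party": "urn:federation:MicrosoftOnline"},
]

# Constructed cloud sign-in records; "auth" says how the tenant authenticated the user
CLOUD_SIGNINS = [
    {"time": "2021-12-06T09:14:05Z", "user": "alice@example.test", "auth": "federated"},
    {"time": "2021-12-06T09:32:10Z", "user": "bob@example.test", "auth": "federated"},
    # no AD FS issuance precedes this sign-in -> candidate forged token
    {"time": "2021-12-06T11:02:33Z", "user": "carol@example.test", "auth": "federated"},
    # cloud-only authentication never touches AD FS, so it is ignored here
    {"time": "2021-12-06T11:05:00Z", "user": "dave@example.test", "auth": "cloud"},
]


def _ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ")


def unmatched_federated_signins(adfs_events, cloud_events, window_minutes=5):
    """Return federated cloud sign-ins with no AD FS issuance for the same user
    in the preceding window_minutes. Because the absence of an on-prem event is
    the signal, this must run against a complete AD FS log, not a sample."""
    issued = {}
    for ev in adfs_events:
        issued.setdefault(ev["user"].lower(), []).append(_ts(ev["time"]))
    window = timedelta(minutes=window_minutes)
    suspicious = []
    for ev in cloud_events:
        if ev["auth"] != "federated":
            continue
        t = _ts(ev["time"])
        prior = issued.get(ev["user"].lower(), [])
        if not any(t - window <= i <= t for i in prior):
            suspicious.append(ev)
    return suspicious


if __name__ == "__main__":
    for hit in unmatched_federated_signins(ADFS_ISSUANCE, CLOUD_SIGNINS):
        print("federated sign-in without AD FS issuance:", hit["user"], hit["time"])
```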
In several campaigns the threat actor hosted second-stage payloads on compromised WordPress sites. This was not connected to the recent WordPress attack linked to GoDaddy, according to Bienstock.
This particular threat actor activity has been ongoing since 2020, and points to the targeted, low-and-slow approach commonly associated with nation-state threat actors, according to Allie Mellen, security and risk analyst at Forrester. 
“We are seeing an ongoing trend of threat actors targeting third-parties as an entryway into higher profile targets like governments and NGOs, as seen here,” Mellen said via email. “What is most important for organizations to take away from this is that, if they work with a high-profile target such as a government, they may become a target for nation-state attackers as they look for a way in.”
Mellen warned that for any high-profile target, third-party relationships are a potential gateway for an attack on the organization. 