Russian Hackers Used Home Networks to Evade Detection

William Turton

27 Oct 2021, 01:04 AM IST

(Bloomberg) -- When an elite team of Russian government hackers attempted to break into hundreds of intelligence targets this year, they used a clever tool to cover their tracks: the mobile and home computer networks of unsuspecting Americans, according to several cybersecurity experts.

The hackers, who are believed to be working for Russia’s Foreign Intelligence Service, leveraged what is known as “residential IP proxies” in order to gain access and evade detection, the experts said.

In a campaign disclosed by Microsoft Corp. on Monday, the company said it notified “609 customers that they had been attacked 22,868 times” by the hackers since May, with a success rate in the low single digits. Microsoft has named the Russian hacking group “Nobelium.” The same group was also accused of being behind the SolarWinds Corp. attack that was disclosed last December.

The primary targets of the campaign, which is believed to be ongoing, are “government organizations and other organizations that deal in matters of interest to Russia,” said Charles Carmakal, senior vice president of the cybersecurity firm Mandiant Inc., which worked with Microsoft to identify the alleged Russian attacks. Carmakal said the hackers used residential IP proxies, which are IP addresses associated with a specific location that can be purchased on the internet.

The intended victims include U.S. government agencies, non-government organizations and computer-security firms, according to another person familiar with the attacks, who requested anonymity to discuss confidential matters.

The Russian Embassy in Washington didn’t respond to a request for comment.

As was the case with the SolarWinds breach, the Russian hackers targeted entities “integral to the global IT supply chain,” according to Microsoft. And they used a roundabout way to try to breach their ultimate victims.

In the hack against SolarWinds, which provides IT monitoring software and management tools, the attackers placed malware in updates for a popular software product. By updating the software, SolarWinds’s customers inadvertently installed a digital backdoor that could later use for further infiltration. Ultimately, about 100 companies and nine U.S. agencies were breached in further attacks.

In the more recent cyberattacks, the hackers focused on companies that provided technology services to the ultimate targets, according to Microsoft. In doing so, they may have been attempting to find a weaker link and perhaps bypass security controls of the intended victim. In one example detailed by Microsoft, they compromised four different providers before breaching their target. The technology service providers were attacked by a variety of means, including malware, spearphishing and by attempting to guess passwords.

By using residential IP proxies, the hackers’ efforts to breach a network would appear less suspicious, originating from U.S. mobile phones or home internet networks as opposed to computers in Russia. From the outside, what may be an attack by a Russian hacker might look like an employee struggling to log in from their mobile phone.

“Residential proxies enable someone to launder their internet traffic through an unsuspecting home user to make it appear as if the traffic was originated from a U.S. residential broadband customer instead of from somewhere in Eastern Europe, for example,” Doug Madory, director of internet analysis, at cybersecurity firm Kentik Inc.

The hackers used the services of at least two residential IP proxy providers, according to Carmakal, who declined to identify them.

The hackers have been able to carry out their campaign for months while evading detection, Carmakal said. “They are using gigantic pools of local IP addresses to guess passwords. So they don’t often attempt to log into the same account via the same IP address multiple times.”

Marc Rogers, vice president of cybersecurity strategy at Okta Inc., said, “Residential proxies are now the preferred choice of a wide range of cybercriminals.”

“Now they are used for lots of stuff because you can look like an innocent residential user in Georgia,” he said.

Gene Yoo, chief executive officer of the cybersecurity firm Resecurity, said residential proxy providers have been used by Nobelium and other hacking groups to bypass security controls. He identified Bright Data, Oxylabs, IP Burger as proxy providers used by Nobelium and other hacking groups to bypass security controls. Yoo said his company tracks those companies because they are often used by hacking organizations.

Another person familiar with the tactics of Nobelium confirmed that Nobelium used the three proxy providers named by Yoo.

Bright Data, which is based in Israel, said in a statement that they had found no indication that its networks were used by Nobelium. In an interview, Bright Data Chief Executive Officer Or Lenchner said that the company conducts rigorous compliance and verification of its customers.

Vaidotas Sedys, head of risk management at Lithuania-based Oxylabs, said, “We have been carrying out an internal investigation in light of the information recently posted by Microsoft. Our internal investigation has not revealed any misuse of our services.”

Bloomberg News wasn’t able to determine where IP Burger is operated from, or who owns the company, which didn’t reply to a request for comment via its website.

Yoo said the proxy companies insist that they monitor for malicious activity but “in practice it is close to impossible.”

“They claim they do ‘Know Your Customer’ and ask for documents and sign agreements,” he said, referring to process used to verify the identity and potential risk of customers. “But it is very easy to bypass it, especially for state actors who might claim they are a marketing firm.”