The Russian hackers behind a sweeping 2020 breach of US government networks have in recent months continued to hack US organizations to collect intelligence while also targeting an unnamed European government that is a NATO member, cybersecurity analysts tell CNN.
The new findings show how relentless the hacking group — which US officials have linked with Russia’s foreign intelligence service — is in its pursuit of intelligence held by the US and its allies, and how adept the hackers are at targeting widely used cloud-computing technologies.
The hacking efforts come as Russia’s invasion of Ukraine continues to fray US-Russia relations and drive intelligence collection efforts from both governments.
“In recent months, [the hacking group] has compromised the networks of US-based organizations that have data of interest to the Russian government,” said Charles Carmakal, senior vice president and chief technology officer at US cybersecurity firm Mandiant, which has responded to the hacks. Carmakal declined to elaborate on the types or number of US organizations that had been breached.
In separate activity revealed Tuesday, US cybersecurity firm Palo Alto Networks said that the Russian hacking group had been using popular services like Dropbox and Google Drive to try to deliver malicious software to the embassies of an unnamed European government in Portugal and Brazil in May and June.
Though it’s unclear how successful those hacking attempts were, they could offer the hackers a foothold into computer networks to collect intelligence, Jen Miller-Osborn, deputy director of threat intelligence at Palo Alto Networks’ Unit 42, told CNN.
The two hacking campaigns offer the latest example of how the elite Russian hacking group tried to evade US government and private investigators pursuing it.
The Russian hacking group is best known for using tampered software made by federal contractor SolarWinds to breach at least nine US agencies in activity that came to light in December 2020. The attackers were undetected for months in the unclassified email networks of the departments of Justice, Homeland Security and others.
The group continued to target US and European government networks, and software providers serving them, throughout 2021, according to researchers.
Google and Dropbox told CNN that they took steps to thwart the latest hacking activity.
“We were aware of the activity identified in this report, and had already proactively taken steps to protect any potential targets,” said Shane Huntley, senior director of Google’s Threat Analysis Group.
A Dropbox spokesperson told CNN that the company “disabled user accounts” involved in the alleged Russian hacking campaign “immediately” after they were reported.
Russian tracking of Ukrainian hackers
Another sign of Russia’s voracious appetite for intelligence came Tuesday when researchers from Google’s Threat Analysis Group (TAG) detailed a possible effort, linked with Russia’s FSB intelligence service, to track Ukrainian hackers who have targeted Russian organizations.
The hacking group set up a web application designed to mimic a tool used by the Ukrainian IT Army — a band of hackers encouraged by the Ukrainian government that has targeted Russian corporate and government websites, according to Google. From there, the hackers may have been able to track who downloaded the app and potentially collect information on Ukrainian hackers who have been a thorn in the side of the Russian government.
Someone even sent a link to download the bugged app in the Ukrainian IT Army’s Telegram channel, according to Billy Leonard, a security engineer at Google TAG.
The group responsible, Leonard said, is known as Turla. It is considered one of the Russian government’s top-tier espionage teams alongside the hacking group responsible for the SolarWinds intrusions and other groups, and has been linked to skilled break-ins of Western government networks for years.
Since Russia’s full-scale invasion of Ukraine in February, Turla has targeted government organizations in Latvia, Lithuania and other European countries, Leonard said. But this was the first time the hackers were spotted in Ukraine in four or five months, Leonard told CNN.
Adrian Nish, a cybersecurity executive at BAE Systems Applied Intelligence who also observed the Turla activity, said that it made sense for Russian hacking teams to search for new intelligence in Ukraine as the war drags on.
“Given Russia’s faltering progress in achieving their goals in Ukraine it is to be expected that efforts of state intelligence apparatus are focused on gathering information on and disrupting opposition forces in any way that they can,” Nish told CNN.