SolarWinds Group, UNC2452 Linked to APT29
Industry: Education, Government, Medical, Technology, Telecommunications | Level: Strategic | Source: Mandiant
Mandiant's investigation of the threat activity it tracked as UNC2452 has led it to attribute that group to the advanced persistent threat (APT) group APT29. UNC2452 was the designation Mandiant used for the actor behind the SolarWinds supply-chain compromise disclosed in December 2020, so merging it into APT29 expands APT29's known profile. The group targets organizations on a large global scale across a range of sectors, including education, government and government-adjacent companies, medical, telecommunications, and technology, with particular attention to technology companies focused on identity and access management. It uses a variety of initial access vectors, including stolen credentials, phishing emails, password spraying, and supply-chain and third-party compromise.

The group is proficient in cloud technology, particularly Microsoft 365. In Mandiant's words: "APT29’s advanced knowledge of Microsoft tools and cloud environments allows the group to abuse product features to achieve and maintain access—despite strong authentication requirements– without using specific vulnerabilities or deploying custom malware. This enables them to easily pivot from on-premises networks to cloud resources to create persistent access to targets and sensitive data. Mandiant observed APT29 target and move laterally to the M365 environment starting in 2018." APT29 has also demonstrated several techniques for bypassing MFA requirements. The group operates at a high tempo: in the SolarWinds intrusion it reached domain administrator privileges within 12 hours of initial compromise, and it changes tactics quickly once its activity is discovered.
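Of the initial access vectors listed above, password spraying against Microsoft 365 is the one a defender can hunt for directly in sign-in telemetry. The detector below is an added example written for this page; it is not Mandiant's code and the page does not describe how any particular spray was detected. The sign-in records are constructed to mirror the shape of Entra ID sign-in log entries (`userPrincipalName`, `ipAddress`, `createdDateTime`, `status.errorCode`), `example.com` is a placeholder tenant, and the thresholds (five distinct accounts within an hour, no account tried more than three times) are assumptions to be tuned per environment. The spray signature it looks for is "many accounts, few attempts each, one source", which is the opposite of a brute force against a single account, and it reports any account that later signed in successfully from the spraying source, since that is the account to treat as compromised.

```python
"""Flag password-spray patterns in Microsoft 365 / Entra ID sign-in logs.

Added example for this page, not Mandiant's or the page's own code. Records
are constructed sample data in the shape of Entra ID sign-in events; the
thresholds below are assumptions and should be tuned for the tenant.
"""
from collections import defaultdict
from datetime import datetime, timedelta

INVALID_PASSWORD = 50126   # Entra ID error code: invalid username or password
SUCCESS = 0                # errorCode 0: interactive sign-in succeeded

# Assumed tuning: one source hitting >= 5 distinct accounts within 60 minutes,
# with no single account tried more than 3 times, is a spray rather than a
# brute force against one account.
MIN_DISTINCT_USERS = 5
MAX_ATTEMPTS_PER_USER = 3
WINDOW = timedelta(minutes=60)


def _event(ts, user, ip, code):
    """Build one constructed sign-in record in Entra ID sign-in log shape."""
    return {"createdDateTime": ts, "userPrincipalName": user,
            "ipAddress": ip, "status": {"errorCode": code}}


# Constructed sample telemetry (not real logs).
SAMPLE_EVENTS = [
    # A spray: six accounts, one failed try each, one source, 25 minutes,
    # followed by a success for the last account tried.
    _event("2024-05-01T02:00:00Z", "alice@example.com", "203.0.113.7", INVALID_PASSWORD),
    _event("2024-05-01T02:05:00Z", "bob@example.com",   "203.0.113.7", INVALID_PASSWORD),
    _event("2024-05-01T02:10:00Z", "carol@example.com", "203.0.113.7", INVALID_PASSWORD),
    _event("2024-05-01T02:15:00Z", "dave@example.com",  "203.0.113.7", INVALID_PASSWORD),
    _event("2024-05-01T02:20:00Z", "erin@example.com",  "203.0.113.7", INVALID_PASSWORD),
    _event("2024-05-01T02:25:00Z", "frank@example.com", "203.0.113.7", INVALID_PASSWORD),
    _event("2024-05-01T02:30:00Z", "frank@example.com", "203.0.113.7", SUCCESS),
    # A brute force against one account from another source: not a spray.
    _event("2024-05-01T03:00:00Z", "victor@example.com", "198.51.100.9", INVALID_PASSWORD),
    _event("2024-05-01T03:00:10Z", "victor@example.com", "198.51.100.9", INVALID_PASSWORD),
    _event("2024-05-01T03:00:20Z", "victor@example.com", "198.51.100.9", INVALID_PASSWORD),
    _event("2024-05-01T03:00:30Z", "victor@example.com", "198.51.100.9", INVALID_PASSWORD),
    _event("2024-05-01T03:00:40Z", "victor@example.com", "198.51.100.9", INVALID_PASSWORD),
    # A single typo from a corporate egress address: benign.
    _event("2024-05-01T09:12:00Z", "grace@example.com", "192.0.2.10", INVALID_PASSWORD),
    _event("2024-05-01T09:12:30Z", "grace@example.com", "192.0.2.10", SUCCESS),
]


def _ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ")


def detect_password_spray(events, min_users=MIN_DISTINCT_USERS,
                          max_per_user=MAX_ATTEMPTS_PER_USER, window=WINDOW):
    """Return {ip: {"targeted": [...], "succeeded": [...]}} for every source
    IP whose failed sign-ins match the spray pattern in some sliding window.

    "targeted" lists every account that failed from that IP; "succeeded"
    lists accounts that signed in successfully from the same IP, which are
    the ones to treat as compromised.
    """
    failures = defaultdict(list)   # ip -> [(time, user)]
    successes = defaultdict(set)   # ip -> {user}
    for e in events:
        user = e["userPrincipalName"].lower()
        code = e["status"]["errorCode"]
        if code == INVALID_PASSWORD:
            failures[e["ipAddress"]].append((_ts(e["createdDateTime"]), user))
        elif code == SUCCESS:
            successes[e["ipAddress"]].add(user)

    findings = {}
    for ip, fails in failures.items():
        fails.sort()
        start = 0
        for end in range(len(fails)):
            # Slide the window start forward until all events fit in `window`.
            while fails[end][0] - fails[start][0] > window:
                start += 1
            per_user = defaultdict(int)
            for _, u in fails[start:end + 1]:
                per_user[u] += 1
            if len(per_user) >= min_users and max(per_user.values()) <= max_per_user:
                findings[ip] = {
                    "targeted": sorted({u for _, u in fails}),
                    "succeeded": sorted(successes.get(ip, ())),
                }
                break
    return findings


if __name__ == "__main__":
    for ip, f in detect_password_spray(SAMPLE_EVENTS).items():
        print(ip, "sprayed", len(f["targeted"]), "accounts; successes:", f["succeeded"])
```

Two caveats when running this against real telemetry. A shared egress (NAT, proxy, VPN concentrator) legitimately produces many distinct users from one IP, so the per-user cap and a success-rate check matter more than the raw distinct-user count. Conversely, an actor who spreads the attempts across a large pool of source addresses stays under any per-IP threshold, so the same grouping should also be run on fields such as the client application or user agent, and the "succeeded" list is the part worth paging on regardless of which grouping fired.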