SolarWinds-linked hacking group SilverFish abuses enterprise victims for sandbox tests

Existing victim networks are used to test out payloads as a novel form of sandbox.

Cyberattackers involved in worldwide hacking campaigns are using the compromised systems of high-profile victims as playgrounds to test out malicious tool detection rates. 

On Thursday, Swiss cybersecurity firm Prodaft said in a report (PDF) that SilverFish, an "extremely skilled" threat group, has been responsible for intrusions at over 4,720 private and government organizations including "Fortune 500 companies, ministries, airlines, defense contractors, audit and consultancy companies, and automotive manufacturers."

Attacks are geared toward US and European entities and there is a specific focus on critical infrastructure and targets with a market value of over $100 million.  

SilverFish has been connected to the recent SolarWinds breach as "one of many" threat groups taking advantage of the situation, in which malicious SolarWinds Orion updates were pushed to customers, leading to the compromise of thousands of corporate networks. 

In December, following the disclosure of the SolarWinds breach, Prodaft received an analysis request from a client and created a fingerprint based on public Indicators of Compromise (IoCs) released by FireEye. 

After running IPv4 scans, the team found new detections within 12 hours and then began combing the web for command-and-control servers (C2s) used in the operation while refining fingerprint records. Prodaft says that after obtaining entry to the management C2 control panel, the company was able to verify links to existing SolarWinds security incidents and known victims by way of IP, username, command execution, country, and timestamp records. 

Victims verified by the company include a US military contractor, a top COVID-19 testing kit manufacturer, aerospace and automotive giants, multiple police networks, European airport systems, and "dozens" of banking institutions in the US and Europe. 

SilverFish is focused on network reconnaissance and data exfiltration and uses a variety of software and scripts for both initial and post-exploitation activities. These include readily-available tools such as Empire, Cobalt Strike, and Mimikatz, as well as tailored rootkits, PowerShell, BAT, and HTA files. 

Prodaft says that SilverFish attackers tend to follow particular behavioral patterns while enumerating domains, including running commands to list domain controllers and trusted domains, as well as displaying stored credentials and admin user accounts.  

Scripts are then launched for post-exploit reconnaissance and data theft activities. Hacked, legitimate domains are sometimes used to reroute traffic to the C2. 
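The enumeration pattern described above (listing domain controllers and trusted domains, displaying stored credentials and admin accounts) is easier to catch as a behavioral cluster than as single command strings. The following is an added detection example, not code from the Prodaft report or from ZDNet: the command patterns, the event format and the sample process-creation records are all constructed assumptions, and a real deployment would map them onto the fields your EDR or Sysmon pipeline actually emits.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed patterns for the four enumeration behaviours named in the report.
# They use well-known Windows built-ins; the mapping is ours, not Prodaft's.
PATTERNS = {
    "list_domain_controllers": re.compile(r"\bnltest(\.exe)?\b.*/dclist", re.I),
    "list_trusted_domains": re.compile(r"\bnltest(\.exe)?\b.*/domain_trusts", re.I),
    "show_stored_credentials": re.compile(r"\bcmdkey(\.exe)?\b.*/list", re.I),
    "list_admin_accounts": re.compile(r"\bnet1?(\.exe)?\s+group\b.*admin.*/domain", re.I),
}

def classify(command_line):
    """Return the set of enumeration categories a command line matches."""
    return {name for name, rx in PATTERNS.items() if rx.search(command_line)}

def detect_enumeration(events, min_categories=3, window=timedelta(minutes=15)):
    """Alert on a (host, user) pair that performs at least min_categories
    distinct enumeration actions inside one sliding time window.
    Correlating several behaviours is more robust than a single IoC match."""
    per_actor = defaultdict(list)
    for ev in events:
        cats = classify(ev["cmd"])
        if cats:
            per_actor[(ev["host"], ev["user"])].append((datetime.fromisoformat(ev["ts"]), cats))
    alerts = []
    for (host, user), hits in per_actor.items():
        hits.sort(key=lambda h: h[0])
        for i, (start, _) in enumerate(hits):
            seen = set()
            for ts, cats in hits[i:]:
                if ts - start > window:
                    break
                seen |= cats
            if len(seen) >= min_categories:
                alerts.append({"host": host, "user": user, "categories": sorted(seen)})
                break  # one alert per actor is enough
    return alerts

# Constructed Sysmon/4688-style process-creation records, not real telemetry.
SAMPLE_EVENTS = [
    {"ts": "2021-03-18T09:02:10", "host": "WS-17", "user": "CORP\\jdoe", "cmd": "nltest.exe /dclist:corp"},
    {"ts": "2021-03-18T09:02:41", "host": "WS-17", "user": "CORP\\jdoe", "cmd": "nltest /domain_trusts /all_trusts"},
    {"ts": "2021-03-18T09:03:05", "host": "WS-17", "user": "CORP\\jdoe", "cmd": "cmdkey /list"},
    {"ts": "2021-03-18T09:04:20", "host": "WS-17", "user": "CORP\\jdoe", "cmd": "net group \"Domain Admins\" /domain"},
    {"ts": "2021-03-18T11:30:00", "host": "WS-02", "user": "CORP\\admin1", "cmd": "nltest /dclist:corp"},
]

if __name__ == "__main__":
    for alert in detect_enumeration(SAMPLE_EVENTS):
        print(alert)
```

On the constructed sample the single isolated `nltest` run on WS-02 is not reported, while the clustered activity on WS-17 is; tune the threshold and window against your own baseline of legitimate administrator behaviour.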

However, perhaps the most interesting tactic observed is the use of existing enterprise victims as a sandbox. 

"The SilverFish group has designed an unprecedented malware detection sandbox formed by actual enterprise victims which enables the adversaries to test their malicious payloads on victim servers with different enterprise AV and EDR solutions, further expanding the high success rate of the SilverFish group attacks," the company says. 

The C2 panel also revealed some interesting hints about how SilverFish operates. Panels are set for "Active teams" and appear to account for multiple groups such as Team 301, 302, 303, and 304, with both English and Russian used to write comments on victim records. 

Work hours appear to stay within 8 am - 8 pm UTC, with far less activity taking place on weekends. Attacker teams seem to cycle every day or so between victims and whenever a new target is snared, the server is assigned to a particular working group for examination. 

A 'test run' of the SolarWinds Orion compromise was conducted in 2019, whereas Sunburst malware was deployed to clients between March and June 2020. SilverFish-SolarWinds attacks began at the end of August 2020 and were conducted in three waves that only ended with the seizure and sinkhole of a key domain. 

However, the team expects other spying and data theft-related attacks to continue throughout 2021.

SilverFish infrastructure has also revealed links to multiple IoCs previously attributed to TrickBot, EvilCorp, WastedLocker, and DarkHydrus. Prodaft cautions that "security analysts should not fully-automize their threat intelligence protocols [..] as acting strictly upon IoC intelligence from third-party resources may be one of the main reasons that prevent researchers from realizing the actual scope of large-scale APT attacks."

"SilverFish are still using relevant machines for lateral movement stages of their campaigns," the company added. "Unfortunately, despite being large critical infrastructure, most of their targets are unaware of the SilverFish group's presence on their networks."

As a "very sensitive matter," Prodaft told ZDNet that victims were not contacted directly. However, the firm's findings have been shared "with all responsible CERTs, and different law enforcement agencies; so that they can get in touch with the victims as the authorized body and share their findings."
