It’s been a mystery as to who is responsible for the disastrous pummeling of Accellion, the global cloud provider that, in December, suffered through a large cyberattack. This week, researchers announced that the responsible party may have ties to two prominent hacker groups.
Accellion recently discovered that a threat actor had been exploiting zero-day vulnerabilities in its legacy file-transfer service application (called “FTA” for short)—a file-sharing and storage product used by approximately 300 clients. Despite subsequent patches, there has been a steady stream of FTA-related data breaches involving banks, universities, large companies, government agencies, and more.
On Monday, Accellion announced that it has been working with cyber firm FireEye since the incident, and that researchers have identified a group, dubbed “UNC2546,” as the “criminal hacker behind the cyberattacks and data theft.”
Those who know about the world of cybersecurity know that attribution—the act of finding out who was responsible for a particular cyberattack—is a very complicated process. In reality, FireEye hasn’t quite put all the puzzle pieces together yet, so let’s step back and look at what the researchers have found.
First, what’s a UNC? The security firm has a certain method for classifying threat activity: a “UNC” (which stands for “uncategorized group”) is basically activity that hasn’t yet been classified as an APT (“advanced persistent threat”), the term used to describe well-documented threat actors that have more extensive histories. FireEye has identified two clusters of threat activity involved in the Accellion attacks: “UNC2546” and “UNC2582.” The first cluster represents activity involving compromise operations (i.e., actual hacking), while the latter was responsible for post-compromise extortion attempts, according to the researchers.
To make matters more complicated, “UNC2546" would appear to have ties to at least two other known threat actors—the most obvious of which is the ransomware gang CL0P. Indeed, almost all of the Accellion clients that have been compromised in the FTA attacks have had their data posted on the ransomware gang’s dark web “leak site.” Yet FireEye says “UNC2546” may also have ties to FIN11—a prolific, “financially motivated” hacker group that is closely associated with CL0P. In recent months, FIN11 has taken to using CL0P’s malware in its attacks. All these groups may work together or, in some cases, be the same group.
If you’re totally confused by all this, that’s fine. Brett Callow, threat analyst with Emsisoft, explains that hacker supply chains can be complex and purposefully oblique: groups work together, contract out specific tasks, and always take steps to hide what they’re doing. It can make figuring out who is to blame a Herculean, sometimes impossible, task. In an email, Callow explained how convoluted this can all get:
“Ransomware groups are amorphous. The core dev [development] team may be involved in other ransomware operations and the affiliates certainly will be. A member of REvil, for example, claimed that Egregor ransomware and Maze were both created by Evil Corp [a large cybercrime network]. And Evil Corp is responsible for WastedLocker and BitPaymer, and there may also be links to DoppelPaymer. And all those groups have affiliates and specialists who likely also work for other groups. And all use smoke and mirrors, so working out who did what and who’s working with who is far from easy.”
What we do know is that there are some digital signatures that link the Accellion threat activity to FIN11. For instance, FTA-related extortion emails had IP and email addresses that matched ones previously used by FIN11 in phishing campaigns, FireEye researchers have said. However, so far there hasn’t been enough evidence to say that FIN11 is the group behind the Accellion attacks. Much of the relationship between all of these various groups and activities is still unclear, researchers said:
The overlaps between FIN11, UNC2546 and UNC2582 are compelling, but we continue to track these clusters separately while we evaluate the nature of their relationships. One of the specific challenges is that the scope of the overlaps with FIN11 is limited to the later stages of the attack life cycle. UNC2546 uses a different infection vector and foothold, and unlike FIN11, we have not observed the actors expanding their presence across impacted networks.
FireEye researchers have been able to reveal more about how the actual attacks occurred. Digital forensics have shown that the initial intrusion mechanism used by UNC2546 in its FTA attacks was an SQL injection—a common cyberattack that injects foreign code into an application via a vulnerability. The actor then leveraged a webshell (a malicious script), which researchers have dubbed “DEWMODE,” to steal data from the FTA. DEWMODE lifted and downloaded bulk data and metadata straight from the application’s MySQL database.
After the data had been stolen via DEWMODE, “UNC2582" would kick into gear with a barrage of extortion emails. These messages were typical of the “ransom” note milieu: They would notify victims about what was going on and demand payment in exchange for the data. See below:
Of course, if the affected organization did not pay up, the hackers would typically get a little nastier. They would send a final warning to the compromised party, notifying them that if they failed to deliver on the ransom, the data would go online via CL0P’s dark web leak site for the whole world (read: other criminals) to see. In most cases, the data has ended up on on the site:
As previously noted, attribution is an infamously tricky part of threat research—so it’s no surprise that researchers aren’t 100% sure of who is behind all this. Whoever is involved, they have definitely caused a lot of mayhem.
Accellion said Monday that, of the organizations that used FTA, “fewer than 100 were victims of the attack” and “fewer than 25 appear to have suffered significant data theft.” While this means the scope of the attack is limited to a few dozen organizations, the amount of data actually stolen seems quite large. Case in point, the most recent victim to announce a breach is Kroger, the largest supermarket chain in the U.S., which said Friday that some data had been compromised. That data may have included “Social Security numbers of some of its pharmacy and clinic customers,” the chain told the Associated Press.