Lindsey O’Donnell-Welch reports:
A series of campaigns, with links to the threat actor behind the SolarWinds supply-chain intrusion, has been targeting cloud service providers with a new malware loader variant called CeeLoader.
Researchers with Mandiant in a Monday analysis said they identified two distinct clusters of activity, UNC3004 and UNC2652, which they associate with UNC2452 (also known as Nobelium or APT29), the group behind the SolarWinds supply-chain hack. However, while researchers said it was “plausible” that these are the same group, they said they don’t have enough evidence to make this determination with high confidence. The activity clusters utilized a variety of tactics and tools, including CeeLoader, in attacks that aimed to steal data “relevant to Russian interests” from businesses and government entities globally.
Read more at Decipher.