Investigation of the Solar Winds Incident… catches the tail of an attacking group called Silverfish

Proactive Protection Against Future Threats (PRODAFT), a Swiss cybersecurity firm, has announced that it gained access to a server belonging to an attacking party suspected of being behind the SolarWinds breach.

According to PRODAFT’s report, the attackers were still running the SolarWinds attack campaign that month. The report goes on to say that the operation appears to have begun in August of last year, when the attackers infiltrated their targets’ servers and began analyzing network systems and equipment. In other words, it was an eight-month-long effort.

According to PRODAFT, the attackers targeted approximately 4700 companies and government agencies in the United States and Europe during this time span: 2465 US organizations and 1466 European organizations. PRODAFT claims this is the first APT group known to use the SolarWinds vulnerability to target European organizations.

PRODAFT’s experts attribute the attack to a group they call SilverFish, and in a 51-page report they detail how the group carried out this massive attack and stole information. The report (TLPWHITE.pdf) is available for download or printing.

According to the report, SilverFish used a variety of strategies and techniques to attack its victims, and SolarWinds, an IT solution provider, is of course among them. The group appears to be one that primarily assists a state in intelligence gathering and reconnaissance operations such as the SolarWinds incident; combined with the other evidence, it does not appear to be financially motivated.

SilverFish, according to PRODAFT, is a highly hierarchical organization divided into sub-teams 301, 302, 303, and 304. The specific role of each team is still unknown, but some of them appear to have been dedicated to government agencies and Fortune 500 businesses.

The examination of the server also turned up comments and notes left by the SilverFish attackers. Their main language was English, but Russian slang and local languages were also found to be used frequently. The C&C servers tend to be located mostly in Russia and Ukraine, and some were found to be shared with Evil Corp, another Russian cyber-attack group.

PRODAFT is said to have reported its findings to Swiss law enforcement and police, who have launched an investigation. According to reports in the international press, the FBI obtained the same information and conducted its own investigation.