Holiday Bear
Holiday Bear (also tracked by Microsoft as NOBELIUM)[1] is a Russian cyber espionage group.
The name "Holiday Bear" comes from the coding system security researcher Dmitri Alperovitch uses to identify hacking groups. The name was coined by Dmitri Alperovitch and David B. Cross,[2] was first used publicly on the Risky Business podcast #611[3] on January 20, 2021, and was subsequently repeated on the CyberWire daily podcast. The group was given a separate name because of the differences from the previously known Cozy Bear and because of the timeline of its activity during the 2020 holiday period. The earliest detected breaches were of SolarWinds' Office 365 email system and may have persisted for more than 9 months.
In April 2021, the Columbia School of International and Public Affairs held a panel examining[4] the SolarWinds/Holiday Bear attack and how it shifted the debate about and expectations of cyber espionage. Brett Winterford wrote in the Risky.Biz newsletter[5] that mandatory threat intelligence sharing will not solve the threat that Holiday Bear poses to businesses, given the group's sophisticated techniques as demonstrated in Microsoft's blog post on the backdoors it created.
Attacks
In January 2021, the United States government acknowledged[6] that a large number of U.S. government agencies and businesses had been attacked by an adversary of Russian origin, which was subsequently named Holiday Bear. The first known attack was tied to the SolarWinds supply chain attacks known as SUNBURST and, subsequently, SUPERNOVA. A number of security businesses were also targeted in the supply chain attacks. One cited example from the campaign was the compromise of a Mimecast-issued certificate,[7] which was subsequently used to compromise a number of business email systems. Holiday Bear introduced the tactic of using a supply chain compromise[8] of SolarWinds to run a long-running, stealthy operation.
Microsoft President Brad Smith stated in a CBS 60 Minutes interview[9] and in his testimony[10] before the US Senate Armed Forces Committee hearings[11] that an estimated 1,000 attackers had taken part in the campaign. According to the hearings,[12] at least 100 public companies and 9 federal agencies had been attacked, but the total number of victims has not been publicly disclosed.
In May 2021, Microsoft observed[13] the unit targeting government agencies, think tanks, consultants, and non-governmental organizations.
On June 25, Microsoft also announced[14] that the group had continued its activities against Microsoft accounts using password spraying and brute-force attacks.
Government testimony
During testimony before the Congressional Homeland Cybersecurity committee,[16] Dmitri Alperovitch and others recommended changes to US cyber strategy and response[15] based on both the Holiday Bear attacks and the subsequent Microsoft Exchange attacks by Chinese attackers named HAFNIUM.
- FireEye CEO Kevin Mandia's testimony[17]
- Microsoft President Brad Smith's testimony[10]
- CrowdStrike CEO George Kurtz's testimony[18]
Formal attribution
In April 2021, the United States White House formally attributed[19] the SolarWinds attacks to the SVR as a broad cyber espionage campaign. In August 2021, Bobby Chesney wrote an excerpt[20] and an eCasebook[21] noting that although the formal attribution was tied directly to the SVR, the Holiday Bear designation is an example of attributing activity to a specialized or smaller group within a larger organization.
Risky Biz published a snippet about the Holiday Bear campaign in its September 9 newsletter,[22] indicating that Brad Smith may be publishing a book about the campaign, based on an article[23] in Fast Company magazine.
Future policy
The activities of both Holiday Bear and HAFNIUM led to an essay published in Lawfare[15] by Dmitri Alperovitch and Ian Ward on how governments should attribute attacks and subsequently respond.
References
- ↑ "GoldMax, GoldFinder, and Sibot: Analyzing NOBELIUM's layered persistence". Microsoft Security. 2021-03-04. Retrieved 2021-03-12.
- ↑ Dmitri Alperovitch [@dalperovitch]. "Holiday Bear is a way better name to use than "SolarWinds hack" given that many of the targets that we've been learning about lately had nothing to do with SolarWinds Credit to @MrDBCross for the name!" (Tweet). Retrieved 2021-03-12 – via Twitter.
- ↑ "Risky Business #611 -- MalwareBytes the latest "Holiday Bear" victim". Risky Business. Retrieved 2021-03-12.
- ↑ "Examining the SolarWinds/Holiday Bear Hack | Columbia SIPA". www.sipa.columbia.edu. Retrieved 2021-09-28.
- ↑ "Mandatory intel sharing won't cure Holiday Bear woes - Risky Business". risky.biz. Retrieved 2021-09-29.
- ↑ "US: Hack of federal agencies 'likely Russian in origin'". AP NEWS. 2021-01-05. Retrieved 2021-03-12.
- ↑ Mimecast. "Important Security Update". Mimecast Blog. Archived from the original on 2021-01-27. Retrieved 2021-03-12.
- ↑ "SolarWinds Attack Illustrates Evolving Russian Cyber Tactics". www.bankinfosecurity.com. Retrieved 2021-03-26.
- ↑ "SolarWinds: How Russian spies hacked the Justice, State, Treasury, Energy and Commerce Departments". CBS News. Retrieved 2021-03-13.
- ↑ "A digital strategy to defend the nation". Microsoft On the Issues. 2021-02-23. Retrieved 2021-03-13.
- ↑ "Hearings". Senate Intelligence Committee. Retrieved 2021-03-13.
- ↑ Volz, Dustin (2021-02-24). "More SolarWinds Hack Victims Yet to Be Publicly Identified, Tech Executives Say". Wall Street Journal. ISSN 0099-9660. Retrieved 2021-03-13.
- ↑ "Another Nobelium Cyberattack". Microsoft On the Issues. 2021-05-28. Retrieved 2021-05-28.
- ↑ "Microsoft says SolarWinds hacking group has breached three new victims". The Record by Recorded Future. 2021-06-26. Retrieved 2021-06-28.
- ↑ "How Should the U.S. Respond to the SolarWinds and Microsoft Exchange Hacks?". Lawfare. 2021-03-12. Retrieved 2021-03-17.
- ↑ "Hearing: Homeland Cybersecurity: Assessing Cyber Threats and Building Resilience". YouTube. Retrieved 2021-03-13.
- ↑ "Prepared Statement of Kevin Mandia, CEO of FireEye, Inc. before the U.S. House Committee on Oversight and Reform and House Committee on Homeland Security" (PDF). https://homeland.house.gov/imo/media/doc/Testimony-Mandia.pdf.
- ↑ "Testimony on Cybersecurity and Supply Chain Threats" (PDF).
- ↑ "White House formally blames Russian intelligence service SVR for SolarWinds hack". The Record by Recorded Future. 2021-04-15. Retrieved 2021-04-15.
- ↑ "SolarWinds and the Holiday Bear Campaign: A Case Study for the Classroom". Lawfare. 2021-08-25. Retrieved 2021-08-27.
- ↑ Chesney, Robert (2021-08-23). "Cybersecurity Law, Policy, and Institutions (version 3.1)". Rochester, NY.
- ↑ Uren, Tom. "Srsly Risky Biz: Thursday, September 9". srslyriskybiz.substack.com. Retrieved 2021-09-09.
- ↑ Smith, Brad; Browne, Carol Ann (2021-09-07). "What it was like inside Microsoft during the worst cyberattack in history". Fast Company. Retrieved 2021-09-09.