What We Know (and Don't Know) So Far About the 'Supernova' SolarWinds Attack

A look at the second elusive attack targeting SolarWinds software that researchers at Secureworks recently cited as the handiwork of Chinese nation-state hackers.

Mostly overshadowed by the massive and brazen supply chain breach of the SolarWinds Orion software-build process, the lesser-known Supernova cyberattack also remains something of a mystery. Details about the scope and victims of Supernova, which exploited a flaw in SolarWinds' Orion network management software, have so far been scarce.


Less than a handful of victims have been known to be targeted, and an investigation into the breach of one of those victims led to researchers at Secureworks tying the Supernova attacks to a previously unknown Chinese nation-state group they dubbed "Spiral."

Supernova first came to light during FireEye's investigation into the Orion software-update attack (aka Sunburst, Solorigate) back in December, and at first it was mistakenly believed to be part of the supply chain attack campaign. Microsoft soon thereafter revealed that Supernova indeed was not part of the supply chain attack.

It's likely coincidental that two separate nation-states were targeting the same software, albeit in very different ways, experts say. "I think it's a coincidence" that the Chinese and Russian advanced persistent threats (APTs) both targeted SolarWinds software in their attacks, notes Mike McLellan, director of intelligence at Secureworks. And the high-profile discovery of the attack from Russia may have "burned" China's parallel operation for now, too, he says.

That could explain the dearth of additional activity reported by researchers on Supernova: The attackers may have halted the Orion attack and sought other ways to quietly target and spy on their victims.

It's not unusual for multiple nation-state attacker groups to target the same victim organization, nor even to reside concurrently and unbeknownst to one another while conducting their intelligence-gathering operations. But Supernova and the Orion supply chain attack demonstrate how nation-states also can have similar ideas yet different methods regarding how they target and ultimately burrow into the networks of their victims.

Supernova homed in on SolarWinds' Orion by exploiting a flaw in the software running on a victim's server; Sunburst did so by inserting malicious code into builds for versions of the Orion network management platform. The digitally signed builds then were automatically sent to some 18,000 federal agencies and businesses last year via a routine software update process, but the attackers ultimately targeted far fewer victims than those who received the malicious software update, with fewer than 10 federal agencies affected as well as some 40 of Microsoft's own customers. US intelligence agencies have attributed that attack to a Russian nation-state group, and many details of the attack remain unknown.

Supernova took a more traditional, yet stealthy, approach to leveraging Orion's lucrative mapping and tracking features of a victim's network. "Supernova was looking for SolarWinds on the [victim's] network and compromising them from there," explains Secureworks' McLellan.

"The Russian activity comes from the SolarWinds network," he says of the supply chain attack using Sunburst. "That's the key difference."

Ben Read, FireEye Mandiant Threat Intelligence's director of analysis, agrees that the two attacks were separate and unrelated — with different victims. "We have no indication one operation knew about the other," he says. The widespread adoption of the Orion software may well have made it a "compelling target" for multiple state intelligence agencies to use in their attacks, he says.

Microsoft recently renamed the supply chain attack and the attackers behind it as Nobelium.

The Targets
Reuters first reported on a China nexus for the Supernova attack in early February, identifying the US Department of Agriculture's (USDA) National Finance Center (NFC) as a target of the Supernova attackers. But the USDA disputed reporting that NFC had been breached.

When contacted by Dark Reading about the Supernova attack, USDA reiterated that it had "no evidence" that NFC suffered a data breach, but it was still investigating.

"In compliance with [the Cybersecurity and Infrastructure Security Agency]'s emergency directive and to protect USDA systems, USDA notified customers in December that it had removed SolarWinds Orion products from its networks due to the SolarWinds compromise. While we continue to look into it, we have no evidence of a data breach of the USDA National Finance Center," the agency said in a statement in response to inquiries by Dark Reading.

The agency did not provide any further details, so it remains unclear exactly if or how the agency's Orion implementation was affected.

The Supernova victim that Secureworks investigated was a private-sector organization in the US, according to the security firm. "We're limited in what we can say about the victim," Secureworks' McLellan says. "Information theft was the target: information related to their clients, customers."

SolarWinds, meanwhile, says it knows of one victim of the Supernova attack, according to a company spokesperson. "That breach enabled the attackers to add the malicious Supernova code to Orion software on the customer's network," the spokesperson says, noting that the flaw since has been patched. "Supernova was neither signed nor delivered by SolarWinds, and the issue was addressed in Orion platform updates that were released in December."

SolarWinds did not disclose any additional details about the victim.

How It Works
Supernova contains two malware components: a Web shell, an unsigned Windows .dll file crafted to appear as legitimate code on Orion (app_web_logoimagehandler.ashx.b6031896.dll); and an exploit that abused the previously unknown API authentication bypass flaw (CVE-2020-10148) that was used to run the Web shell.

The now-patched vuln let an attacker run commands without authenticating to the API; the Supernova attackers used it to install the Web shell into the victims' Orion software running on their internal servers.

Secureworks found a link between Supernova and a previous attack on one of its clients, which it detailed in a blog post earlier this month.

The Spiral team exploited the API authentication flaw on Orion to drop the Supernova Web shell onto the victim's internal SolarWinds server so that it could then remotely run its own commands on the server. It then moved laterally to two hosts: a domain controller for harvesting credentials, according to Secureworks, and then a server that provided access to sensitive information about the business. The attackers appeared to know the network layout, given the speed and targeting of the servers; Secureworks incident responders thwarted further infiltration of the network.
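The article's description above is consistent with a defensive integrity check that a practitioner would want to run: SolarWinds says Supernova "was neither signed nor delivered by SolarWinds," and the Web shell carried a file name chosen to blend in with Orion's own compiled handlers. The following is an added example, not Secureworks or SolarWinds tooling. It assumes the defender keeps a manifest of SHA-256 hashes for the DLLs that shipped with the installed Orion build (a constructed manifest is used here), and it flags any DLL under the web root that is missing from that manifest or whose hash has changed. The only real identifier it uses is the Supernova DLL name quoted in the article; every other file name and byte string is constructed for the demo.

```python
"""Baseline-diff check for unexpected or replaced DLLs under an Orion web root.

Added example (not vendor or Secureworks code). Assumes a baseline manifest of
SHA-256 hashes exists for the DLLs the vendor build shipped with; the demo
below constructs one in a temporary directory so the script runs offline.
"""
import hashlib
import shutil
import tempfile
from pathlib import Path

# File name of the unsigned Supernova Web shell DLL cited in the article.
SUPERNOVA_DLL = "app_web_logoimagehandler.ashx.b6031896.dll"


def sha256_of(path: Path) -> str:
    """SHA-256 of a file, read in chunks so large assemblies are handled."""
    digest = hashlib.sha256()
    with path.open("rb") as handle:
        for chunk in iter(lambda: handle.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def find_unexpected_dlls(web_root: Path, baseline: dict) -> list:
    """Compare every DLL under web_root with the baseline manifest.

    baseline maps a lower-cased, POSIX-style relative path to the SHA-256 that
    the vendor build shipped with. Returns (relative_path, sha256, reason)
    tuples for DLLs absent from the manifest or whose hash has changed.
    """
    findings = []
    for path in sorted(web_root.rglob("*.dll")):
        rel = path.relative_to(web_root).as_posix().lower()
        digest = sha256_of(path)
        if rel not in baseline:
            reason = "not in baseline manifest"
        elif baseline[rel] != digest:
            reason = "hash differs from baseline (file replaced on disk)"
        else:
            continue
        if path.name.lower() == SUPERNOVA_DLL:
            reason += "; file name matches the Supernova Web shell"
        findings.append((rel, digest, reason))
    return findings


def build_demo_tree() -> tuple:
    """Construct a throwaway web root: two untouched assemblies plus a
    logo-handler DLL that is swapped out after the baseline was taken."""
    root = Path(tempfile.mkdtemp(prefix="orion_demo_"))
    bin_dir = root / "bin"
    bin_dir.mkdir()
    files = {  # constructed names and contents, not real Orion files
        "example_component_a.dll": b"constructed benign assembly A",
        "example_component_b.dll": b"constructed benign assembly B",
        SUPERNOVA_DLL: b"constructed stand-in for the shipped handler",
    }
    for name, content in files.items():
        (bin_dir / name).write_bytes(content)
    # Baseline recorded while everything still matched the vendor build.
    baseline = {f"bin/{name.lower()}": sha256_of(bin_dir / name) for name in files}
    # Simulate the handler being replaced by a trojanized copy afterwards.
    (bin_dir / SUPERNOVA_DLL).write_bytes(b"constructed stand-in for the Web shell")
    return root, baseline


def scan_demo() -> list:
    """Run the check against the constructed tree and clean up afterwards."""
    root, baseline = build_demo_tree()
    try:
        return find_unexpected_dlls(root, baseline)
    finally:
        shutil.rmtree(root, ignore_errors=True)


if __name__ == "__main__":
    for rel, digest, reason in scan_demo():
        print(f"{rel}  sha256={digest[:16]}...  {reason}")
```

The check deliberately reports a changed hash as well as an unknown file: a Web shell that overwrites a legitimately named handler would otherwise pass a name-only allowlist. In production the baseline should come from a clean vendor install or a known-good system, not from the host under investigation.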

"There was malicious activity on the SolarWinds server on this client's network," which Secureworks then found had exploited an API bypass vulnerability, says Marc Burnard, a senior information security researcher with Secureworks.

"They used that vuln to drop the Supernova Web shell onto the SolarWinds server and began interacting with it to run commands on the server."

They then moved laterally to a domain controller to steal credentials and another server that could have given them access to client data, he says.

The victim organization had suffered an attack in early 2020 with some similar characteristics, according to Secureworks: The attackers exploited one of the organization's public-facing ManageEngine ServiceDesk servers, silently grabbing domain credentials over a period of nearly two years, and then in August 2020 stole credentials from two of the victim's servers and used them to steal files from its Office 365 SharePoint and OneDrive cloud applications.

Secureworks matched the two attacks to the same threat actor because of the similar techniques involved: The attackers used the same commands and output file paths in the Microsoft Windows Local Security Authority Subsystem Service (LSASS), the same directory name, and a domain controller and a server to reach valuable business information. And three compromised admin accounts were used in both attacks.

Wes Riley, incident response operations and technical lead at GuidePoint Security, recently analyzed the Supernova Web shell. Riley says that although the Supernova code was not especially sophisticated, it was "elegant." The Web shell is memory-resident, and the attackers used an existing API to set up their access for gathering intel.

The Supernova Web shell poses as a SolarWinds Web service, displaying the Orion logo image. "The purpose of the file is just to grab an image ... to pull the logo for SolarWinds [Orion] and present it," he explains. "Other Web pages on that Web UI will call that file and grab the image." Placing the malicious code there was elegant and stealthy, he says.

Riley doesn't consider the SolarWinds API vulnerability that the attackers exploited a true zero-day bug. "It's a gray area," he says. The attackers basically abused a function of the software and its application programming interface. "They found a location in the software where a forward-facing page will call a function," he says.

Secureworks researchers say aside from similar characteristics of Supernova with other nation-state actors out of China, they were able to tie the two attacks on their customer to China via a small but significant misstep the attackers made: exposing an IP address. "A Secureworks endpoint detection and response (EDR) agent checked in from a host that did not belong to the compromised organization and used an IP address geolocated to China," according to Secureworks' findings.
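The misstep Secureworks describes above, an EDR agent checking in from a host that did not belong to the organization and from an address geolocated to China, is exactly the kind of signal an asset-inventory cross-check can surface automatically. The following is an added example, not Secureworks code. It assumes the defender can export agent check-in records (hostname, source address, time) and maintains an inventory of expected hostnames and address ranges; all three inputs here are constructed. Geolocation is left out so the script runs offline; "outside the organization's known ranges" stands in for it, and a practitioner would add a GeoIP enrichment step at the marked point.

```python
"""Flag EDR agent check-ins that do not fit the asset inventory.

Added example (not Secureworks tooling). The inventory, address ranges and
check-in records below are constructed for the demo.
"""
import ipaddress

# Constructed asset inventory: hostnames the organization expects to see.
KNOWN_HOSTS = {"ws-finance-01", "dc-01", "srv-files-02", "orion-01"}

# Constructed address ranges agents are expected to check in from (internal
# space plus a documentation prefix standing in for the egress block).
ORG_RANGES = [ipaddress.ip_network(n) for n in ("10.20.0.0/16", "203.0.113.0/24")]

# Constructed check-in records: (hostname, source_ip, timestamp).
CHECKINS = [
    ("ws-finance-01", "10.20.4.17", "2021-03-02T08:15:00Z"),
    ("orion-01", "10.20.1.5", "2021-03-02T08:16:10Z"),
    ("dc-01", "10.20.0.10", "2021-03-02T08:16:45Z"),
    ("desktop-7k3q1", "198.51.100.77", "2021-03-02T23:41:32Z"),  # unknown host, external address
    ("dc-01", "192.0.2.9", "2021-03-03T02:05:00Z"),  # known name, unexpected address
]


def in_org_ranges(ip: str, ranges) -> bool:
    """True if ip parses and falls inside one of the expected networks."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False  # unparsable source address is itself worth a look
    return any(addr in net for net in ranges)


def flag_checkins(checkins, known_hosts, org_ranges) -> list:
    """Return one finding per check-in that violates the inventory.

    A finding lists every reason that applied, so an unknown hostname
    arriving from an external address is reported with both.
    """
    findings = []
    for host, ip, ts in checkins:
        reasons = []
        if host.lower() not in known_hosts:
            reasons.append("hostname not in asset inventory")
        if not in_org_ranges(ip, org_ranges):
            # Enrichment point: a GeoIP lookup on ip would go here.
            reasons.append("source address outside organization ranges")
        if reasons:
            findings.append({"host": host, "ip": ip, "time": ts, "reasons": reasons})
    return findings


def checkin_demo() -> list:
    """Run the check over the constructed records."""
    return flag_checkins(CHECKINS, KNOWN_HOSTS, ORG_RANGES)


if __name__ == "__main__":
    for finding in checkin_demo():
        print(f"{finding['time']} {finding['host']} {finding['ip']}: "
              + "; ".join(finding["reasons"]))
```

The second flagged record matters as much as the first: a hostname that exists in the inventory but checks in from an address the organization never uses can indicate that an agent (or a copy of its identity) is running somewhere it should not be.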

GuidePoint's Riley says Supernova's use of a Web shell rings of a Chinese nation-state operation. He says it reminds him of the way the so-called Shellcrew (aka Deep Panda) APT group operates, but he didn't have firsthand knowledge of the attackers nor was he focused on attribution in his analysis.

"The only similarities I saw with other attack groups I've seen or dealt with is more from the approach," Riley notes. Shellcrew, for instance, "is really adept at" planting malicious code along the call path of large Web applications, he says.

Charity Wright, a cyber-threat intelligence analyst at Recorded Future who specializes in China, says she and her team were suspicious when China basically "sat out" election-meddling operations during the 2020 US presidential campaign; the researchers figured Chinese nation-state hacking teams "were preparing something big." It turns out they were, she says, pointing to the recently revealed widespread Microsoft Exchange Server zero-day attacks as well as Supernova, although Wright says Recorded Future could not directly confirm Supernova came from China.

Secureworks so far is the only team to publicly name China in the attacks. "While we can't independently verify the activity witnessed by Secureworks in their engagements, this would not be the first time an attacker missteps and inadvertently tips their hand," says J.A. Guerrero-Saade, principal threat researcher at SentinelOne, of the discovery by Secureworks. "Regardless, attribution based entirely on cyber indicators is notoriously fungible and should be handled with caution."

A Spiral Comeback?
Nation-states are known to leave monitoring tools in place for re-entry, Secureworks' McLellan says, or to regroup and return with a different exploit if they get discovered. "We imagine this group may reappear. They've been around since 2018; we expect them to come back with some other way of gaining access."

Kelly Jackson Higgins is the Executive Editor of Dark Reading.

Reader comment (4/7/2021, 7:53:58 PM)
The Enemy of My Enemy is My Friend
I believe the attacks could very well have been initiated by both Russia and China at the same time. And I also believe the primary target for SolarWinds was the US Treasury. I think the rest was collateral damage, possibly with the exception of FireEye.

Russia has decided that they cannot compete with the United States on their own so they look to China as an ally. China does not see Russia as a threat so why not work with Russia to attack America any way they can?

Russia and China have figured out that they can do more damage to the United States economy with fewer repercussions through cyberwarfare than they can by firing missiles or dropping bombs. Just look at the recent incident where a ship got stuck in the Suez Canal. It backed up hundreds of ships, costing billions of dollars a day in maritime commerce. I have no evidence that this was caused by a cyber event, but think how much easier it is to hack a container ship's navigation system than to hack the Pentagon, for instance. But the damage done and the cost associated will impact the United States to some degree.

China is playing the long game and Xi Jinping has to consider what implications its actions may have as far as their relationship with the rest of the world. Putin just wants to go back to the good old days where the Soviet Union was truly a world power. People forget that Russia's economy is about the same size as France. The only reason they have leverage is due to the number of nuclear weapons they possess.