7 Things We Know So Far About the SolarWinds Attacks
Two months after the news first broke, many questions remain about the sophisticated cyber-espionage campaign.
February 11, 2021
Nearly two months after news surfaced about software updates from SolarWinds being used to distribute a backdoor Trojan called Sunburst/Solorigate to some 18,000 organizations worldwide, troubling questions remain about the scope and impact of the breach.
The campaign, which the US government and others have described as a highly sophisticated espionage operation by a Russia-backed group, has raised broad fears of sensitive data being stolen from several US government agencies and large companies.
In addition, there are considerable fears that the attackers may have gained deep, persistent, and almost undetectable access on networks belonging to numerous organizations in sectors including manufacturing, industrial, construction, and logistics. Some believe it will take months for victims to ensure they have truly eradicated the threat from their networks.
The incident has resurfaced old concerns over supply chain vulnerabilities and some new ones over the ability of even the best security tools and controls to detect highly targeted attacks. The fact that some of the campaign's victims include top technology firms such as Microsoft and security vendors like FireEye has not helped.
On Tuesday, concerns over the breach prompted members of the US Senate Intelligence Committee to send a letter to leaders of the intelligence community asking for a more coordinated response at the federal level. The letter, signed by Sens. Mark Warner (D-Va.) and Marco Rubio (R-Fla.), expressed concern over the "disjointed and disorganized" US response to the incident so far and called for the appointment of a "clear leader" to head the effort going forward.
"The threat our country still faces from this incident needs clear leadership to develop and guide a unified strategy for recovery," the two lawmakers wrote, noting the fact that numerous federal agencies and thousands of private-sector entities had been impacted.
Here is a recap of what is known — and unknown — about the campaign to date.
The SolarWinds compromise involved attackers gaining access to the company's software development environment and inserting malicious code into builds for versions 2019.4 HF 5, 2020.2 (unpatched), and 2020.2 HF 1 of the company's Orion network management platform. (SolarWinds has published a list of all affected products.) The tainted builds were digitally signed and automatically pushed out to about 18,000 customers over a period of several months last year. Only a relatively small number of those organizations are believed to have been actually targeted for subsequent attacks.
The manner in which the threat actors gained initial access to SolarWinds' build system environment remains unclear. A SolarWinds update on Feb. 3 described the company as still "exploring several potential theories" about how the threat actors broke in. According to SolarWinds, current evidence suggests that the most likely attack vector was a credential compromise and/or access through a then-zero-day vulnerability in a third-party app.
SolarWinds has also confirmed that an email account belonging to one of its employees was compromised and used to "programmatically access" accounts belonging to other targeted individuals. The attackers used the credentials to eventually gain access to SolarWinds' Orion development environment. The company says its data shows the attackers were in its network conducting reconnaissance for an unknown period of time before they began conducting trial runs of injecting malware into SolarWinds' build system in October 2019.
For the most part, SolarWinds has been at the center of attention since news broke of the company's software updates being used to distribute the Sunburst backdoor to systems worldwide. The reality, however, is that the company's software was only one of the attack vectors that the adversaries used to deliver their payload.
The Department of Homeland Security's Cybersecurity and Infrastructure Security Agency (CISA) and others have warned of multiple other initial infection vectors being used in the campaign. These include password-guessing and password-spraying attacks to get access on targeted systems and acquiring improperly secured admin credentials via externally exposed remote access services.
Malwarebytes is one example. In January the security vendor disclosed that the same APT group behind the SolarWinds attack had gained access to a limited number of its internal company emails. However, in this case the compromise did not result from a poisoned SolarWinds Orion update. Rather, the attackers exploited "a dormant email protection product" with privileged access within the company's Office 365 environment to gain access to the emails.
The attackers have also been observed using multifactor authentication bypass techniques to access cloud-hosted apps. According to CISA, it is likely the threat group has also used other vectors that have not been discovered yet.
The threat actors behind the SolarWinds campaign used a variety of malware tools as part of the attack chain. Here are the main ones:
- Sunspot: Malware used by the adversaries to insert the Sunburst/Solorigate backdoor into builds of SolarWinds' Orion network management product.
- Sunburst/Solorigate: The poisoned Dynamic Link Library (DLL) that was distributed to thousands of organizations as part of legitimate updates of SolarWinds' Orion network management software between March and June 2020.
- Teardrop: A second-stage, memory-only payload dropped by the Sunburst/Solorigate backdoor on targeted systems. The attackers used Teardrop to deploy the Cobalt Strike attack kit in environments of interest to them.
- Raindrop: A dropper associated with the SolarWinds attack chain that Symantec detected. Like Teardrop, it was used to deploy Cobalt Strike in selected environments, but unlike Teardrop it was not deployed through the Sunburst backdoor. According to Symantec, the malware was observed on networks where at least one computer had already been compromised by Sunburst.
Security researchers discovered another very sophisticated backdoor, called "Supernova," in SolarWinds' Orion platform while investigating the recently disclosed breach. The backdoor, in the form of a malicious DLL file, gave attackers a way to carry out a wide range of malicious activities but was designed to stay completely hidden until activated. Researchers believe the Supernova web shell was deployed by someone other than the group behind the broader SolarWinds compromise. Multiple vendors have referred to the malware as being the work of a highly skilled advanced persistent threat (APT) group.
The actual number of organizations that were specifically targeted for attack remains unknown. SolarWinds itself has said some 18,000 organizations worldwide received the tainted Orion platform updates. But security vendors and others that have analyzed the attack have said the actual number of organizations that the adversaries were interested in for subsequent attack and exploitation is far less. Microsoft, for instance, said it found evidence that only about 40 of its customers that had downloaded the poisoned Orion updates were compromised through additional and more sophisticated measures.
According to lists compiled by TruSec, Prevasio, Netresec, and others, organizations that may have downloaded the poisoned SolarWinds Orion updates include Cisco, Deloitte, Intel, Nvidia, Belkin, Hasbro, Qualys, Microsoft, FireEye, Malwarebytes, Palo Alto Networks, and Cox Communications. In addition, several government agencies were impacted, including the departments of Commerce, Energy, Defense, Justice, and Homeland Security. According to the FBI, CISA, and others, fewer than 10 agencies have experienced follow-up threat activity after the initial backdoor was deployed.
FireEye disclosed that the attack resulted in its red team tools being stolen. It's unclear how many others who downloaded the Orion updates experienced similar data theft and other consequences.
An analysis by Kaspersky of some 2,000 domains impacted by the Sunburst backdoor found that industrial organizations accounted for 32.4% of the victims, followed by manufacturing (18.11%), utilities (3.24%), construction (3.03%), and transportation and logistics (2.97%).
Some US officials, security researchers, and agencies like the FBI, CISA, and the Office of the Director of National Intelligence (ODNI) have described the threat actor as likely being Russian in origin. Some have even gone so far as to attribute the attack to Cozy Bear (APT29), an APT group that for some time has been associated with Russia's military intelligence apparatus.
However, FireEye, Microsoft, and several other organizations that have analyzed the attacks say that so far they have not been able to attribute it to any specific previously known group or country. FireEye is publicly, at least, tracking the threat actor as an unknown player it is calling "UNC2452." CrowdStrike is tracking the intrusion under what it calls the "StellarParticle" activity cluster.
Volexity, meanwhile, has noted that the tactics, techniques, and procedures the attackers employed in the SolarWinds campaign are similar to those employed by a group called "Dark Halo," which the security vendor has been tracking for some time.
But one point everyone has agreed on, based on the sheer audacity of the campaign and the considerable opsec with which it was carried out, is that the threat actor is almost certainly sponsored or backed by a nation-state.
One of the hallmarks of the SolarWinds campaign was the considerable lengths the attackers went to in order to maintain operational security, from the initial break-in at SolarWinds through command-and-control communications, second-stage payload deployment, and data extraction. Among the many tactics companies like Microsoft, Symantec, CrowdStrike, and SolarWinds have identified are:
- Multiple safeguards in the initial Sunspot malware to prevent SolarWinds Orion builds from failing and thus tipping off defenders to malicious activity. One example was a function for discreetly stopping the malware from running under certain circumstances rather than killing the processes entirely.
- An automated two-week period of dormancy after the backdoor was initially deployed on a host system.
- Functions in the Sunburst code for disabling security software and for avoiding execution, and thus the risk of detection, on systems not of interest to the attacker. The malware was designed to avoid running on systems with security products from specific vendors, including CrowdStrike, CyberArk, Panda, Kaspersky, Dell Secureworks, and Cybereason.
- Code in Sunburst/Solorigate for completely separating SolarWinds' processes from the second-stage Cobalt Strike loader's execution, so that the poisoned SolarWinds binary would remain undetected even if the Cobalt Strike kit was detected.
- Code for checking systems for specific running processes, driver file names, and process and service name pairs, and for discontinuing further malicious activity if a match is found.
- Disabling or modifying audit logs and time stamps.
- Hiding stolen data in DNS traffic and making malicious activity look like legitimate Orion platform communication protocols.
- Monitoring disk space and disk activity before executing or creating files.
- Using spoofed file names and activities to mimic legitimate apps and files.
- Using different file names, custom second-stage payloads, and other tactics across victims to make indicator-based detection harder for organizations.
- Using IP addresses within the same country for command-and-control communication.
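The "stolen data hidden in DNS traffic" tactic above leaves a statistical footprint defenders can hunt for. The following is an added example, not code from the article or any vendor: it profiles a constructed DNS query log by parent domain and flags parents whose leftmost labels are numerous, long and high-entropy, the pattern encoded data produces. The domain "c2-parent.example" and all thresholds are assumptions.

```python
import math
from collections import defaultdict

# Constructed DNS query log as (client, queried name); not data from the article.
# "c2-parent.example" is a placeholder parent domain; its leftmost labels are
# rotations of a 32-character alphabet, standing in for encoded data chunks.
_ALPHABET = "abcdefghijklmnopqrstuvwxyz012345"
DNS_LOG = [
    ("10.0.0.5", "www.vendor.example"),
    ("10.0.0.6", "updates.vendor.example"),
    ("10.0.0.5", "mail.corp.example"),
    ("10.0.0.7", "www.vendor.example"),
] + [("10.0.0.9", _ALPHABET[i:] + _ALPHABET[:i] + ".c2-parent.example") for i in range(6)]

def shannon_entropy(s):
    """Bits per character: 0.0 for a repeated char, 5.0 for 32 distinct chars."""
    if not s:
        return 0.0
    probs = [s.count(c) / len(s) for c in set(s)]
    return -sum(p * math.log2(p) for p in probs)

def unique_labels_by_parent(log):
    """Group queries by parent domain (last two labels), keeping unique leftmost labels."""
    groups = defaultdict(set)
    for _client, name in log:
        labels = name.rstrip(".").split(".")
        if len(labels) > 2:                      # a bare parent domain carries no payload
            groups[".".join(labels[-2:])].add(labels[0])
    return groups

def suspicious_parents(log, min_unique=5, min_len=20, min_entropy=3.5):
    """Parent domains whose leftmost labels are numerous, long and high-entropy:
    a pattern consistent with data being encoded into DNS queries."""
    flagged = []
    for parent, labels in unique_labels_by_parent(log).items():
        if len(labels) < min_unique:
            continue
        avg_len = sum(len(l) for l in labels) / len(labels)
        avg_entropy = sum(shannon_entropy(l) for l in labels) / len(labels)
        if avg_len >= min_len and avg_entropy >= min_entropy:
            flagged.append(parent)
    return sorted(flagged)

if __name__ == "__main__":
    print(suspicious_parents(DNS_LOG))  # ['c2-parent.example']
```

The thresholds are starting points only and should be tuned against a baseline of the environment's own resolver logs, since CDNs and some legitimate services also generate long, random-looking labels.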
The Sunburst campaign marked the first known instance of adversaries using a technique dubbed "Golden SAML" to gain and maintain highly persistent access to an organization's entire Active Directory Federation Services (ADFS) environment.
The tactic, first described by CyberArk in 2017, involves attackers gaining privileged access to an organization's ADFS server and using it to forge identities across the enterprise. The security vendor has described the technique as allowing attackers to access any application and service that uses SAML 2.0 for single sign-on (SSO). Using the technique, the attackers were able to completely bypass whatever multifactor authentication controls the victim organization might have implemented and access any app in the context of any user across the organization.
"The implication of stealing the Token Signing Cert (TSC) is that once the certificate has been acquired, the actor can forge SAML tokens with whatever claims and lifetime they choose, then sign it with the certificate that has been acquired," Microsoft warned.
Detecting and hunting Golden SAML can be complex, according to security vendors. Sygnia has described four methods organizations can use to detect such attacks and make them harder for attackers to pull off.
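Because a forged token is signed with the genuine stolen certificate, it cannot be caught by signature validation alone; it can be caught by what it lacks (a matching ADFS issuance event) and by what the attacker chose (an unusual lifetime). The following is an added example, not code from the article, Sygnia or Microsoft: it audits constructed relying-party SAML assertions against constructed ADFS token-issuance events. The thumbprint, lifetime policy, correlation window and all users are assumptions.

```python
from datetime import datetime, timedelta

# Constructed sample data for illustration (not from the article or any vendor).
EXPECTED_TSC_THUMBPRINT = "AA11BB22"       # hypothetical current ADFS token-signing cert
MAX_TOKEN_LIFETIME = timedelta(hours=1)    # hypothetical policy for assertion validity
CORRELATION_WINDOW = timedelta(minutes=5)  # how close an ADFS event must be to the token

# Token-issuance events recorded on the ADFS server for genuine logons.
ADFS_ISSUANCE_EVENTS = [
    {"user": "alice@corp.example", "time": datetime(2021, 1, 5, 9, 0, 0)},
    {"user": "bob@corp.example",   "time": datetime(2021, 1, 5, 9, 30, 0)},
]

# SAML assertions as accepted by a relying party (cloud app) over the same day.
SP_SAML_ASSERTIONS = [
    {"id": "a1", "user": "alice@corp.example", "thumbprint": "AA11BB22",
     "issued": datetime(2021, 1, 5, 9, 0, 2), "not_on_or_after": datetime(2021, 1, 5, 10, 0, 2)},
    {"id": "a2", "user": "bob@corp.example", "thumbprint": "AA11BB22",    # one-year lifetime
     "issued": datetime(2021, 1, 5, 9, 30, 1), "not_on_or_after": datetime(2022, 1, 5, 9, 30, 1)},
    {"id": "a3", "user": "carol@corp.example", "thumbprint": "AA11BB22",  # ADFS never saw this logon
     "issued": datetime(2021, 1, 5, 11, 0, 0), "not_on_or_after": datetime(2021, 1, 5, 12, 0, 0)},
    {"id": "a4", "user": "alice@corp.example", "thumbprint": "DEADBEEF",  # signed by an unknown cert
     "issued": datetime(2021, 1, 5, 9, 0, 3), "not_on_or_after": datetime(2021, 1, 5, 10, 0, 3)},
]

def has_adfs_issuance(assertion, events, window=CORRELATION_WINDOW):
    """A genuine token has a matching ADFS issuance event close to its issue time."""
    return any(e["user"] == assertion["user"]
               and abs(e["time"] - assertion["issued"]) <= window for e in events)

def audit_assertion(assertion, events, expected_thumbprint=EXPECTED_TSC_THUMBPRINT,
                    max_lifetime=MAX_TOKEN_LIFETIME):
    """Return the list of findings for one assertion (an empty list means clean)."""
    findings = []
    # A token forged with the *stolen* genuine cert passes this check, which is
    # why the lifetime and correlation checks below are needed as well.
    if assertion["thumbprint"] != expected_thumbprint:
        findings.append("unexpected-signing-cert")
    if assertion["not_on_or_after"] - assertion["issued"] > max_lifetime:
        findings.append("excessive-lifetime")
    if not has_adfs_issuance(assertion, events):
        findings.append("no-adfs-issuance-event")
    return findings

def audit_all(assertions, events):
    """Map assertion id -> findings, keeping only assertions with at least one finding."""
    results = {a["id"]: audit_assertion(a, events) for a in assertions}
    return {aid: f for aid, f in results.items() if f}

if __name__ == "__main__":
    for aid, findings in audit_all(SP_SAML_ASSERTIONS, ADFS_ISSUANCE_EVENTS).items():
        print(aid, findings)
```

In practice the two inputs come from the ADFS server's security log and the cloud provider's sign-in log, so the correlation only works if both are retained and clocks are synchronized.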