SolarWinds hack analysis reveals 56% boost in command server footprint

Researchers say newly identified targets are likely.
Written by Charlie Osborne, Contributing Writer

A new analysis of the SolarWinds breach suggests that the attacker infrastructure behind the campaign is far larger than first believed. 

The catastrophic SolarWinds security incident involved the compromise of the vendor's network and later the deployment of malicious SolarWinds Orion updates to clients that contained a backdoor called Sunburst. 

Sunspot, which CrowdStrike disclosed in January, ran on the SolarWinds build server, watched for Orion builds and injected the Sunburst backdoor's source code into them; it is thought to be one of the preliminary tools used to pull off the attack.

In total, an estimated 18,000 customers received the malicious update; a far smaller set of high-value targets, including Microsoft, FireEye and several US federal agencies, was then selected for hands-on follow-up intrusion during 2020.

The White House, together with the UK government, has attributed the intrusion to Russia's foreign intelligence service, the SVR, whose state-backed operators are tracked as APT29/Cozy Bear (FireEye tracks the campaign itself as UNC2452). 

On Thursday, RiskIQ researchers published a report on the network infrastructure footprint of SolarWinds-linked cyberattackers, labeling it as "significantly larger than previously identified."

According to the cybersecurity company, the Sunburst/Solorigate backdoor was designed to "identify, avoid, or disable different security products": in its first stage it checked the compromised host for processes, services and drivers belonging to FireEye, CrowdStrike, Microsoft, ESET and F-Secure, and either held off or attempted to disable them before proceeding. 
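The first-stage check described above did not carry the vendor names in plain text; Sunburst compared hashed names of running processes, services and drivers against hard-coded hash values, which is why the list had to be recovered by analysts. The following is an added example, not Sunburst's code or RiskIQ's: it implements the same idea with standard 64-bit FNV-1a, and the XOR key and the process names in it are placeholders chosen for the example rather than values taken from the malware. It shows both sides, the malware's opaque check and the analyst's wordlist brute force that turns the hashes back into names.

```python
"""Hashed process-name blocklist, malware side and analyst side.

Added example, not Sunburst code. The hash is standard 64-bit FNV-1a; the
XOR key and the process names are placeholders for illustration only.
"""
from __future__ import annotations

FNV64_OFFSET = 0xCBF29CE484222325
FNV64_PRIME = 0x100000001B3
MASK64 = (1 << 64) - 1
XOR_KEY = 0x1234ABCD5678EF00  # placeholder key, not the malware's constant


def fnv1a64(data: bytes) -> int:
    """Standard 64-bit FNV-1a over a byte string."""
    h = FNV64_OFFSET
    for b in data:
        h = ((h ^ b) * FNV64_PRIME) & MASK64
    return h


def name_hash(name: str) -> int:
    """Malware-side transform: lower-case the name, hash it, then XOR with a
    key so the stored values do not match public FNV-1a lookup tables."""
    return fnv1a64(name.lower().encode()) ^ XOR_KEY


# What an analyst sees in the binary: opaque 64-bit values, no names.
# (Constructed list; these are example process names, not the real list.)
BLOCKLIST = {name_hash(n) for n in ["MsMpEng.exe", "csfalconservice.exe", "xagt.exe"]}


def should_abort(running: list[str]) -> bool:
    """Malware-side check: decline to proceed if any running process hashes
    to a blocklisted value. Case differences do not matter."""
    return any(name_hash(p) in BLOCKLIST for p in running)


def recover_names(hashes: set[int], wordlist: list[str]) -> dict[int, str]:
    """Analyst-side: brute-force the opaque hashes against a wordlist of
    security-product binary names to learn what the sample checks for."""
    found: dict[int, str] = {}
    for word in wordlist:
        h = name_hash(word)
        if h in hashes:
            found[h] = word
    return found


if __name__ == "__main__":
    print("abort:", should_abort(["explorer.exe", "MsMpEng.exe"]))
    print(recover_names(BLOCKLIST, ["explorer.exe", "svchost.exe", "xagt.exe", "MsMpEng.exe"]))
```

The brute force only works once the hash function and key are known, which is the reverse-engineering step; after that a few hundred candidate names are enough to recover a complete blocklist, and the recovered names tell defenders exactly which products the sample was built to evade.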

"For months, the Russians successfully compromised or blinded the very security companies and government agencies most likely to pursue them," RiskIQ says. 

The second and third stages used custom memory-only droppers, Teardrop and Raindrop, to load Cobalt Strike Beacon, followed by additional malware. The persistence implants tied to these stages are GoldMax (the same implant FireEye calls Sunshuttle), GoldFinder and Sibot. 

Now, RiskIQ's Team Atlas has identified an additional 18 servers linked to the SolarWinds espionage campaign, a number the firm says represents a "56% increase in the size of the adversary's known command-and-control footprint."

The new C2s were found by mapping the second stage of deployment: servers running Cobalt Strike with modified, non-default beacon configurations. That beacon pattern on its own is not rare, and matched more than 3,000 hosts in internet-scan data, so the team correlated those hits with the SSL/TLS certificate patterns already recorded as in use by the SolarWinds actors. 

"[This] became highly unique when correlated with the SSL patterns," RiskIQ says. "The result was the identification of a significant number of additional malicious servers."
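The pivot RiskIQ describes is two weak indicators intersected into a strong one: a beacon fingerprint that matches thousands of hosts, and a certificate pattern that also matches unrelated hosts, but very few hosts match both. The following is an added example of that correlation, not RiskIQ's tooling; the scan records, the beacon attributes (watermark, sleep, jitter) and the certificate fields are all constructed, and the "known attacker" profile is a placeholder rather than the real SolarWinds pattern.

```python
"""Intersect a Cobalt Strike beacon fingerprint with a TLS certificate
pattern to narrow scan hits to likely C2 servers.

Added example, not RiskIQ's code. All records and patterns are constructed.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class ScanRecord:
    """One internet-scan hit: the beacon configuration a Cobalt Strike
    listener exposed and the TLS certificate the host presented."""
    ip: str
    beacon_watermark: int     # watermark value in the parsed beacon config
    beacon_sleep_ms: int      # configured sleep interval
    beacon_jitter_pct: int    # configured jitter
    cert_issuer_cn: str       # TLS certificate issuer CN
    cert_subject_cn: str      # TLS certificate subject CN
    cert_serial: str


# Constructed scan data. Several hosts match the beacon profile (in the real
# data, more than 3,000 did); only some of those also match the cert pattern.
SCAN = [
    ScanRecord("198.51.100.10", 0, 30000, 25, "Let's Encrypt", "cdn-update.example", "01"),
    ScanRecord("198.51.100.11", 0, 30000, 25, "localhost", "localhost", "02"),
    ScanRecord("198.51.100.12", 305419896, 60000, 0, "Let's Encrypt", "files.example", "03"),
    ScanRecord("203.0.113.5", 0, 30000, 25, "localhost", "localhost", "04"),
    ScanRecord("203.0.113.6", 0, 45000, 25, "localhost", "localhost", "05"),
]

# Placeholder attacker profile: one beacon watermark/sleep/jitter combination.
BEACON_PROFILE = {"watermark": 0, "sleep_ms": 30000, "jitter_pct": 25}


def matches_beacon(rec: ScanRecord) -> bool:
    """Weak indicator 1: the modified beacon configuration."""
    return (rec.beacon_watermark == BEACON_PROFILE["watermark"]
            and rec.beacon_sleep_ms == BEACON_PROFILE["sleep_ms"]
            and rec.beacon_jitter_pct == BEACON_PROFILE["jitter_pct"])


def matches_cert(rec: ScanRecord) -> bool:
    """Weak indicator 2: a self-signed certificate with identical, generic
    issuer and subject CNs (placeholder pattern)."""
    return rec.cert_issuer_cn == rec.cert_subject_cn == "localhost"


def count_matches(records, rule) -> int:
    return sum(1 for r in records if rule(r))


def pivot(records, beacon_rule, cert_rule):
    """Return (beacon_hits, correlated_ips): every host matching the beacon
    rule, and the sorted subset that also matches the certificate rule."""
    beacon_hits = [r for r in records if beacon_rule(r)]
    correlated = sorted(r.ip for r in beacon_hits if cert_rule(r))
    return beacon_hits, correlated


if __name__ == "__main__":
    hits, c2s = pivot(SCAN, matches_beacon, matches_cert)
    print(f"beacon-only: {len(hits)}, cert-only: {count_matches(SCAN, matches_cert)}, "
          f"both: {len(c2s)} -> {c2s}")
```

Each rule alone is too noisy to act on; the point of the pivot is that the intersection is small enough to review by hand, and each newly confirmed server then yields fresh certificate and beacon values to feed back into the same loop.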

RiskIQ added that the findings will "likely lead to newly identified targets." US-CERT was made aware of RiskIQ's findings prior to public disclosure. 

Last month, Swiss cybersecurity firm Prodaft published a report on SilverFish, a sophisticated threat group it believes is responsible for intrusions at more than 4,700 organizations, including Fortune 500 companies. 

Prodaft connected SilverFish to the SolarWinds attacks as "one of many" APT groups exploiting the compromise. The group's infrastructure also shows potential links to campaigns involving TrickBot and WastedLocker.
