The investigation into the SolarWinds supply-chain attack continues apace. In this follow-up to our previous blog, published in the immediate aftermath of the attack, we cover the major discoveries made since then about what is quickly becoming one of the costliest cyberattacks in history, both monetarily and in terms of intelligence lost.
The current state of play
In January, the Office of the Director of National Intelligence (ODNI) stated that the elaborate and sophisticated supply-chain attack against SolarWinds and several US federal agencies was “likely Russian in origin”. In the same joint statement, the ODNI, FBI, NSA and CISA said they believe the threat actor’s goal was intelligence collection rather than disruption or destruction.
FireEye CEO Kevin Mandia told media that while over 18,000 SolarWinds customers reportedly downloaded the Trojanised Orion update, only around 50 were “genuinely impacted” by UNC2452’s follow-on activity. FireEye itself discovered it had been compromised when the attackers, using stolen credentials, registered a new device to the company’s multi-factor authentication (MFA) system, which triggered an alert to the employee whose account had been used.
The Cybersecurity and Infrastructure Security Agency (CISA) has published several advisories to help organisations detect and respond to successful UNC2452 intrusions. Notably, CISA reports that UNC2452 did not rely solely on the Orion backdoor: it also used password guessing, password spraying and poorly secured administrator credentials that were reachable via external remote-access services to breach its targets. These TTPs, although refined, are in line with those of other Russian state-affiliated groups such as Fancy Bear (also known as APT28 or Pawn Storm). [3, 4]
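Password spraying is the one TTP in CISA’s list that a defender can hunt for in ordinary authentication logs: one source tries a handful of passwords against many accounts, so the signature is many distinct usernames failing from a single source in a short window (the inverse of brute force, where one account fails many times). The detector below is an added example written for this blog, not tooling from CISA or any of the vendors named here. The log format and the sample lines are constructed for the example; the sliding-window logic is the general one and would be the same over Azure AD sign-in logs, VPN logs or Windows 4625 events once parsed into the same fields.

```python
"""Password-spray detection over authentication log lines (added example)."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines, not from any real environment. Assumed format:
#   <ISO-8601 UTC timestamp> src=<ip> user=<name> result=<SUCCESS|FAIL>
SAMPLE_LOG = """\
2021-01-12T09:00:01Z src=203.0.113.7 user=alice result=FAIL
2021-01-12T09:00:04Z src=203.0.113.7 user=bob result=FAIL
2021-01-12T09:00:08Z src=203.0.113.7 user=carol result=FAIL
2021-01-12T09:00:11Z src=203.0.113.7 user=dave result=FAIL
2021-01-12T09:00:15Z src=203.0.113.7 user=erin result=FAIL
2021-01-12T09:00:19Z src=203.0.113.7 user=frank result=FAIL
2021-01-12T09:00:25Z src=203.0.113.7 user=grace result=SUCCESS
2021-01-12T09:01:00Z src=198.51.100.5 user=alice result=FAIL
2021-01-12T09:01:30Z src=198.51.100.5 user=alice result=FAIL
2021-01-12T09:02:00Z src=198.51.100.5 user=alice result=SUCCESS
2021-01-12T11:30:00Z src=192.0.2.9 user=bob result=FAIL
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>\S+) user=(?P<user>\S+) result=(?P<result>SUCCESS|FAIL)$"
)


def parse_log(text: str) -> list:
    """Parse log lines into event dicts; malformed lines are skipped, not fatal."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        event = m.groupdict()
        event["ts"] = datetime.strptime(event["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append(event)
    return events


def detect_sprays(events: list, window: timedelta = timedelta(minutes=10), min_users: int = 5) -> dict:
    """Flag sources that fail logins for >= min_users distinct accounts inside `window`.

    For each source a two-pointer sliding window runs over its failures in time
    order, tracking how many distinct users fall inside the window. The widest
    set seen is kept. A successful login from the same source after the spray
    began is reported too: that is the account the spray most likely guessed,
    even if it never appeared among the failures (correct password first try).
    """
    by_src = defaultdict(list)
    for e in events:
        by_src[e["src"]].append(e)

    alerts = {}
    for src, evs in by_src.items():
        evs.sort(key=lambda e: e["ts"])
        fails = [e for e in evs if e["result"] == "FAIL"]
        in_window = defaultdict(int)  # user -> failures currently inside the window
        best = None                   # (users, window start, window end)
        left = 0
        for right, e in enumerate(fails):
            in_window[e["user"]] += 1
            while e["ts"] - fails[left]["ts"] > window:
                old = fails[left]["user"]
                in_window[old] -= 1
                if in_window[old] == 0:
                    del in_window[old]
                left += 1
            if best is None or len(in_window) > len(best[0]):
                best = (set(in_window), fails[left]["ts"], e["ts"])
        if best and len(best[0]) >= min_users:
            users, start, end = best
            successes = sorted({e["user"] for e in evs
                                if e["result"] == "SUCCESS" and e["ts"] >= start})
            alerts[src] = {"users": sorted(users), "start": start, "end": end,
                           "successes_after": successes}
    return alerts


if __name__ == "__main__":
    for src, alert in detect_sprays(parse_log(SAMPLE_LOG)).items():
        print(f"spray from {src}: {len(alert['users'])} accounts between "
              f"{alert['start']:%H:%M:%S} and {alert['end']:%H:%M:%S}; "
              f"successful logins afterwards: {alert['successes_after']}")
```

Two caveats when running this against real data: spraying groups routinely rotate source addresses through proxy pools, so group by ASN, user agent or client application as well as by IP before applying the threshold; and the 198.51.100.5 entry above (one user, two failures, then success) is exactly what a forgetful employee looks like, which is why the detector counts distinct users rather than total failures.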
Findings published by SolarWinds on its Orange Matter blog show that the intrusion into SolarWinds’ own environment began in September 2019, and that the attackers performed a “dry run” in October 2019, when innocuous test code was added to an Orion build and shipped to customers. The build containing SUNBURST followed in March 2020 and was downloaded by over 18,000 SolarWinds customers. The legitimate code was modified on SolarWinds’ build system by a custom implant dubbed SUNSPOT: it monitored running processes for the MsBuild.exe instances compiling Orion, swapped one source file for a copy containing the SUNBURST code for the duration of the compile, and then restored the original, so the checked-in sources never showed the change. [5, 6]
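The swap-then-restore behaviour is what makes SUNSPOT instructive for anyone who runs a build pipeline: a check that hashes the source tree before and after the build sees nothing, because the tree is clean at both moments. What does catch it is rebuilding from the vetted sources on a machine the implant never touched and comparing artifacts. The simulation below is an added example written for this blog; the “implant”, the toy “compiler” and the two-file source tree are stand-ins constructed for the example, not SolarWinds code or the real SUNSPOT, and reproduce only the pattern described above.

```python
"""Simulation of a SUNSPOT-style build-time source swap (added example)."""
import hashlib
import tempfile
from pathlib import Path

# Constructed toy source tree; the file name echoes the one SUNSPOT targeted
# but the contents are invented for this example.
SOURCES = {
    "src/InventoryManager.cs": b"class InventoryManager { void Refresh() { /* legitimate */ } }\n",
    "src/Program.cs": b"class Program { static void Main() { } }\n",
}
BACKDOORED = b"class InventoryManager { void Refresh() { Beacon(); } }\n"


def write_tree(root: Path, sources: dict) -> None:
    for rel, content in sources.items():
        path = root / rel
        path.parent.mkdir(parents=True, exist_ok=True)
        path.write_bytes(content)


def snapshot_sources(root: Path) -> dict:
    """Manifest of relative path -> SHA-256 for every file under root."""
    return {p.relative_to(root).as_posix(): hashlib.sha256(p.read_bytes()).hexdigest()
            for p in sorted(root.rglob("*")) if p.is_file()}


def compile_tree(root: Path) -> str:
    """Stand-in compiler: a deterministic digest over the (path, content hash) of
    every source it reads, representing the artifact a real build would emit."""
    h = hashlib.sha256()
    for rel, digest in snapshot_sources(root).items():
        h.update(rel.encode() + b"\0" + digest.encode() + b"\n")
    return h.hexdigest()


def build_with_implant(root: Path, target: str, backdoored: bytes) -> str:
    """Build while a SUNSPOT-style implant tampers with the inputs: swap the
    target source for a backdoored copy, let the compiler read it, then put
    the original back so the tree looks untouched afterwards."""
    path = root / target
    original = path.read_bytes()
    path.write_bytes(backdoored)
    try:
        return compile_tree(root)
    finally:
        path.write_bytes(original)


def sources_unchanged(root: Path, manifest: dict) -> bool:
    """Naive control: re-hash the tree after the build and compare to the manifest."""
    return snapshot_sources(root) == manifest


def run_demo() -> dict:
    """Run the tampered build and apply both controls to what it produced."""
    with tempfile.TemporaryDirectory() as build_dir, tempfile.TemporaryDirectory() as clean_dir:
        build_root, clean_root = Path(build_dir), Path(clean_dir)
        write_tree(build_root, SOURCES)   # the compromised build server
        write_tree(clean_root, SOURCES)   # independent rebuild from the same vetted sources
        manifest = snapshot_sources(build_root)

        shipped = build_with_implant(build_root, "src/InventoryManager.cs", BACKDOORED)
        reference = compile_tree(clean_root)
        return {
            # True: the before/after source check is blind to the swap.
            "source_check_passed": sources_unchanged(build_root, manifest),
            # False: the artifact the implant produced differs from a clean rebuild.
            "artifact_matches_independent_rebuild": shipped == reference,
            # True: without the implant the same sources rebuild to the same digest.
            "clean_build_reproducible": compile_tree(build_root) == reference,
        }


if __name__ == "__main__":
    for check, outcome in run_demo().items():
        print(f"{check}: {outcome}")
```

The last line of the result is the precondition for the control to work at all: the independent rebuild only detects tampering if the build is reproducible, which is why reproducible builds and two-party rebuild-and-compare are the supply-chain controls this incident pushed into the mainstream.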
Who was affected?
The list of government organisations that are known to have been hit by the SolarWinds supply chain attack includes:
- US Department of the Treasury;
- US National Telecommunications and Information Administration (NTIA);
- US Department of State;
- National Institutes of Health (NIH) (part of the US Department of Health and Human Services);
- US Department of Homeland Security (DHS);
- US Department of Energy (DOE);
- US Department of Justice (DOJ);
- US National Nuclear Security Administration (NNSA);
- Administrative Office (AO) of the US Courts;
- Several US state governments (specific states are undisclosed).
When UNC2452 targeted the Department of Justice’s Microsoft Office 365 email environment it reportedly accessed “around 3%” of its mailboxes. With over 115,000 employees, including members of the FBI, the DEA and the US Marshals Service, that equates to approximately 3,450 breached mailboxes.
Over 40 of Microsoft’s customers were reportedly singled out for follow-on activity in this attack. Their names were not disclosed, but we do know that over 80% of them were US-based and that 44% were in the IT sector, followed by government (18%), think tanks and NGOs (18%), government contractors (9%) and others (11%). A UK national security source told the BBC that “numbers in the UK are small and the organisations are not in the public sector”. [8, 9]
Kaspersky’s ICS CERT has analysed the DNS names generated by SUNBURST’s domain generation algorithm (DGA). Because the DGA encodes the victim’s internal Active Directory domain name into the subdomain it queries, decoding the names seen in passive DNS data yields a list of organisations whose SUNBURST implants called home; the CERT found that roughly one-third of those were industrial organisations. Truesec also published a list of likely second-stage victims, including several industrial organisations, derived from the responses the threat actor’s server returned to those beacons. [10, 11]
Four more cybersecurity firms – Mimecast, Palo Alto Networks, Qualys and Fidelis – have now confirmed that they were affected by the SolarWinds supply-chain attack attributed to UNC2452. All four reported that they had installed the Trojanised Orion update containing the SUNBURST backdoor, in some cases only on isolated lab or test systems. Details of these intrusions remain limited and the organisations are still investigating. This brings the number of security vendors known to have been targeted in this campaign to eight, the others being FireEye, CrowdStrike, Microsoft and Malwarebytes.
RAINDROP is the fourth malware family disclosed in this campaign, alongside SUNSPOT, SUNBURST and TEARDROP. First seen in May 2020, it is a loader much like TEARDROP (both deliver a Cobalt Strike beacon), but where TEARDROP was dropped directly by SUNBURST, RAINDROP appeared on other machines inside already-compromised networks and was used to spread laterally. Notably, RAINDROP was built with a custom packer that encoded the payload and used steganography to evade detection.
Interestingly, researchers at Kaspersky’s Global Research and Analysis Team (GReAT) uncovered a number of overlaps between the SUNBURST backdoor and the Kazuar backdoor, which has been linked to the Russian espionage group Turla. Turla is one of the longest-active Russian adversaries and has been blamed for intrusions as far back as the 1990s, notably Operation Moonlight Maze. The overlaps are specific (the algorithm used to generate victim identifiers, the sleep algorithm and the use of the FNV-1a hash) but subtle, and they do not confirm that UNC2452 and Turla are the same entity; it is just as plausible that both obtained the code from a common source, or that one group borrowed from the other. The possibility that these links are deliberate false flags should also not be ruled out.
Parallel espionage campaigns
Reuters recently revealed that suspected Chinese state-affiliated threat actors exploited a flaw in SolarWinds software to infiltrate US government computers. Investigators reportedly found that the National Finance Center (NFC), a federal payroll agency within the US Department of Agriculture (USDA), was among those affected. The specific flaw leveraged by these China-backed attackers has not been disclosed. Separately, the wider investigation uncovered an Orion Platform vulnerability tracked as CVE-2020-10148, an authentication bypass in the Orion API that allows unauthenticated remote code execution and that was reportedly used to deploy the SUPERNOVA web shell. Although it has not been confirmed, this could be the same flaw used by the secondary APT group that targeted the NFC. Unlike SUNBURST, SUPERNOVA was not delivered through SolarWinds’ build pipeline; it requires the attacker to reach an exposed Orion server directly.
What’s to come?
SolarWinds’ customer base made it a high-value target for apparently more than one state-sponsored adversary, so it should not come as a surprise that a suspected Chinese APT group targeted US government departments alongside the (probable) Russian state-backed group UNC2452. While UNC2452 penetrated deep into SolarWinds’ build environment and distributed the SUNBURST backdoor through the company’s supply chain, the Chinese group exploited a separate vulnerability in the same software to infiltrate its targets. These parallel espionage campaigns highlight how a widely deployed management product becomes a single point of failure through which many corporations and government agencies can be compromised at once.
Furthermore, supply-chain dependencies are a security challenge for organisations of every size. This campaign showed that an entity must be concerned not only about its direct partners but also about its partners’ partners: several Microsoft Office 365 resellers were compromised, and their clients were in turn affected even though those clients never installed the update containing the SUNBURST backdoor.
This elaborate supply-chain attack further demonstrates how effective it can be for adversaries to reach many organisations through a single vector. UNC2452 went undetected for roughly nine months after the backdoored update shipped, until a small operational misstep (the MFA device registration described above) enabled FireEye to detect the group’s activity. Conclusive attribution has not been made, so the adversary responsible, whether a country or a specific threat actor, has yet to face sanction for carrying out such a serious espionage operation.
There are still many unknowns to this operation, and more details are revealed every day. Further breach disclosures are expected as many organisations are still hunting for signs of compromise. This issue will run for some time yet; the SolarWinds will continue to blow.