On January 20, Microsoft published a report sharing further details of the SolarWinds supply-chain attack, the product of its ongoing investigation. The report was authored jointly by the Microsoft 365 Defender Research Team, the Microsoft Threat Intelligence Center (MSTIC) and the Microsoft Cyber Defense Operations Center (CDOC).
The threat actors behind this supply-chain attack are tracked as StellarParticle (CrowdStrike), UNC2452 (FireEye), SolarStorm (Palo Alto Unit 42) and Dark Halo (Volexity). In the latest report, Microsoft describes how the actors concealed their activity inside the affected organizations' networks.
The SolarWinds attack timeline
Earlier this month, SolarWinds shared an attack timeline. It begins in February, when the Solorigate DLL backdoor was built; the backdoor was then deployed into compromised networks by the end of March. Once it was in place, the threat actors went on to select the victims of interest to them. At the same stage, Cobalt Strike implants were created for those targets, and the hands-on-keyboard attacks are estimated to have started by early May.
According to Microsoft's report, by June the backdoor-generation function and the compromised code had been removed from the SolarWinds binaries. This suggests that by this point the attackers had already reached the high-value targets they were after, so their focus shifted from Stage 1, the deployment and activation of the backdoor, to Stage 2: becoming operational on selected victim networks and carrying out hands-on-keyboard activity through the Cobalt Strike implants.
Evasion techniques employed by the attackers
The threat actors behind the SolarWinds attack used inventive methods to deny the victim organizations the ability to detect their malicious activity, and they followed disciplined operational security (OpSec) practices to avoid detection.
Here are some of the prominent evasion techniques the attackers used during the intrusion.
- Deploying a custom Cobalt Strike DLL implant on each machine, so that no indicator was shared between hosts.
- Renaming their tools and binaries to match files already present on the victim's device, so that they blended in with the system.
- Using AUDITPOL to disable event logging before hands-on-keyboard activity and re-enabling it afterwards.
- Creating firewall rules to restrict outgoing packets for selected protocols before running noisy network enumeration, and removing the rules once the operation was complete.
- Carefully planning lateral movement by first disabling security services on the targeted hosts.
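Each of these tricks leaves a trace in process-creation telemetry, which is where a defender would hunt for them. The script below is an added example, not Microsoft's hunting queries or code from the original report: it turns the listed behaviours into detection rules and runs them over a handful of constructed process-creation events shaped like Sysmon Event ID 1 or Security Event ID 4688 records. The rule labels, the set of security service names and the sample events are assumptions made for the demo.

```python
"""Hunt process-creation events for the OpSec techniques described above.

Added example (not Microsoft's code). Sample telemetry is constructed inline.
"""
import re
from collections import defaultdict
from dataclasses import dataclass
from pathlib import PureWindowsPath


@dataclass(frozen=True)
class ProcEvent:
    """One process-creation record (the fields Sysmon Event ID 1 / Security 4688 provide)."""
    host: str
    image: str           # path of the executable that started
    original_name: str   # OriginalFileName from the PE version resource, as Sysmon reports it
    cmdline: str


# Constructed sample telemetry for the demo; these are not real logs.
SAMPLE_EVENTS = [
    ProcEvent("WS01", r"C:\Windows\System32\auditpol.exe", "AUDITPOL.EXE",
              'auditpol /set /category:"Detailed Tracking" /success:disable /failure:disable'),
    ProcEvent("WS01", r"C:\Windows\System32\netsh.exe", "netsh.exe",
              'netsh advfirewall firewall add rule name="sync" dir=out action=block protocol=tcp remoteport=445'),
    ProcEvent("WS01", r"C:\Windows\System32\sc.exe", "sc.exe", "sc stop WinDefend"),
    # Archiver renamed to look like a system binary: image name and OriginalFileName disagree.
    ProcEvent("WS01", r"C:\Windows\Temp\svchost.exe", "7z.exe",
              r"svchost.exe a C:\Windows\Temp\out.7z C:\Users\admin\Documents"),
    ProcEvent("WS01", r"C:\Windows\System32\auditpol.exe", "AUDITPOL.EXE",
              'auditpol /set /category:"Detailed Tracking" /success:enable /failure:enable'),
    ProcEvent("WS01", r"C:\Windows\System32\netsh.exe", "netsh.exe",
              'netsh advfirewall firewall delete rule name="sync"'),
    ProcEvent("WS02", r"C:\Windows\System32\notepad.exe", "NOTEPAD.EXE", "notepad.exe notes.txt"),
]

# Security-related service names an attacker might stop before lateral movement.
# Illustrative set (assumption); extend with whatever EDR/AV runs in your environment.
SECURITY_SERVICES = {"windefend", "sense", "wdnissvc", "mpssvc", "eventlog"}


def _stem(path: str) -> str:
    """Lower-cased file name without extension, e.g. 'AUDITPOL.EXE' -> 'auditpol'."""
    return PureWindowsPath(path).stem.lower()


def _stops_security_service(e: ProcEvent) -> bool:
    m = re.search(r"\bsc(?:\.exe)?\s+(?:stop|config|delete)\s+(\S+)", e.cmdline, re.I)
    return bool(m) and m.group(1).lower() in SECURITY_SERVICES


def _renamed_binary(e: ProcEvent) -> bool:
    # A renamed tool keeps its compiled-in OriginalFileName while the on-disk name changes.
    return bool(e.original_name) and _stem(e.original_name) != _stem(e.image)


# (technique label, predicate). Labels are hypothetical names chosen for this demo.
RULES = [
    ("AUDITPOL_DISABLE", lambda e: re.search(
        r"\bauditpol\b.*(/clear|/success:disable|/failure:disable)", e.cmdline, re.I)),
    ("AUDITPOL_REENABLE", lambda e: re.search(
        r"\bauditpol\b.*/(success|failure):enable", e.cmdline, re.I)),
    ("FW_OUTBOUND_BLOCK", lambda e: re.search(
        r"advfirewall\s+firewall\s+add\s+rule.*dir=out.*action=block", e.cmdline, re.I)),
    ("FW_RULE_REMOVED", lambda e: re.search(
        r"advfirewall\s+firewall\s+delete\s+rule", e.cmdline, re.I)),
    ("SECURITY_SERVICE_STOP", _stops_security_service),
    ("RENAMED_BINARY", _renamed_binary),
]


def hunt(events):
    """Return (host, technique, cmdline) for every event that trips a rule."""
    findings = []
    for e in events:
        for label, pred in RULES:
            if pred(e):
                findings.append((e.host, label, e.cmdline))
    return findings


def hosts_with_opsec_pattern(findings, min_techniques=2):
    """Hosts on which several distinct techniques co-occur.

    One auditpol or netsh call can be routine administration; audit tampering plus
    an outbound block plus a renamed tool on the same box is the pattern in the report.
    """
    by_host = defaultdict(set)
    for host, label, _ in findings:
        by_host[host].add(label)
    return {h: sorted(t) for h, t in by_host.items() if len(t) >= min_techniques}


if __name__ == "__main__":
    hits = hunt(SAMPLE_EVENTS)
    for host, label, cmd in hits:
        print(f"{host:5} {label:22} {cmd}")
    print("hosts matching the combined pattern:", hosts_with_opsec_pattern(hits))
```

Run with `python hunt_opsec.py` (name assumed). Against the constructed events, every rule fires once on WS01 and nothing fires on WS02, so only WS01 surfaces from `hosts_with_opsec_pattern`. In a real deployment the same predicates map directly onto a SIEM query over the CommandLine, Image and OriginalFileName fields, and the per-host correlation is what keeps the auditpol and netsh rules from drowning in administrator noise.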
Microsoft has released a full list of the unique tactics, techniques and procedures (TTPs) used in this attack. Studying them can go a long way toward preparing for similar incidents in the future.
Although attribution has not been officially confirmed, efforts to identify the actors and protect organizations worldwide from them continue. The latest joint statement by CISA, the NSA, the ODNI and the FBI indicates that the attack is likely the work of a Russian Advanced Persistent Threat (APT) group. Until the full picture emerges, we can only hope that the affected companies recover from their losses as quickly as possible.