It’s known that the hackers behind the SolarWinds supply chain attack were highly-skilled and patient. But now Microsoft’s security researchers have outlined some of the operational security (OpSec) techniques and anti-forensic tricks the hackers displayed, which allowed them to remain undetected for long enough — not just on government agency networks, but in the networks of the US’ top cybersecurity firms.
Microsoft and FireEye only detected the Sunburst or Solorigate malware in December, but Crowdstrike reported this month that another related piece of malware, Sunspot, was deployed in September 2019, at the time hackers breached SolarWinds’ internal network. Other related malware includes Teardrop aka Raindrop.
Sunburst, a component of software called a dynamic link library (DLL), was injected into SolarWinds’s Orion infrastructure monitoring software to create a backdoor on networks that used Orion. Several of its payloads included custom loaders for the Cobalt Strike penetration testing kit. These loaders included Teardrop.
“One missing link in the complex Solorigate attack chain is the handover from the Solorigate DLL backdoor to the Cobalt Strike loader,” Microsoft security researchers said in a new blogpost.
“Our investigations show that the attackers went out of their way to ensure that these two components are separated as much as possible to evade detection.”
Based on SolarWinds’ recent disclosure that the attackers removed the Sunburst backdoor from SolarWinds’ software build environment in June 2020 after being distributed broadly to Orion customers in March 2020, Microsoft reckons the attackers – most likely Russian-backed – started “real hands-on-keyboard activity” as early as May.
Microsoft researchers also estimate that the attackers “spent a month or so in selecting victims and preparing unique Cobalt Strike implants as well as command-and-control (C2) infrastructure.”
While the initial backdoor could have been on over 18,000 government agency and private sector networks, it was the”hands-on-keyboard” activity that led to the breach of valued targets, at which point the focus turned to lateral movement on the intended compromised networks.
Microsoft said it found the attackers put in “painstaking planning of every detail to avoid discovery”.
The attackers also tried to separate the Cobalt Strike loader’s execution from the SolarWinds process “as much as possible” in order to protect the Cobalt Strike implant.
“Their hope is that, even if they lose the Cobalt Strike implant due to detection, the compromised SolarWinds binary and the supply chain attack that preceded it are not exposed,” Microsoft explains.
Some of the OpSec methods used by the attackers included methodically avoiding shared indicators of compromise for each compromised host, and exercising an “extreme level of variance” to avoid setting off alarms.
“Each Cobalt Strike DLL implant was prepared to be unique per machine and avoided at any cost overlap and reuse of folder name, file name, export function names, C2 domain/IP, HTTP requests, timestamp, file metadata, config, and child process launched,” Microsoft explains
The attackers also renamed tools and binaries and put them in folders that looked like files and programs already present on a machine.
They even prepared special firewall rules to minimize outgoing packers for certain protocols and then removed the rules after finishing reconnaissance.