December 9, 2023

The sprawling SolarWinds cyberattack that came to light last December was notable for the breadth of tactics used to infiltrate and persist in the target infrastructure.

New research shows that the threat actor carefully planned each stage of the operation to "avoid creating the type of patterns that make tracking them simple," deliberately making forensic analysis difficult.

By analyzing telemetry data associated with previously published IOCs, the researchers identified, with high confidence, an additional set of 18 servers that likely communicated with the targeted, second-stage Cobalt Strike payloads delivered via the TEARDROP and RAINDROP malware, representing a 56% jump in the attacker's known C2 footprint.

The “hidden patterns” were uncovered through an analysis of the SSL certificates used by the group.

The attacks are being tracked by the cybersecurity community under various monikers, including UNC2452 (FireEye), Nobelium (Microsoft), SolarStorm (Unit 42), StellarParticle (CrowdStrike), and Dark Halo (Volexity), because the adversary's tactics, techniques, and procedures (TTPs) differ from those of known attacker profiles, including APT29.

Microsoft noted how the attackers went to great lengths to keep the initial backdoor (SUNBURST, aka Solorigate) and the post-compromise implants (TEARDROP and RAINDROP) separated as much as possible so as to hinder efforts to spot their malicious activity. This was done so that, if the Cobalt Strike implants were discovered on victim networks, the discovery would not reveal the compromised SolarWinds binary or the supply chain attack that led to its deployment in the first place.

The actor also hosted the first-stage attack infrastructure (SUNBURST) entirely in the U.S., the second-stage infrastructure (TEARDROP and RAINDROP) primarily within the U.S., and the third-stage infrastructure (GOLDMAX, aka SUNSHUTTLE) mainly in foreign countries.

"Identifying a threat actor's attack infrastructure footprint typically involves correlating IPs and domains with known campaigns to detect patterns," the researchers concluded.
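The certificate-driven pivot described above (seed a search with published IOCs, then find other servers tied to them by shared or similarly issued TLS certificates) is sketched below as an added example; it is not code from the article or from the research it summarizes. All hosts use RFC 5737 documentation addresses, and the fingerprints, names, issuer strings and dates are constructed. The "medium" heuristic (same issuer, same CN shape, issued within a short window of a seed certificate) is an assumption chosen to illustrate pattern-based correlation, not the researchers' actual scoring.

```python
"""Infrastructure pivot on TLS certificate attributes.

Starting from a seed set of published IOC hosts, flag other observed
hosts whose certificates tie them to the seed infrastructure.  All
records are constructed for illustration; none are real indicators.
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import date


@dataclass(frozen=True)
class CertObservation:
    host: str          # address the certificate was served from
    sha256: str        # certificate fingerprint (shortened, constructed)
    subject_cn: str
    issuer_cn: str
    not_before: date
    self_signed: bool


# Constructed passive-TLS observations (RFC 5737 addresses, invented values).
OBSERVATIONS = [
    # Two published IOC hosts: the seed set.
    CertObservation("192.0.2.10", "aaaa11", "update.example-cdn.test",
                    "Example CA R3", date(2020, 6, 1), False),
    CertObservation("198.51.100.5", "bbbb22", "api.example-telemetry.test",
                    "Example CA R3", date(2020, 6, 3), False),
    # Same certificate as 192.0.2.10 served from a second address.
    CertObservation("192.0.2.11", "aaaa11", "update.example-cdn.test",
                    "Example CA R3", date(2020, 6, 1), False),
    # Different cert, same issuer and naming shape, issued days later.
    CertObservation("192.0.2.12", "eeee55", "cdn.example-sync.test",
                    "Example CA R3", date(2020, 6, 5), False),
    # Same issuer and shape, but months away: outside the pivot window.
    CertObservation("203.0.113.20", "ffff66", "files.example-host.test",
                    "Example CA R3", date(2020, 11, 20), False),
    # Unrelated commercial certificate.
    CertObservation("203.0.113.7", "cccc33", "www.unrelated-shop.test",
                    "Other Commercial CA", date(2019, 1, 1), False),
    # Default self-signed certificate: far too common to pivot on.
    CertObservation("198.51.100.9", "dddd44", "localhost", "localhost",
                    date(2020, 5, 30), True),
]

PUBLISHED_IOCS = {"192.0.2.10", "198.51.100.5"}


def _shape(cn: str) -> int:
    """Crude naming-convention key: number of DNS labels in the CN."""
    return cn.count(".") + 1


def pivot_on_certificates(observations, seed_hosts, window_days=14):
    """Return {host: confidence} for non-seed hosts linked to the seeds.

    high   = identical certificate fingerprint (shared key material)
    medium = same issuer and CN shape, issued within window_days of a
             seed certificate (heuristic; needs analyst review)
    """
    seed_fps = set()
    seed_issuance = defaultdict(list)   # (issuer, shape) -> [not_before, ...]
    for o in observations:
        if o.host in seed_hosts:
            seed_fps.add(o.sha256)
            if not o.self_signed:
                seed_issuance[(o.issuer_cn, _shape(o.subject_cn))].append(o.not_before)

    candidates = {}
    for o in observations:
        if o.host in seed_hosts:
            continue
        if o.sha256 in seed_fps:
            candidates[o.host] = "high"      # never downgraded below
            continue
        if o.self_signed or candidates.get(o.host) == "high":
            continue
        key = (o.issuer_cn, _shape(o.subject_cn))
        if any(abs((o.not_before - d).days) <= window_days
               for d in seed_issuance.get(key, [])):
            candidates[o.host] = "medium"
    return candidates


def footprint_growth_pct(seed_hosts, candidates) -> int:
    """Percentage growth of the known footprint once candidates are added."""
    return round(100 * len(candidates) / len(seed_hosts))


if __name__ == "__main__":
    found = pivot_on_certificates(OBSERVATIONS, PUBLISHED_IOCS)
    for host, conf in sorted(found.items()):
        print(f"{host:<14} {conf}")
    print(f"known footprint grew by {footprint_growth_pct(PUBLISHED_IOCS, found)}%")
```

The two confidence tiers matter in practice: a shared fingerprint means the same private key is being served from a new address, which is close to proof of common control, whereas issuer-and-timing similarity only narrows the haystack and should go to an analyst before it becomes an IOC. Self-signed default certificates are skipped outright because they collide across unrelated hosts and would flood the result with noise.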
