Microsoft Details OPSEC, Anti-Forensic Techniques Used by SolarWinds Hackers

Microsoft on Wednesday released another report detailing the activities and the methods of the threat actor behind the attack on IT management solutions firm SolarWinds, including their malware delivery methods, anti-forensic behavior, and operational security (OPSEC).

The attackers, who some believe are sponsored by Russia, breached SolarWinds’ systems in 2019 and used a piece of malware named Sundrop to insert a backdoor tracked as Sunburst into the company’s Orion product. Sunburst was delivered to thousands of organizations, but a few hundred victims of interest to the attackers received several other pieces of malware, and many of their systems were compromised using hands-on-keyboard techniques.

In the case of these victims, the hackers used loaders named Teardrop and Raindrop to deliver Cobalt Strike payloads.

In its latest report on the SolarWinds attack, which it tracks as Solorigate, Microsoft explains how the attackers got from the Sunburst malware to the Cobalt Strike loaders, and how they kept the components separated as much as possible to avoid being detected.

“What we found from our hunting exercise across Microsoft 365 Defender data further confirms the high level of skill of the attackers and the painstaking planning of every detail to avoid discovery,” Microsoft said.

The tech giant has highlighted some of the more interesting OPSEC and anti-forensic methods used by the hackers. One technique involved ensuring that each compromised machine had unique indicators, such as different Cobalt Strike DLL implants, folder and file names, C&C domains and IPs, HTTP requests, file metadata, and launched processes.

“Applying this level of permutations for each individual compromised machine is an incredible effort normally not seen with other adversaries and done to prevent full identification of all compromised assets inside a network or effective sharing of threat intel between victims,” Microsoft noted.

The attackers also renamed their tools and placed them into folders to make them look as legitimate as possible. Other actions and activities listed by Microsoft include the following:

  • Before running intensive and continued hands-on keyboard activity, the attackers took care of disabling event logging using AUDITPOL and re-enabling it afterward.
  • In a similar way, before running noisy network enumeration activities (such as repeated NSLOOKUP or LDAP queries), the attackers carefully prepared special firewall rules to minimize outgoing packets for certain protocols. The firewall rules were also methodically removed after the network reconnaissance was completed.
  • Lateral movement activities were never executed without preparation. To increase the likelihood that their activities remain undetected, the attackers first enumerated remote processes and services running on the target host and decided to move laterally only after disabling certain security services.
  • We believe that the attackers used timestomping to change timestamps of artifacts and also leveraged professional wiping procedures and tools to complicate the finding and recovery of DLL implants from affected environments.
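
The first two bullets describe a "change, act, revert" pattern: audit logging is switched off and back on, and temporary firewall rules are added and then deleted. A defender can hunt for that bracketing directly in forwarded Security logs. The following detector is an added example, not code from Microsoft or the article; the JSON log lines are constructed, the two-hour window is an assumption, and the simplified "detail" strings stand in for the real 4719 subcategory/change fields.

```python
# Added example: flag "disable, act, re-enable" bracketing in Windows Security events.
# Event IDs are real: 4719 (system audit policy changed), 4946 (firewall rule added),
# 4948 (firewall rule deleted), 1102 (audit log cleared). Everything else is constructed.
import json
from datetime import datetime, timedelta

WINDOW = timedelta(hours=2)  # assumption: a revert within 2h is treated as bracketing

# Constructed JSON-lines sample, shaped like a SIEM export of the Security log.
SAMPLE_LOG = """\
{"ts": "2020-06-01T09:00:00", "id": 4719, "host": "WS1", "detail": "Logon/Logoff: Success removed"}
{"ts": "2020-06-01T09:01:10", "id": 4946, "host": "WS1", "detail": "Rule: tmp-out"}
{"ts": "2020-06-01T09:40:00", "id": 4948, "host": "WS1", "detail": "Rule: tmp-out"}
{"ts": "2020-06-01T09:41:00", "id": 4719, "host": "WS1", "detail": "Logon/Logoff: Success added"}
{"ts": "2020-06-01T12:00:00", "id": 4946, "host": "WS2", "detail": "Rule: Office app"}
{"ts": "2020-06-02T15:00:00", "id": 1102, "host": "WS3", "detail": "Audit log cleared"}
"""

def parse_events(text):
    """Parse JSON lines into dicts with a datetime 'ts', sorted by time."""
    events = []
    for line in text.splitlines():
        if line.strip():
            ev = json.loads(line)
            ev["ts"] = datetime.fromisoformat(ev["ts"])
            events.append(ev)
    return sorted(events, key=lambda e: e["ts"])

def audit_key(ev):
    """Subcategory plus success/failure, without the trailing 'removed'/'added' verb."""
    return ev["detail"].rsplit(" ", 1)[0]

def find_bracketing(events, window=WINDOW):
    """Return (host, start_time, label) for reverted changes and cleared logs."""
    findings, pending = [], {}  # pending: (host, key) -> opening event
    for ev in events:
        host, eid = ev["host"], ev["id"]
        if eid == 1102:  # log clearing is always worth a look
            findings.append((host, ev["ts"], "audit log cleared"))
        elif eid == 4719 and ev["detail"].endswith("removed"):
            pending[(host, audit_key(ev))] = ev
        elif eid == 4719 and ev["detail"].endswith("added"):
            start = pending.pop((host, audit_key(ev)), None)
            if start and ev["ts"] - start["ts"] <= window:
                findings.append((host, start["ts"], "audit policy disabled then re-enabled: " + audit_key(ev)))
        elif eid == 4946:
            pending[(host, ev["detail"])] = ev
        elif eid == 4948:
            start = pending.pop((host, ev["detail"]), None)
            if start and ev["ts"] - start["ts"] <= window:
                findings.append((host, start["ts"], "temporary firewall rule: " + ev["detail"]))
    return findings

def run_demo():
    return find_bracketing(parse_events(SAMPLE_LOG))
```

The permanent rule added on WS2 is not flagged, only the pair on WS1 and the cleared log on WS3; the check only works if 4719 is forwarded off-host before the attacker clears the local log.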

While many of the tactics, techniques, and procedures (TTPs) leveraged by the attackers are already documented in the MITRE ATT&CK framework, Microsoft says it’s working with MITRE to ensure that the new techniques observed in these attacks will also be added to the framework.

Cybersecurity companies and researchers continue to analyze the activities of the SolarWinds hackers. FireEye this week released a white paper detailing the TTPs used by the SolarWinds hackers to target Microsoft 365 environments.

Cybersecurity firm Malwarebytes this week revealed that it too was targeted by the SolarWinds hackers — not through SolarWinds software, but by abusing applications with privileged access to Microsoft 365 and Azure environments.

Written By

Eduard Kovacs (@EduardKovacs) is a managing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.
