Now on Demand: Threat Detection and Incident Response (TDIR) Summit - All Sessions Available
Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Cloud Security

Microsoft Details OPSEC, Anti-Forensic Techniques Used by SolarWinds Hackers

Microsoft on Wednesday released another report detailing the activities and the methods of the threat actor behind the attack on IT management solutions firm SolarWinds, including their malware delivery methods, anti-forensic behavior, and operational security (OPSEC).

Microsoft on Wednesday released another report detailing the activities and the methods of the threat actor behind the attack on IT management solutions firm SolarWinds, including their malware delivery methods, anti-forensic behavior, and operational security (OPSEC).

The attackers, which some believe to be sponsored by Russia, breached SolarWinds’ systems in 2019 and used a piece of malware named Sundrop to insert a backdoor tracked as Sunburst into the company’s Orion product. Sunburst was delivered to thousands of organizations, but a few hundred victims that presented an interest to the attackers received several other pieces of malware and many of their systems were compromised using hands-on-keyboard techniques.

In the case of these victims, the hackers used loaders named Teardrop and Raindrop to deliver Cobalt Strike payloads.

In its latest report on the SolarWinds attack, which it tracks as Solorigate, Microsoft explains how the attackers got from the Sunburst malware to the Cobalt Strike loaders, and how they kept the components separated as much as possible to avoid being detected.

“What we found from our hunting exercise across Microsoft 365 Defender data further confirms the high level of skill of the attackers and the painstaking planning of every detail to avoid discovery,” Microsoft said.

Continuous Updates: Everything You Need to Know About the SolarWinds Attack

The tech giant has highlighted some of the more interesting OPSEC and anti-forensic methods used by the hackers. One technique involved ensuring that each compromised machine had unique indicators, such as different Cobalt Strike DLL implants, folder and file names, C&C domains and IPs, HTTP requests, file metadata, and launched processes.

“Applying this level of permutations for each individual compromised machine is an incredible effort normally not seen with other adversaries and done to prevent full identification of all compromised assets inside a network or effective sharing of threat intel between victims,” Microsoft noted.

Advertisement. Scroll to continue reading.

The attackers also renamed their tools and placed them into folders to make them look as legitimate as possible. Other actions and activities listed by Microsoft include the following:

  • Before running intensive and continued hands-on keyboard activity, the attackers took care of disabling event logging using AUDITPOL and re-enabling it afterward.
  • In a similar way, before running noisy network enumeration activities (such as repeated NSLOOKUP or LDAP queries), the attackers carefully prepared special firewall rules to minimize outgoing packets for certain protocols. The firewall rules were also methodically removed after the network reconnaissance was completed.
  • Lateral movement activities were never executed without preparation. To increase the likelihood that their activities remain undetected, the attackers first enumerated remote processes and services running on the target host and decided to move laterally only after disabling certain security services.
  • We believe that the attackers used timestomping to change timestamps of artifacts and also leveraged professional wiping procedures and tools to complicate finding and recovering of DLL implants from affected environments.

While many of the tactics, techniques, and procedures (TTPs) leveraged by the attackers are already documented in the MITRE ATT&CK framework, Microsoft says it’s working with MITRE to ensure that the new techniques observed in these attacks will also be added to the framework.

Cybersecurity companies and researchers continue to analyze the activities of the SolarWinds hackers. FireEye this week released a white paper detailing the TTPs used by the SolarWinds hackers to target Microsoft 365 environments.

Cybersecurity firm Malwarebytes this week revealed that it too was targeted by the SolarWinds hackers — not through SolarWinds software, but by abusing applications with privileged access to Microsoft 365 and Azure environments.

Related: SolarLeaks: Files Allegedly Obtained in SolarWinds Hack Offered for Sale

Related: Class Action Lawsuit Filed Against SolarWinds Over Hack

Related: SolarWinds Taps Firm Started by Ex-CISA Chief Chris Krebs, Former Facebook CSO Alex Stamos

Written By

Eduard Kovacs (@EduardKovacs) is a managing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.

Click to comment

Trending

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join the session as we discuss the challenges and best practices for cybersecurity leaders managing cloud identities.

Register

SecurityWeek’s Ransomware Resilience and Recovery Summit helps businesses to plan, prepare, and recover from a ransomware incident.

Register

People on the Move

Wendy Zheng named as CFO and Joe Diamond as CMO at cyber asset management firm Axonius.

Intelligent document processing company ABBYY has hired Clayton C. Peddy as CISO.

Digital executive protection services provider BlackCloak has appointed Ryan Black as CISO.

More People On The Move

Expert Insights