Microsoft on Wednesday released another report detailing the activities and the methods of the threat actor behind the attack on IT management solutions firm SolarWinds, including their malware delivery methods, anti-forensic behavior, and operational security (OPSEC).
The attackers, which some believe to be sponsored by Russia, breached SolarWinds’ systems in 2019 and used a piece of malware named Sundrop to insert a backdoor tracked as Sunburst into the company’s Orion product. Sunburst was delivered to thousands of organizations, but a few hundred victims that presented an interest to the attackers received several other pieces of malware and many of their systems were compromised using hands-on-keyboard techniques.
In the case of these victims, the hackers used loaders named Teardrop and Raindrop to deliver Cobalt Strike payloads.
In its latest report on the SolarWinds attack, which it tracks as Solorigate, Microsoft explains how the attackers got from the Sunburst malware to the Cobalt Strike loaders, and how they kept the components separated as much as possible to avoid being detected.
“What we found from our hunting exercise across Microsoft 365 Defender data further confirms the high level of skill of the attackers and the painstaking planning of every detail to avoid discovery,” Microsoft said.
The tech giant has highlighted some of the more interesting OPSEC and anti-forensic methods used by the hackers. One technique involved ensuring that each compromised machine had unique indicators, such as different Cobalt Strike DLL implants, folder and file names, C&C domains and IPs, HTTP requests, file metadata, and launched processes.
“Applying this level of permutations for each individual compromised machine is an incredible effort normally not seen with other adversaries and done to prevent full identification of all compromised assets inside a network or effective sharing of threat intel between victims,” Microsoft noted.
The attackers also renamed their tools and placed them into folders to make them look as legitimate as possible. Other actions and activities listed by Microsoft include the following:
- Before running intensive and continued hands-on keyboard activity, the attackers took care of disabling event logging using AUDITPOL and re-enabling it afterward.
- In a similar way, before running noisy network enumeration activities (such as repeated NSLOOKUP or LDAP queries), the attackers carefully prepared special firewall rules to minimize outgoing packets for certain protocols. The firewall rules were also methodically removed after the network reconnaissance was completed.
- Lateral movement activities were never executed without preparation. To increase the likelihood that their activities remain undetected, the attackers first enumerated remote processes and services running on the target host and decided to move laterally only after disabling certain security services.
- We believe that the attackers used timestomping to change timestamps of artifacts and also leveraged professional wiping procedures and tools to complicate finding and recovering of DLL implants from affected environments.
While many of the tactics, techniques, and procedures (TTPs) leveraged by the attackers are already documented in the MITRE ATT&CK framework, Microsoft says it’s working with MITRE to ensure that the new techniques observed in these attacks will also be added to the framework.
Cybersecurity companies and researchers continue to analyze the activities of the SolarWinds hackers. FireEye this week released a white paper detailing the TTPs used by the SolarWinds hackers to target Microsoft 365 environments.
Cybersecurity firm Malwarebytes this week revealed that it too was targeted by the SolarWinds hackers — not through SolarWinds software, but by abusing applications with privileged access to Microsoft 365 and Azure environments.