SolarWinds Likely Hacked at Least One Year Before Breach Discovery

An analysis of the infrastructure and the malware involved in the attack targeting SolarWinds indicates that the Texas-based IT management and monitoring company was hacked at least one year prior to the discovery of the breach.

SolarWinds has confirmed that sophisticated cyberspies, which are believed to be sponsored by the Russian government, compromised the software build system for its Orion product and delivered trojanized updates to as many as 18,000 customers between March and June 2020.

However, an analysis of the threat actor’s infrastructure conducted by threat intelligence company DomainTools, which specializes in DNS and domain analysis, suggests that SolarWinds was breached at some point in 2019.

An investigation conducted by threat intelligence firm ReversingLabs showed that the first version of the Orion software modified by the hackers actually dates from October 2019. This version, 2019.4.5200.8890, was only slightly modified and did not contain the malicious backdoor code, but it indicates that this is when the attackers first began testing their ability to alter the software. The actual breach of SolarWinds' infrastructure likely took place before this date.

According to DomainTools, the attackers likely started infrastructure management and staging in December 2019 and in February 2020 they started operationalizing command and control (C&C) domains.

The threat group started delivering its backdoored updates in March, but the malware, tracked as SUNBURST, is designed to remain dormant for up to two weeks. This dormancy makes it more difficult to detect, and it is the reason communications from victim devices only began in April.

[Image: SolarWinds attack timeline]

“The SolarWinds intrusion was a long-planned event, occurring in distinct stages: supply chain breach, software modification testing, infrastructure development, then final deployment,” explained Joe Slowik, senior security researcher at DomainTools.


Slowik also pointed out that while some media reports citing US government sources have attributed the SolarWinds attack to the Russia-linked threat actor APT29 (aka Cozy Bear, YTTRIUM and The Dukes), it’s possible that it was actually a different group whose activities have been tied to Russian intelligence services. He based this on the fact that Microsoft, FireEye and Volexity, all of which have analyzed APT29 in the past, have either assigned new names to this activity or have not linked it to a known actor.

In the meantime, the names of more victims have come to light. Microsoft confirmed that it detected some of the malicious binaries on its own systems and said it identified 40 customers that appeared to be high-value targets (i.e. they received later-stage payloads).

Several U.S. government organizations, including the Energy Department, have also been named as victims, and an analysis of the domain generation algorithm used by the SUNBURST malware revealed the names of hundreds of potential victims.

One of the latest victims identified through this method was U.S. cable and internet services provider Cox Communications. Kaspersky reported on Friday that a major American telecommunications company had been hit, but it did not identify it. However, Reuters revealed that it was Cox.

Written By

Eduard Kovacs (@EduardKovacs) is a managing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.
