The sprawling SolarWinds cyberattack which came to light last December was known for its sophistication in the breadth of tactics used to infiltrate and persist in the target infrastructure, so much so that Microsoft went on to call the threat actor behind the campaign "skillful and methodic operators who follow operations security (OpSec) best practices to minimize traces, stay under the radar, and avoid detection."
As further proof of this, new research published today shows that the threat actor carefully planned each stage of the operation to "avoid creating the type of patterns that make tracking them simple," thus deliberately making forensic analysis difficult.
By analyzing telemetry data associated with previously published indicators of compromise, RiskIQ said it identified an additional set of 18 servers with high confidence that likely communicated with the targeted, secondary Cobalt Strike payloads delivered via the TEARDROP and RAINDROP malware, representing a 56% jump in the attacker's known command-and-control footprint.
The "hidden patterns" were uncovered through an analysis of the SSL certificates used by the group.
The development comes a week after the U.S. intelligence agencies formally attributed the supply chain hack to the Russian Foreign Intelligence Service (SVR). The compromise of the SolarWinds software supply chain is said to have given APT29 (aka Cozy Bear or The Dukes) the ability to remotely spy or potentially disrupt more than 16,000 computer systems worldwide, according to the U.S. government.
The attacks are being tracked by the cybersecurity community under various monikers, including UNC2452 (FireEye), Nobelium (Microsoft), SolarStorm (Unit 42), StellarParticle (Crowdstrike), and Dark Halo (Volexity), citing differences in the tactics, techniques, and procedures (TTP) employed by the adversary with that of known attacker profiles, counting APT29.
"Researchers or products attuned to detecting known APT29 activity would fail to recognize the campaign as it was happening," said Kevin Livelli, RiskIQ's director of threat intelligence. "They would have an equally hard time following the trail of the campaign once they discovered it, which is why we knew so little about the later stages of the SolarWinds campaign."
Earlier this year, the Windows maker noted how the attackers went to great lengths to ensure that the initial backdoor (SUNBURST aka Solorigate) and the post-compromise implants (TEARDROP and RAINDROP) stayed separated as much as possible so as to hinder efforts to spot their malicious activity. This was done so that in the event the Cobalt Strike implants were discovered on victim networks; it wouldn't reveal the compromised SolarWinds binary and the supply chain attack that led to its deployment in the first place.
Unlock the secrets to bulletproof incident response – Master the 6-Phase process with Asaf Perlman, Cynet's IR Leader!Don't Miss Out – Save Your Seat!
But according to RiskIQ, this is not the only step the APT29 actor took to cover its tracks, which included —
- Purchasing domains via third-party resellers and at domain auctions under varying names, in an attempt to obscure ownership information and repurchasing expired domains hitherto owned by legitimate organizations over a span of several years.
- Hosting the first-stage attack infrastructure (SUNBURST) entirely in the U.S., the second-stage (TEARDROP and RAINDROP) primarily within the U.S., and the third-stage (GOLDMAX aka SUNSHUTTLE) mainly in foreign countries.
- Designing attack code such that no two pieces of malware deployed during successive stages of the infection chain looked alike, and
- Engineering the first-stage SUNBURST backdoor to beacon to its command-and-control (C2) servers with random jitter after a two-week period, in a likely attempt to outlive the typical lifespan of event logging on most host-based Endpoint Detection and Response (EDR) platforms.
"Identifying a threat actor's attack infrastructure footprint typically involves correlating IPs and domains with known campaigns to detect patterns," Livelli said.
"However, our analysis shows the group took extensive measures to throw researchers off their trail," suggesting the threat actor took extensive measures to avoid creating such patterns.