Microsoft shares how SolarWinds hackers escaped detection

Microsoft today shared details about how the SolarWinds hackers managed to remain undetected, hiding their malicious activity within the networks of breached companies.

This previously unpublished information was released by security researchers from the Microsoft 365 Defender Research Team, the Microsoft Threat Intelligence Center (MSTIC) and the Microsoft Cyber Defense Operations Center (CDOC).

The report published today shares new details about Solorigate's second-stage activation: the steps and tools used to deploy custom Cobalt Strike loaders (Teardrop, Raindrop and others) after the Solorigate DLL backdoor (Sunburst) had been dropped.

Evasion tactics of the SolarWinds hackers

As Microsoft's security researchers found, the hackers who orchestrated the SolarWinds attack exhibited a series of tactics, operational security and anti-forensic behavior that dramatically decreased the ability of breached organizations to detect their malicious actions.

“[T]he attackers behind Solorigate are skilled and methodical operators who follow operations security (OpSec) best practices to minimize traces, stay under the radar and avoid detection,” Microsoft reveals.

“During our in-depth analysis of the attacker’s tactics, techniques and procedures (TTPs) seen through the lens of Microsoft 365 Defender’s advanced telemetry, we observed a few techniques that are worth disclosing to help other defenders better respond to this incident and use hunting tools such as Microsoft 365 Defender advanced hunting or Azure Sentinel queries to search for potential traces of past activity.”

Some examples of the SolarWinds hackers' evasion tactics, as discovered and highlighted by Microsoft:

  • Methodical avoidance of shared indicators across compromised hosts, by deploying a different custom Cobalt Strike DLL implant on each machine
  • Camouflage and blending into the environment by renaming tools and binaries to match files and programs already present on the compromised device
  • Disabling event logging with AUDITPOL before hands-on-keyboard activity and re-enabling it afterwards
  • Creating firewall rules to minimize outbound packets for certain protocols before performing noisy network enumeration activities (the rules were removed once these operations were complete)
  • Carefully planning lateral movement, first disabling security services on the target hosts
  • Likely use of timestomping to alter the timestamps of artifacts, and of wiping procedures and tools to prevent the discovery of the malicious DLL implants in affected environments
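Two of the behaviors listed above, auditing switched off and back on with AUDITPOL and a firewall rule added and later deleted, leave a distinctive "bracket" in process-creation telemetry: a toggle, a burst of activity, then the restore. The following is an added example written for this page, not Microsoft's hunting query or code; the events are constructed sample command lines in the shape of Windows Security 4688 / Sysmon Event ID 1 records (the hostnames, timestamps, rule name and commands are hypothetical), and the regular expressions and one-hour window are assumptions a hunter would tune to their environment.

```python
"""
Hunt for 'disable, act, restore' brackets in process-creation events:
AUDITPOL disabling auditing that is later re-enabled, and a netsh
firewall rule that is added and later deleted, on the same host.
Sample events are constructed (hypothetical); detection logic is an
illustration for this page, not Microsoft's query.
"""
import re
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass
class ProcEvent:
    ts: datetime   # process creation time
    host: str      # device name
    cmdline: str   # full command line (e.g. Security 4688 or Sysmon EID 1)


# Constructed sample data: WS01 brackets its activity with toggles, WS02 disables
# auditing and never restores it, WS03 only queries the policy (benign).
SAMPLE_EVENTS = [
    ProcEvent(datetime(2020, 5, 4, 9, 0), "WS01", 'auditpol.exe /get /category:"Detailed Tracking"'),
    ProcEvent(datetime(2020, 5, 4, 9, 1), "WS01", 'auditpol.exe /set /subcategory:"Process Creation" /success:disable /failure:disable'),
    ProcEvent(datetime(2020, 5, 4, 9, 2), "WS01", 'netsh advfirewall firewall add rule name="Update Check" dir=out action=block protocol=udp'),
    ProcEvent(datetime(2020, 5, 4, 9, 5), "WS01", 'net.exe view /domain'),
    ProcEvent(datetime(2020, 5, 4, 9, 20), "WS01", 'netsh advfirewall firewall delete rule name="Update Check"'),
    ProcEvent(datetime(2020, 5, 4, 9, 21), "WS01", 'auditpol.exe /set /subcategory:"Process Creation" /success:enable /failure:enable'),
    ProcEvent(datetime(2020, 5, 4, 10, 0), "WS02", 'auditpol.exe /set /subcategory:"Logon" /success:disable /failure:disable'),
    ProcEvent(datetime(2020, 5, 4, 11, 0), "WS03", 'auditpol.exe /get /category:*'),
]

# Assumed patterns: auditpol /set with a disable (or enable) flag, and netsh rule add/delete by name.
AUDITPOL_DISABLE = re.compile(r'auditpol(?:\.exe)?\s+/set\b.*(?:/success|/failure):disable', re.I)
AUDITPOL_ENABLE = re.compile(r'auditpol(?:\.exe)?\s+/set\b.*(?:/success|/failure):enable', re.I)
FW_ADD = re.compile(r'netsh\s+advfirewall\s+firewall\s+add\s+rule\s+name="([^"]+)"', re.I)
FW_DEL = re.compile(r'netsh\s+advfirewall\s+firewall\s+delete\s+rule\s+name="([^"]+)"', re.I)


def _next_match(evs, i, pred, window):
    """Index of the first event after evs[i] that satisfies pred within window, else None."""
    for j in range(i + 1, len(evs)):
        if evs[j].ts - evs[i].ts > window:
            return None
        if pred(evs[j]):
            return j
    return None


def _deletes_rule(name):
    """Predicate: event deletes the firewall rule with exactly this name."""
    def pred(f):
        d = FW_DEL.search(f.cmdline)
        return d is not None and d.group(1) == name
    return pred


def _finding(kind, evs, i, j):
    between = evs[i + 1:j] if j is not None else evs[i + 1:]
    return {
        "kind": kind,
        "host": evs[i].host,
        "start": evs[i].ts,
        "restored": evs[j].ts if j is not None else None,   # None: never re-enabled / removed
        "commands_in_window": [e.cmdline for e in between],  # activity run while suppressed
    }


def find_bracketed_activity(events, window=timedelta(hours=1)):
    """One finding per disable/add event on each host. commands_in_window holds
    what ran between the toggle and its restore; if the restore never came,
    everything after the toggle, which is itself worth a look."""
    by_host = {}
    for e in sorted(events, key=lambda e: e.ts):
        by_host.setdefault(e.host, []).append(e)
    findings = []
    for evs in by_host.values():
        for i, e in enumerate(evs):
            if AUDITPOL_DISABLE.search(e.cmdline):
                j = _next_match(evs, i, lambda f: AUDITPOL_ENABLE.search(f.cmdline), window)
                findings.append(_finding("auditpol_toggle", evs, i, j))
            m = FW_ADD.search(e.cmdline)
            if m:
                j = _next_match(evs, i, _deletes_rule(m.group(1)), window)
                findings.append(_finding("firewall_rule_toggle", evs, i, j))
    return findings


if __name__ == "__main__":
    for f in find_bracketed_activity(SAMPLE_EVENTS):
        state = "restored" if f["restored"] else "NOT restored"
        print(f'{f["host"]} {f["kind"]} at {f["start"]:%H:%M} ({state}): '
              f'{len(f["commands_in_window"])} command(s) in window')
```

The point of pairing the toggle with its restore, rather than alerting on `auditpol /set` alone, is that the restore is what distinguishes the tradecraft described in the article from a one-off administrative change, and the commands captured between the two are exactly the activity the attacker hoped would go unlogged. Because the process-creation events of other hosts (or a Sysmon feed) keep recording while the Security log's own auditing is off, the bracket is still recoverable from whichever source was not disabled.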

In addition, Microsoft provides a list of the most interesting and unusual tactics, techniques and procedures (TTPs) used in these attacks.

The company also said it is “actively working with MITRE to make sure that any novel technique emerging from this incident is documented in future updates of the ATT&CK framework.”

Supply chain attack timeline

A detailed timeline of these attacks shows that the Solorigate DLL backdoor was compiled in February and deployed on compromised networks during late March (SolarWinds also provided an overview of the attack timeline earlier this month).

After this stage, the threat actor prepared the custom Cobalt Strike implants and selected targets of interest until early May, when hands-on-keyboard attacks likely began.

“The removal of the backdoor-generation function and compromised code from SolarWinds binaries in June could indicate that, by this time, the attackers had reached a sufficient number of interesting targets, and their objective shifted from deployment and activation of the backdoor (Stage 1) to being operational on selected victim networks, continuing the attack with hands-on-keyboard activity using the Cobalt Strike implants (Stage 2),” Microsoft adds.

Solorigate attack timeline (Microsoft)

Microsoft discovered these new details during its ongoing investigation of the SolarWinds supply chain attack, orchestrated by the threat actor tracked as StellarParticle (CrowdStrike), UNC2452 (FireEye), SolarStorm (Palo Alto Networks Unit 42) and Dark Halo (Volexity).

Although the identity of the threat actor remains unknown, a joint statement issued by the FBI, CISA, ODNI and NSA earlier this month says that it is likely to be a Russian-backed Advanced Persistent Threat (APT) group.

Kaspersky also found a connection between the SolarWinds hackers and the Russian hacking group Turla after discovering that the Sunburst backdoor shares features with the Kazuar backdoor, which is tentatively linked to Turla.
