Skip to main content

New analysis uncovers extensive SolarWinds attack infrastructure

Privacy
(Image credit: Shutterstock / Valery Brozhinsky)

Cybersecurity researchers that have been tracking the infrastructure footprint of SolarWinds threat actors claim the network of servers used in the attack is "significantly larger than previously identified".

Back in December 2020, a massive cyber-espionage effort was discovered that tainted the software supply chain via a rigged update to SolarWinds software. Pinned on state-sponsored Russian hackers, the hack was found to have affected nine federal agencies, in addition to many private-sector companies.

There have been several congressional hearings regarding the SolarWinds hack, and the incident also led to sanctions on several Russian cybersecurity companies. However, no one has been able to determine the true extent of the hack, in part because tracing the steps of the threat actors has been quite challenging. 

TechRadar needs you!

We're looking at how our readers use VPN for a forthcoming in-depth report. We'd love to hear your thoughts in the survey below. It won't take more than 60 seconds of your time.

>> Click here to start the survey in a new window<<

“The threat actor, identified by the U.S. government as APT29 but tracked in the private industry as UNC2452, took great pains to avoid creating the type of patterns that make tracing them easy,” said RiskIQ's intelligence analysis team in a new report.

More targets?

According to its analysis, RiskIQ has identified an additional 18 command and control (C&C) servers that communicated with the malicious payloads that were dropped as part of the cyberattack. 

In the report, RiskIQ said the attack had several stages. In the first-stage, the threat actors dropped the Sunburst backdoor, which was designed to identify, avoid, and disable different antivirus and endpoint detection and response (EDR) products.

The second and third stages are said to have included custom droppers (now referred to as Teardrop and Raindrop) together with additional malware and a tainted version of the Cobalt Strike pentesting tool. 

RiskIQ identified the new C&C servers while analyzing the second stage of the attack. The team picked up modified Cobalt Strike beacons and then correlated them with the SSL certificates used by the SolarWinds hackers to identify the extra servers, which “will likely lead to newly identified targets".

The cybersecurity company also notes that it has already notified the US Computer Emergency Readiness Team (US-CERT) of its findings.

Via ZDNet