Analysts Uncover More Servers Used in SolarWinds Attack
RiskIQ: Discovery Sheds Light on Size of Cyberespionage Operation
Researchers at the security firm RiskIQ say they've discovered more than a dozen previously undocumented command-and-control servers used in the SolarWinds supply chain attack, showing that the cyberespionage operation was much larger than previously identified.
U.S. investigators say the Russian Foreign Intelligence Service, aka SVR, was responsible for the attack.
Many of these command-and-control servers were hosted in the U.S. by cloud infrastructure providers, including Amazon Web Services, which RiskIQ says helped the attackers avoid detection and blend in with normal network traffic, according to its new report.
The 18 command-and-control servers identified by RiskIQ's Team Atlas were deployed in the second and third stages of the SolarWinds attack, the researchers say. Many of them appear to have communicated with Cobalt Strike Beacon payloads that were delivered to victims' networks by the droppers known as Teardrop and Raindrop, the report notes.
Why Use U.S.-Based Servers?
The use of command-and-control servers hosted on AWS was discussed at a U.S. Senate hearing in February, when several lawmakers questioned if Amazon had been forthcoming enough about the role its services may have played in the operation (see: Senate SolarWinds Hearing: 4 Key Issues Raised).
Attackers may have hosted some servers in the U.S. to help avoid scrutiny by the National Security Agency, the RiskIQ researchers note.
"Hosting traffic locally could … have been an attempt to avoid the NSA's prying eyes because the NSA cannot legally take action except in foreign countries," RiskIQ notes in the report. "The second-stage campaign infrastructure was primarily hosted in the U.S. By the third stage, the group hosted its infrastructure almost entirely in foreign countries. In this way, they avoided creating discernable patterns that could be traced while simultaneously making it harder for the U.S. government to investigate."
RiskIQ researchers have "high confidence" these command-and-control servers were used as part of the SolarWinds operation conducted by a Russian government-backed attack group it calls APT29, which is also known as Cozy Bear and The Dukes.
On April 15, the Biden administration accused the Russian Foreign Intelligence Service of conducting the SolarWinds attack as well as interfering in the 2020 U.S. elections. The White House announced sanctions that targeted the Russian government, which denies any involvement in the attack (see: US Sanctions Russia Over SolarWinds Attack, Election Meddling).
Size and Scope
When the SolarWinds attack was first discovered in December 2020, initial reports from FireEye and Microsoft identified about 30 command-and-control servers used by the attackers. RiskIQ's discovery of another 18 shows that the operation was considerably larger than previously believed.
"The findings indicate that the SolarWinds espionage campaign's network infrastructure footprint is significantly larger than previously identified in U.S. government and private industry reporting," according to the report. The discovery of 18 more servers could point to additional victims and compromised organizations, RiskIQ says.
The attackers inserted a Trojanized software update into the distribution channel for SolarWinds' Orion network monitoring platform, and as many as 18,000 customers downloaded it. The initial attack vector that gave the attackers access to SolarWinds' build process remains under investigation (see: House SolarWinds Hearing Focuses on Updating Cyber Laws).
The malicious update carried a backdoor that FireEye calls "Sunburst," which lay dormant for about two weeks before contacting its operators. Once active, it allowed the threat group to disable security tools and establish a beachhead within the victim's network.
After gathering initial information about these networks, the attackers narrowed the list of victims to pursue with additional malware: about 100 companies and nine U.S. government agencies, including the Commerce, Homeland Security and Energy departments.
From there, the attack moved to its second and third stages, in which the attackers used droppers, including Raindrop and Teardrop, to install other malicious code, such as the Cobalt Strike Beacon. This is also where the command-and-control infrastructure that RiskIQ discovered came into play.
"The threat actor behind this campaign took exceptional care to ensure analysis and incident response would be impeded," says Kevin Livelli, director of threat intelligence for RiskIQ's Team Atlas. "They designed their first stage malware to emit only random jitter after a two-week period, thereby outliving the average lifespan of logs on most endpoint detection and response products. They also broke patterns in the type of malware used in each stage, the manner in which their infrastructure was configured, as well as where it was hosted."
During the second stage, the attackers conducted additional mapping of the targeted networks and began to collect data and create ways to maintain persistence, according to previous reports. Other malware was deployed during the third stage.
Livelli notes that the malware used in the second stage of the attack was likely designed for reconnaissance, with the command-and-control servers communicating with the Cobalt Strike implants.
While the command-and-control servers associated with the second stage of the attack have now been disabled, Livelli notes that some servers used during the third stage remain active.
Asked about the RiskIQ report's findings, a spokesman for the Cybersecurity and Infrastructure Security Agency says the agency "reviews reporting from a wide variety of sources as part of the investigative process, which is still ongoing."
Besides hosting the command-and-control servers on cloud infrastructure based in the U.S. to help avoid detection by the NSA, the attackers used other methods to hide their presence, according to RiskIQ.
These included purchasing domains through third-party resellers and at domain auctions, which then obscured ownership information. The attackers also repurchased expired domains over several years, the report notes.
The analysis also found that the attackers bought legitimate TLS certificates (still commonly called SSL certificates) from the certificate authority Sectigo, so that their encrypted command-and-control traffic presented a valid, publicly trusted certificate rather than a self-signed one that might draw attention. Livelli says this continued a pattern of carefully disguising the operation's true nature.
"What's significant … is how the threat actor chose to use them," Livelli says. "It is common to observe certificates used shortly after purchase. But as we noted in the report, a period of roughly between five and 40 days elapsed between the purchase of the certificate and use in the SolarWinds campaign."
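The two infrastructure habits described above, certificates left idle for five to 40 days before use and re-registered domains that are years old, can be turned into a hunting heuristic. The script below is an added example written for this page; it is not RiskIQ's or the publisher's code. It assumes a constructed, Zeek-like join of ssl.log (first sighting, server name), x509.log (certificate serial and NotBefore) and a WHOIS creation date; the column layout, the hostnames and every timestamp are invented for the example. It also shows, for contrast, why a plain newly-registered-domain check misses an aged domain that the idle-certificate check still catches.

```python
"""Hunting heuristic derived from the RiskIQ observations quoted above.

Added example, not RiskIQ's or the publisher's code. The input format is an
assumed, Zeek-like join of ssl.log, x509.log and WHOIS data; all records
below are constructed for illustration.
"""
from datetime import datetime, timezone

# Constructed sample data (tab-separated). Hostnames use the reserved .test TLD.
# first_seen_utc  server_name  cert_serial  not_before_utc  domain_created_utc
SAMPLE_LOG = """\
2020-03-04T10:15:00Z\tbeacon-a.example.test\t1A2B\t2020-02-20T00:00:00Z\t2014-07-01T00:00:00Z
2020-03-06T08:00:00Z\tbeacon-a.example.test\t1A2B\t2020-02-20T00:00:00Z\t2014-07-01T00:00:00Z
2020-05-01T12:00:00Z\tshop.example.test\t7F00\t2020-04-30T09:00:00Z\t2020-04-29T00:00:00Z
2020-06-15T00:00:00Z\tcdn.example.test\t99AA\t2020-04-01T00:00:00Z\t2011-01-10T00:00:00Z
"""

FIELDS = ("first_seen", "server_name", "serial", "not_before", "domain_created")


def parse_ts(value: str) -> datetime:
    """Parse an ISO-8601 UTC timestamp with a trailing 'Z' into an aware datetime."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def parse_records(text: str) -> list:
    """Turn the TSV text into dicts; the three timestamp columns become datetimes."""
    records = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        rec = dict(zip(FIELDS, line.split("\t")))
        for key in ("first_seen", "not_before", "domain_created"):
            rec[key] = parse_ts(rec[key])
        records.append(rec)
    return records


def earliest_use_per_cert(records: list) -> dict:
    """Collapse repeated sightings to the earliest observation of each certificate serial."""
    earliest = {}
    for rec in records:
        cur = earliest.get(rec["serial"])
        if cur is None or rec["first_seen"] < cur["first_seen"]:
            earliest[rec["serial"]] = rec
    return earliest


def dwell_days(rec: dict) -> int:
    """Whole days between the certificate's NotBefore and its first sighting on the wire."""
    return (rec["first_seen"] - rec["not_before"]).days


def domain_age_days(rec: dict) -> int:
    """Whole days between the domain's WHOIS creation date and the first sighting."""
    return (rec["first_seen"] - rec["domain_created"]).days


def flag_idle_certs(records: list, low: int = 5, high: int = 40) -> list:
    """Return certificates that sat idle for low..high days before first use.

    The 5-40 day window is the range RiskIQ reported for this campaign; treat it
    as a starting point for a hunt, not as a universal signature.
    """
    hits = []
    for serial, rec in sorted(earliest_use_per_cert(records).items()):
        days = dwell_days(rec)
        if low <= days <= high:
            hits.append({"serial": serial, "server_name": rec["server_name"], "dwell_days": days})
    return hits


def flag_new_domains(records: list, max_age_days: int = 30) -> list:
    """Classic newly-registered-domain check, shown for contrast with the idle-cert check."""
    return sorted(
        rec["server_name"]
        for rec in earliest_use_per_cert(records).values()
        if domain_age_days(rec) <= max_age_days
    )


if __name__ == "__main__":
    recs = parse_records(SAMPLE_LOG)
    for hit in flag_idle_certs(recs):
        print("idle-cert hit:", hit)
    print("newly registered domains:", flag_new_domains(recs))
```

On the constructed data, beacon-a.example.test is flagged by the idle-certificate check (13 days between NotBefore and first use) but not by the newly-registered-domain check, because its domain was created in 2014, exactly the aged, repurchased domain pattern the report describes. The shop.example.test record shows the ordinary case of a certificate used a day after issuance on a brand-new domain, which only the domain-age check catches. In production the NotBefore and serial would come from the x509.log entry linked to each ssl.log connection, and the first-sighting time should be taken from the earliest connection log rather than from the certificate itself.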