Months after the initial revelation of the intrusion at SolarWinds, researchers have discovered that the footprint of the infrastructure used by the attackers is much larger than previously thought, a finding that may lead to the eventual discovery of new victims in the future.
The findings from RiskIQ show that APT29, also known as Cozy Bear, spent quite a bit of time and energy setting up the infrastructure in such a way that it could avoid creating any recognizable patterns for researchers to latch on to. Though the federal government has named APT29 as the team behind these attacks, private researchers have not. The RiskIQ researchers discovered 18 previously unknown command-and-control servers used by the attackers, a number that represents a 56 percent increase in the number of known C2 servers for this operation. The RiskIQ team was surprised at the volume of previously unknown servers it found.
"Four months have elapsed since the first research into this campaign was published. And lots of eyes have been on this campaign. Many capable and prominent private companies have made their findings public, as has the U.S. government. That we were the first to publicly disclose this attacker infrastructure was therefore unexpected," said Kevin Livelli, Director, Threat Intelligence, Team Atlas at RiskIQ.
Some of the attackers’ servers were located in the United States, while others were scattered across the globe. This was not just a result of where they could find the servers they needed, but appears to be an intentional decision to prevent easy tracking and investigation should the operation be discovered.
“RiskIQ's Team Atlas noted that the first-stage infrastructure was hosted entirely in the U.S., a move we assess was likely done to avoid raising suspicion (domestic network traffic is more plausible) as well as to avoid the prying eyes of the NSA, which is restricted by law to taking action only in foreign countries,” RiskIQ said in a new report on the infrastructure investigation.
“The second-stage infrastructure was only partially hosted in the U.S. By the third-stage, the campaign’s infrastructure was hosted almost entirely in foreign countries. In this way, the threat actor avoided creating discernable patterns that could be traced while simultaneously making it harder for the U.S. government to investigate.”
The initial compromise of SolarWinds, of course, led to the attackers compromising a build server for the company’s Orion software platform and inserting malicious code into an update that was then downloaded and installed by more than 16,000 customers. Only a small fraction of those organizations were targeted for subsequent exploitation, although the true number of compromised companies is unknown. The malware tools used by the attackers in these operations were custom built and were installed in several discrete stages, including the first-stage Sunburst implant and the use of the Cobalt Strike penetration testing framework in the second stage. Each stage served a different purpose, and the RiskIQ researchers found that some of the tools had been tested prior to the SolarWinds attack.
“The third-stage introduced an implant called GOLDMAX (Microsoft) / SUNSHUTTLE (FireEye) designed for long-term persistence. Its C2 implementation allowed it to blend in with normal network traffic. RiskIQ’s Atlas Team identified evidence that it was tested prior to use on the intended targets. We strongly suspect that there were earlier versions of SUNBURST and modified Cobalt Strike payloads that were similarly deployed, and that other later-stage payloads are likely to exist in addition to SIBOT (Microsoft) / MISPRINT,” the report says.
In addition to identifying the 18 new C2 servers, RiskIQ also dug into the domains used by APT29 during the operation and found that the group applied the same level of care to pattern avoidance in its registration and use of domains. Some groups tend to rely on essentially disposable infrastructure, domains and servers that they register quickly with the assumption that they will be found and can be abandoned quickly. But the SolarWinds attackers took the opposite tack.
“RiskIQ's Team Atlas found that this infrastructure was registered under different names and at different times over several years to avoid establishing a traceable pattern. We assess that the domains were likely purchased from resellers or at auction and most were used previously by legitimate persons or businesses,” the report says.
“Many of the historical records of their acquisition stopped with a third party. Many of the domains were ‘aged’ (left inactive) for up to a year prior to being deployed. After use, the second and third-stage domains were decommissioned in small tranches, usually a few each month.”
RiskIQ's Livelli said the attackers' attention to pattern avoidance clearly served them well.
"The threat actor was particularly dedicated to avoiding patterns, and did so in all aspects of their tradecraft, which is something not commonly seen. Perhaps the most significant measure of success in this regard has been the inability of the private sector to attribute the campaign to APT29 even after the U.S. government made the link. The tactics, techniques, and procedures (TTP) simply did not match those of previously known groups," he said.