Microsoft today shared details on how the SolarWinds hackers were able to remain undetected by hiding their malicious activity inside the networks of breached companies.
This previously unknown information was disclosed by security experts part of the Microsoft 365 Defender Research Team, Microsoft Threat Intelligence Center (MSTIC), and Microsoft Cyber Defense Operations Center (CDOC).
The report they published earlier today shares new details regarding the Solorigate second-stage activation — the steps and tools used to deploy custom Cobalt Strike loaders (Teardrop, Raindrop, and others) after dropping the Solorigate (Sunburst) DLL backdoor.
SolarWinds hackers’ evasion tactics
As Microsoft’s security experts found, the hackers who orchestrated the SolarWinds attack showcased a range of tactics, operational security, anti-forensic behavior that drastically decreased the breached organizations’ ability to detect their malicious actions.
“[T]he attackers behind Solorigate are skillful and methodic operators who follow operations security (OpSec) best practices to minimize traces, stay under the radar, and avoid detection,” Microsoft reveals.
“During our in-depth analysis of the attacker’s tactics, techniques, and procedures (TTPs) seen through the lens of Microsoft 365 Defender’s rich telemetry, we observed a few techniques that are worth disclosing to help other defenders better respond to this incident and use hunting tools like Microsoft 365 Defender advanced hunting or Azure Sentinel queries to search for potential traces of past activity.”
Some examples of SolarWinds hackers’ evasion tactics as discovered and highlighted by Microsoft:
- Methodic avoidance of shared indicators for each compromised host by deploying custom Cobalt Strike DLL implants on each machine
- Camouflage and blending into the environment by renaming tools and binaries to match files and programs on the compromised device
- Disabling event logging using AUDITPOL before hands-on keyboard activity and enabling back afterward
- Creating firewall rules to minimize outgoing packets for certain protocols before running noisy network enumeration activities (removed after these operations were completed)
- Carefully planning lateral movement activities by first disabling security services on targeted hosts
- Also believed to have used timestomping to change artifacts’ timestamps and leveraged wiping procedures and tools to hinder malicious DLL implants discovery in affected environments.
Additionally, Microsoft provides a list of the most fascinating and unusual tactics, techniques, and procedures (TTPs) used in these attacks.
The company also said that it’s “actively working with MITRE to make sure that any novel technique emerging from this incident is documented in future updates of the ATT&CK framework.”
Supply-chain attack timeline
A detailed timeline of these attacks shows that the Solorigate DLL backdoor was deployed in February and deployed in compromised networks during late-March (SolarWinds also provided an attack timeline overview earlier this month).
After this stage, the threat actor prepared the custom Cobalt Strike implants and selected targets of interest until early-May when the hands-on attacks most likely started.
“The removal of the backdoor-generation function and the compromised code from SolarWinds binaries in June could indicate that, by this time, the attackers had reached a sufficient number of interesting targets, and their objective shifted from deployment and activation of the backdoor (Stage 1) to being operational on selected victim networks, continuing the attack with hands-on-keyboard activity using the Cobalt Strike implants (Stage 2),” Microsoft adds.
Microsoft uncovered these new details during their ongoing investigation of the SolarWinds supply-chain attack orchestrated by the threat actor tracked as StellarParticle (CrowdStrike), UNC2452 (FireEye), SolarStorm (Palo Alto Unit 42), and Dark Halo (Volexity).
While the threat actor’s identity remains unknown, a joint statement issued by the FBI, CISA, ODNI, and the NSA earlier this month says that it is likely a Russian-backed Advanced Persistent Threat (APT) group.
Kaspersky also made a connection between the SolarWinds hackers and the Russian Turla hacking group after finding that the Sunburst backdoor has feature overlaps with the Kazuar backdoor tentatively linked to Turla.