Threat Intelligence Assessment – SolarWinds - Talion

Where it all began

In December 2020, the cybersecurity firm FireEye released an alert disclosing a breach of its own estate. Initially, information was thin on the ground, and analysts worldwide began to speculate about the colossal fallout the community anticipated from this news. We were not wrong.

FireEye's reports detailed a novel, never-before-seen attack method used to infiltrate its network and retrieve its Red Team assessment tooling. In an unprecedented step, FireEye publicly released over 300 countermeasures so that its customers could detect and block attackers using those stolen tools against their own estates.
Within days, articles emerged describing an intrusion campaign that trojanised SolarWinds Orion business software updates to deliver a malware strain dubbed 'SUNBURST'. This was identified as the method used to gain access to FireEye's network, and with that finding the full extent of the compromise began to come to light.

Victim analysis

Reports suggest the initial stage of this attack was launched as early as September 2019. Up to 18,000 organisations worldwide installed the trojanised update, and the attackers then ran a selection process to assess which of them were of 'high value'. 44% of the victims identified so far belong to the Information Technology sector, and major security firms were among them: FireEye, Microsoft and Cisco have publicly confirmed that the trojanised software reached their environments, CrowdStrike reported an unsuccessful attempt against it by the same actor, and Malwarebytes disclosed a compromise by the same actor through a different vector. Think tanks and entities connected to the US government also fell victim.

We do not yet have the full scope of the victims connected to the attacks; for example, at the time of writing, reports have found that a large portion of the manufacturing sector also received the malware. At this stage there is no evidence that a second, hands-on stage has been launched against these manufacturing victims, but this does not rule out the potential for it in the future.

Threat Actor attribution

It is not yet confirmed whether this is the work of a single threat group or of several groups working together. Initial reports speculated that APT29, also known as Cozy Bear, was responsible for the attacks. Two weeks later, suspicion turned to Turla, because the remote access backdoor's code overlaps with that group's own 'Kazuar' malware. Recent reporting tracks the intrusion set as UNC2452 (FireEye's designation) or Dark Halo (Volexity's). While the named group has changed throughout the investigation, the geographical location and motivation have not: every candidate is assessed as a Russian state espionage actor.

Technical Timeline

From the very first infiltration the attack appears to have been well orchestrated, with the attackers using numerous decoy techniques to evade detection and remain hidden on the network. It is now believed that in September 2019 the attackers gained access to SolarWinds' infrastructure and injected test code to examine the boundaries of the build platform. They sat on the network for a few months, using clandestine methods, before withdrawing in November 2019 with the information needed to build suitable tooling for the main attack.

In February 2020 the Solorigate backdoor, also tracked as SUNBURST, was introduced into the Orion codebase. It is a fully functioning DLL backdoor that lies dormant after installation while the attackers select their targets and prepare per-target Cobalt Strike implants and command-and-control (C2) infrastructure. After about a month of preparation, the trojanised Orion updates carrying SUNBURST began reaching customers in March 2020.

We now also know that a further component dubbed 'SUNSPOT' was deployed on the SolarWinds build system. It watched for Orion builds and replaced one of the platform's source files with a version containing the SUNBURST backdoor code, so that the backdoor was compiled and signed along with the legitimate product. The design of this tool shows that its operators invested considerable effort in keeping their presence hidden from SolarWinds developers.
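One check that catches a build-time source swap of the kind just described, as an added example (this is not Talion's or SolarWinds' code, and the file names and directory layout are constructed for illustration): snapshot the hash of every source file at checkout, then re-verify immediately before the compiler runs. A tool that replaces a file in that window shows up as a hash mismatch, even if it restores the original once the build finishes.

```python
"""
Build-time source-integrity check modelled on the SUNSPOT technique
(added example; not code from Talion or SolarWinds).

Snapshot the source tree at checkout, re-verify right before compiling.
Any file swapped in between is reported, whatever the attacker does after.
"""
import hashlib
import tempfile
from pathlib import Path


def _sha256(path: Path) -> str:
    """Streaming SHA-256 of one file."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root: Path, suffixes=(".cs", ".csproj")) -> dict:
    """Map each source file (path relative to root, '/' separated) to its SHA-256.

    Only files with the given suffixes are tracked; extend the tuple to match
    whatever the build actually compiles.
    """
    return {
        str(p.relative_to(root)).replace("\\", "/"): _sha256(p)
        for p in sorted(root.rglob("*"))
        if p.is_file() and p.suffix in suffixes
    }


def verify_manifest(root: Path, manifest: dict) -> dict:
    """Compare the tree against a manifest taken earlier.

    Returns sorted lists of files whose content changed, files that vanished,
    and files that appeared. Run this immediately before invoking the compiler;
    a swap that is reverted after the build is invisible to a post-build check.
    """
    current = build_manifest(root)
    return {
        "modified": sorted(k for k in manifest if k in current and current[k] != manifest[k]),
        "missing": sorted(k for k in manifest if k not in current),
        "added": sorted(k for k in current if k not in manifest),
    }


def demo_sunspot_style_swap() -> dict:
    """Constructed scenario: two hypothetical source files, one replaced
    between the checkout snapshot and the pre-build verification."""
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        src = root / "src"
        src.mkdir()
        (src / "Module.cs").write_text("class Module { }\n")      # hypothetical file
        (src / "Other.cs").write_text("class Other { }\n")        # hypothetical file
        manifest = build_manifest(root)                           # taken at checkout

        # Simulate the build-time swap: same path, different content.
        (src / "Module.cs").write_text("class Module { /* injected */ }\n")

        return verify_manifest(root, manifest)                    # run before compiling


if __name__ == "__main__":
    print(demo_sunspot_style_swap())
```

The manifest is only as trustworthy as where it is kept: if it lives on the build host, an attacker with the access SUNSPOT's operators had can rewrite it too. Generate it from a clean checkout on a separate system (or derive it from the commit in source control) and have the build pipeline fetch it read-only.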

It is estimated that the hands-on-keyboard stage of the attack began in May 2020, when a second strain of malware known as 'TEARDROP' was dropped. TEARDROP, along with a related strain tracked as 'Raindrop', has been identified as the missing link between the Solorigate DLL backdoor and the Cobalt Strike Beacon: both act as loaders for it. The two strains perform a similar role in the attack chain but differ at code level and in how they were deployed. TEARDROP is known to have been installed via SUNBURST; how Raindrop arrived on systems remains a mystery and is still under investigation. One hypothesis is that the fileless PowerShell payloads run by SUNBURST, which left little forensic evidence, were used to deploy Raindrop.

The uncovering of these individual components shows that the attackers kept the stages of the attack chain as separate as possible, so that the discovery of one component would not expose the supply chain compromise. It is this separation that helped keep the operation covert for so long.

Closing Statement

Each week a new piece of this puzzle is uncovered, giving us a better grasp of the sheer scale and importance of this attack for the cyber community. Over the coming months, while investigations continue, more reports will inevitably emerge shedding light on how this audacious operation was able to run for so long. While the attack directly breached SolarWinds, we are watching many other organisations fall in cascading fashion, and more affected customers, partners and vendors will emerge. We anticipate the attack will provoke anger and calls for retribution within the cyber community; as this report was being written, it emerged that the Russian government had issued an alert about the risk of US retaliation against Russia's critical infrastructure. We still have a lot to learn from the SolarWinds saga, an event that will unquestionably reshape the cyber landscape for years to come.
