Research Uncovers New Command Servers Used in SolarWinds Campaign
Researchers at RiskIQ have discovered 18 additional command servers used in the hacking campaign, which may help identify more victims. They also spotted mysterious server activity in February 2020.
Kim Zetter, Apr 22
Researchers have uncovered eighteen additional command-and-control servers used in the SolarWinds hacking campaign, indicating that the operation was broader in scope than previously known. The servers — which the hackers used to communicate with infected machines and send additional malware to them — may help point investigators to previously unidentified victims, according to researchers with RiskIQ’s Atlas Team, who are releasing the findings today.
In the case of previous command servers identified with the campaign, the attackers used different servers for each victim. If the pattern holds true for the eighteen new servers, this could “very likely represent eighteen additional victims,” says Kevin Livelli, RiskIQ’s director of threat intelligence.
Investigators had previously identified about three dozen command-and-control servers used in the operation. The new findings expand that infrastructure by more than half.
But RiskIQ also uncovered something else — evidence that two servers previously identified as part of the hackers’ infrastructure were active on February 27, 2020, evidently pushing malware out to infected victims. The two servers, which used the domain names globalnetworkissues[.]com and seobundlekit[.]com, were part of the so-called “second-stage” operation that delivered additional malware to victims after they were already infected with compromised SolarWinds software. The only problem? SolarWinds says that none of its customers were infected with the company’s compromised software until late March.
If the two servers were pushing out second-stage malware to victims in February, this raises the possibility that either a previously unknown version of the SolarWinds software was compromised and infected customers in February, or the attackers were pushing second-stage malware to victims who had been infected in some other way, not through the compromised SolarWinds software. Livelli says he doesn’t know what to make of it. SolarWinds did not respond to an inquiry from Zero Day.
But there is another possible explanation for the activity.
The new information shifts the campaign’s previously established timeline.
Sometime in or before September 2019, hackers believed to be associated with Russia’s SVR intelligence service compromised the network of SolarWinds, a Texas-based company that makes software tools for monitoring and maintaining computer networks. They did so with the intent of inserting a malicious backdoor into SolarWinds’ trusted Orion software in order to infect its corporate and government customers.
In October, the hackers conducted a test run to see if they could slip the backdoor into the SolarWinds software without being detected, although for the test they used benign code. The test was successful, and the code got passed to SolarWinds customers without anyone noticing at the time.
The hackers either left or lay quiet inside the SolarWinds network until February, when they introduced a malicious tool into the build server that SolarWinds uses to compile and sign source code before distributing it to customers. The tool was compiled and placed on SolarWinds’ build servers on Feb. 20, 2020. There it sat, waiting for an employee to compile a new update to SolarWinds’ Orion software. Once that occurred, the tool would slip a malicious backdoor, which researchers have dubbed Sunburst, into the SolarWinds software right before the automated system compiled and digitally signed it with an authentic SolarWinds certificate. The Orion build containing Sunburst was digitally signed with that certificate on March 24, 2020. On March 26, the Orion software, with the embedded Sunburst backdoor, was placed on the SolarWinds server for downloading by customers.
SolarWinds has said three versions of its Orion software contained a backdoor that infected customers: version 2019.4 HF 5 (released to customers March 26, 2020), version 2020.2 (released June 4, 2020), and version 2020.2 HF 1 (released June 24, 2020). About 16,000 customers downloaded these compromised software packages.
Once on customer systems, the backdoor sat quietly for about two weeks to avoid detection before reaching out to a command-and-control server to check in and obtain instructions. The hackers managing those servers then chose about 100 of these victims — across private and government sectors — and dropped additional malware onto these high-value machines for the second stage of the operation. This second-stage malware helped the attackers move through the infected networks, conduct reconnaissance and steal employee credentials to burrow deeper into systems.
Last month, Microsoft announced that it had found three new pieces of malware that were part of a third stage of the operation. These tools are “tailor-made for specific networks,” according to Microsoft, and open a new backdoor to allow the attackers to maintain their presence on the infected networks for a long time while concealing their activity and avoiding detection.
Notably, while the servers used in the first and second stages of the operation are no longer active, that’s not the case with the third-stage command servers.
“The third-stage infrastructure is still active,” says Livelli. “Which [systems] it’s in, that I can’t tell you.”
Livelli says he believes that, like the test run the hackers conducted with the Sunburst backdoor in October 2019, they probably also conducted test runs of the second- and third-stage malware.
“I suspect strongly, based on that precedent [in 2019] and the highly targeted nature of this campaign that the same thing was done with the [other malware],” he says. “We haven’t seen evidence of it, but I expect that to come as research continues.”
Could this explain the mysterious February 2020 activity on the globalnetworkissues[.]com and seobundlekit[.]com servers? Could those servers have been used to conduct a test run for the second-stage malware?
Livelli doesn’t venture a guess.
“All I can tell you is we see evidence of there being activity associated with the second-stage malware in February,” Livelli told Zero Day. “[A] group of intended targets was receiving malware at the end of February.”
With regard to the eighteen new servers RiskIQ has discovered, these were part of the operation’s second stage as well, with responsibility for delivering additional malware to systems already infected with the compromised SolarWinds software.
Finding these servers took extensive analysis, says Livelli, using RiskIQ’s tools for analyzing internet activity.
Researchers generally map a campaign’s infrastructure by tracking the IP addresses and domains used in the operation and looking for patterns in how and where they were registered, among other things. Nation-state groups, for example, will sometimes register servers in a cluster of activity before a campaign.
But in this case, the hackers assiduously avoided patterns to thwart investigators, which helped them remain undetected, prevented researchers from mapping their infrastructure once they were detected, and frustrated attribution. Although the U.S. government has attributed the campaign to Russia’s SVR (the hacking group the security industry tracks as APT 29), the hackers avoided techniques, patterns and servers that forensic investigators working for security companies would typically associate with the SVR or with other Russian nation-state hacking groups.
For example, they used different command-and-control servers for each victim and registered the servers and domains under different names and at different times over several years. And instead of purchasing new domains, they purchased existing domains through re-sellers and auctions, Livelli says. These domains were previously owned by legitimate people or businesses, which gave the domains legitimacy and history, making them seem less suspicious. Many of the domains also sat unused for a year or more after purchase, then they were put into service for only a short time in the SolarWinds hacking campaign before being quickly decommissioned once they served their purpose.
The hackers also changed up the location of their command servers. The ones used for the first stage of the campaign to communicate with the Sunburst backdoor, were all located inside the U.S. Some of the command servers used in the second stage of the operation to deliver more malware to victims were in the U.S., while others were outside the country. But nearly all of the servers used to deliver the third-stage malware were outside the U.S.
Despite all of these attempts at obfuscation, RiskIQ was able to spot patterns that led them to the eighteen new servers. This included patterns in the HTTP banner responses of the servers. A banner response reveals basic information about a server and its configuration to computers that contact it.
They also found a pattern in the SSL/TLS certificates the hackers used to encrypt traffic to and from their command servers. The majority of the certificates were issued by a company called Sectigo, and most were issued a week or more before they were deployed on servers, in some cases more than 40 days earlier. RiskIQ was then able to search for domains with matching banner responses that also used Sectigo certificates and met other criteria.
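The pivot described in the two paragraphs above (a shared HTTP banner fingerprint plus a certificate issuer and an issuance-to-deployment lead time) can be expressed as a simple hunting filter. The following is an added example written for this page, not RiskIQ’s tooling or the campaign’s actual data: every hostname, header, issuer string and date below is constructed, and the seven-day threshold is taken from the article’s “a week or more” observation. It generalizes slightly beyond the text in that the issuer and lead-time threshold are parameters, so the same filter can be rerun with other criteria.

```python
"""Added example: pivot from known C2 hosts to candidates that share a banner
fingerprint and match a certificate issuer / lead-time pattern.

All observations below are constructed for illustration (assumed data)."""
from dataclasses import dataclass
from datetime import date
import hashlib


@dataclass
class HostObservation:
    host: str
    banner_headers: dict       # response headers as a scanner saw them (order kept)
    cert_issuer: str           # issuer organisation on the leaf certificate
    cert_not_before: date      # certificate validity start, i.e. issuance date
    first_seen_serving: date   # first date the certificate was seen on this host


def banner_fingerprint(headers: dict) -> str:
    """Hash the stable part of a banner response.

    Header names, values and their order form the pattern; per-request headers
    (Date, Content-Length, ...) are dropped so they do not break matching."""
    volatile = {"date", "content-length", "etag", "last-modified", "set-cookie"}
    stable = [(k.lower(), v) for k, v in headers.items() if k.lower() not in volatile]
    canonical = "\n".join(f"{k}: {v}" for k, v in stable)
    return hashlib.sha256(canonical.encode()).hexdigest()[:16]


def cert_lead_days(obs: HostObservation) -> int:
    """Days between certificate issuance and the certificate first appearing on the host."""
    return (obs.first_seen_serving - obs.cert_not_before).days


def find_candidates(known_c2, population, issuer="Sectigo", min_lead_days=7):
    """Return hosts outside the known set whose banner fingerprint matches a known
    C2 and whose certificate issuer and lead time fit the observed pattern."""
    known_fps = {banner_fingerprint(o.banner_headers) for o in known_c2}
    known_hosts = {o.host for o in known_c2}
    hits = []
    for obs in population:
        if obs.host in known_hosts:
            continue
        if banner_fingerprint(obs.banner_headers) not in known_fps:
            continue
        if issuer.lower() not in obs.cert_issuer.lower():
            continue
        if cert_lead_days(obs) < min_lead_days:
            continue
        hits.append(obs.host)
    return sorted(hits)


# Constructed sample data (assumed, not real infrastructure).
COMMON_BANNER = {"Server": "nginx", "Content-Type": "text/html", "Connection": "close"}
KNOWN_C2 = [
    HostObservation("known-c2-1.example", dict(COMMON_BANNER), "Sectigo Limited",
                    date(2020, 1, 10), date(2020, 2, 27)),
    HostObservation("known-c2-2.example", dict(COMMON_BANNER), "Sectigo Limited",
                    date(2020, 4, 2), date(2020, 4, 30)),
]
POPULATION = KNOWN_C2 + [
    # same banner, Sectigo, issued 41 days before deployment: matches the pattern
    HostObservation("candidate-a.example", dict(COMMON_BANNER), "Sectigo Limited",
                    date(2020, 2, 1), date(2020, 3, 13)),
    # same banner and issuer, but only a 2-day lead: below the threshold
    HostObservation("candidate-b.example", dict(COMMON_BANNER), "Sectigo Limited",
                    date(2020, 5, 1), date(2020, 5, 3)),
    # same banner, different issuer
    HostObservation("benign-c.example", dict(COMMON_BANNER), "Let's Encrypt",
                    date(2020, 3, 1), date(2020, 3, 20)),
    # Sectigo with a long lead, but a different banner fingerprint
    HostObservation("benign-d.example", {"Server": "Apache", "Content-Type": "text/html"},
                    "Sectigo Limited", date(2020, 1, 1), date(2020, 3, 1)),
]

if __name__ == "__main__":
    print(find_candidates(KNOWN_C2, POPULATION))
```

On real scan data the banner match is the weak link: a common default configuration will fingerprint identically across thousands of unrelated hosts, so the certificate criteria and the domain-history checks the article describes (re-sold domains left idle before use) are what shrink the candidate set to something an analyst can review.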
Livelli says that although most security firms have closed their SolarWinds investigations at this point, he still expects new malware will be found.
“We strongly suspect that there is other malware associated with this campaign that has not yet come to light,” he told Zero Day. And this would likely mean there are also additional command servers to be found as well.