Microsoft on Wednesday shared more details about the tactics, techniques, and procedures (TTPs) adopted by the attackers behind the SolarWinds hack to stay under the radar and avoid detection, as cybersecurity companies work toward a “clearer picture “from one of the most sophisticated attacks in recent history.
Calling the threat actor “skilled and well-organized operators following operations security best practices (OpSec),” the company said the attackers went out of their way to ensure the initial backdoor (Sunburst aka Solorigate) and The post-compromised implants (Teardrop and Mae Raindrop) are separated as much as possible to prevent attempts to identify their malicious activity.
“The attackers behind Solorigate are skilled campaign operatives who carefully planned and executed the attack, remaining difficult while maintaining perseverance,” said researchers from Microsoft 365’s Defense Research Team, Microsoft’s Threat Intelligence Center (MSTIC) , and Microsoft’s Cyber Defense Operations Center (CDOC).
Although the exact identities of the tracked group like StellarParticle (CrowdStrike), UNC2452 (FireEye), SolarStorm (Unit 42 Palo Alto 42), and Dark Halo (Volexity) remain unknown to date, the US government made Earlier this month the espionage campaign formally tied up a group likely of Russian origin.
Variety of Tactics to Stay Undetected
Microsoft’s timeline of the attacks shows that the fully functional Sunburst DLL outdoors was compiled and deployed on the Orion SolarWinds platform on February 20, and was subsequently distributed as interrupting updates sometime in late March .
A nearly two-month reconnaissance period to profile its targets – something that requires stealth persistence to remain undetected and gather valuable information – paved the way for the use of Cobalt Strike implants on selected victim networks in May and removal of Sunburst from SolarWinds builds environment on June 4.
But few definitive clues have found answers about how and when the transition from Sunburst to Raindrop is, even if the attackers appear to have deliberately separated the Cobalt Strike loader operation from the SolarWinds process as an OpSec measure.
The idea is that if the Cobalt Strike implants were discovered on target networks, it would not reveal the threatened SolarWinds binary and the supply chain attack that led to its deployment in the first place.
The findings also make it clear that while hackers rely on a variety of attack vectors, the core of the espionage operation was trojanized SolarWinds software:
- Avoid methodically shared indicators for all threatened hosts by using Cobalt Strike DLL implants on all systems
- Camouflage malicious tools and binaries to mimic existing files and programs on the compromised machine
- Disables event logging using AUDITPOL before hands-on keyboard activity and enables it back on completion
- Create special firewall rules to reduce outgoing packets for certain protocols before running noisy network numbering activities that were later removed after the network survey
- Perform lateral removal activities only after disabling security services on targeted guests
- Allegedly using timestomping to change schedules of artefacts and triggering equipment drying procedures to prevent malicious DLL implants from being discovered
Adopt a Trust Thinking None
“This attack was at once sophisticated and widespread,” Microsoft said. “The actor demonstrated sophistication in the breadth of tactics used to penetrate, expand across, and persist in affected infrastructure, but many of the tactics, techniques and procedures (TTPs) were individually common.”
To protect against such attacks in the future, the company recommends that organizations adopt a “no-trust mentality” to ensure least privileged access and minimize risks by enabling multi-factor authentication.
“With Solorigate, the attackers took advantage of broad-role assignments, permissions that exceeded role requirements, and in some cases left accounts and applications that should have had no permissions at all,” said Alex Weinert, Microsoft’s identity security director.