Posted on Feb 25, 2021
On December 18, 2020, SecurityScorecard was the first company to publish original research finding, amongst other things, that the SolarWinds attack began in October 2019, at least 5 months earlier than initially suspected. Subsequently, Microsoft and Palo Alto Networks each validated and have continued to validate our findings.
SecurityScorecard’s Investigations & Analysis Team continues to conduct research to learn as much as possible about the attacker and identify additional victims or potential victims before they are attacked. Our additional research has concluded the following:
We have included a short FAQ section at the end to further clarify our ongoing research.
SecurityScorecard undertook its own investigation of the SolarWinds attack beginning in December 2020 to improve our ability to identify malicious activity for the benefit of the millions of organizations we rate. We are publishing our findings again because information-sharing is critical to improve the country’s defensive capabilities.
The SolarWinds attack occurred in two stages. First, the attacker placed a piece of malware now known as SUNBURST within the SolarWinds updates for its Orion platform (SolarWinds.Orion.Core.BusinessLayer.dll). This malware was downloaded by SolarWinds customers and allowed to install itself on the victims’ systems due to its valid security certificate.
SUNBURST performed basic reconnaissance for the attacker, identifying systems that were of interest to the attacker. The attacker was then able to use a customized dropper, TEARDROP – a malicious DLL (dynamic link library) file that is delivered via the SUNBURST Trojan as one of the payloads – to install a similarly customized version of a common tool called Cobalt Strike on the systems of interest. Cobalt Strike, which is used by ethical hackers and criminals alike, allowed the attacker to find and exfiltrate data of interest from the victims’ systems.
In this case, we identified that the method for implementing a stream cipher algorithm to encrypt Cobalt Strike is unique (i.e., this is not taken from a common Windows library). Further, Cobalt Strike is encrypted via an XOR based stream cipher as a buffer inside the TEARDROP malware binary. The buffer is decrypted and loaded into memory on the targeted victim’s system using a stream cipher algorithm. The beacon now essentially lives in memory without ever touching the system’s hard drive (also known as a FileLess attack). Additionally, this stream cipher code is a unique implementation by the malware author that also indicates another unique fingerprint we can track. As we analyzed the malware further, we found that the way Cobalt Strike is loaded into Windows process memory depends on the CPU architecture (x86 or x64). For 64bit systems it is loaded directly into %windir%\sysnative\print.exe that is found to be a legitimate Windows process.
This technique of process injection is typically used by malware droppers to hide subsequent code in trusted processes. This is notable since the malware was implanted through expected SolarWinds updates using a valid SolarWinds digitally authenticated certificate. The attacker took advantage of the trust model implicit in signed software certificates. The “valid” certificate allowed the attackers to be a step ahead since the victims’ security controls would not flag the TEARDROP implant as malicious and exfiltration traffic from the SolarWinds servers. Instead, it was seen as legitimate and expected behavior by SolarWinds software. The digital certificate system is a trust mode, but it may be time to move to a “trust but verify” model using sumchecking technology, and to verify that software contains only that code which the software builder has created.
SecurityScorecard traced back the existence of TEARDROP-related code to at least 2017, according to executable file timestamps and in-the-wild submission dates on publicly available malware analysis platforms. This suggests that TEARDROP was not created primarily for use in the SolarWinds attack, rather this implant has been used in previous unknown operations.
Malware creation time-stamp data (from VirusTotal)
We wanted to better understand who the victims of this attack were and where they were located as this would provide more geo-political insight into the potential motivations of the attacker. We examined DNS requests and NetFlow information to understand the connections made to the known TEARDROP command and control (C2) infrastructure. Again, APT actors often reuse infrastructure so the traffic signature of the C2 infrastructure could provide additional attribution evidence.
From our analysis of DNS requests made to the known TEARDROP malware C2 infrastructure, it was clear that an overwhelming majority of the connections originated from infected systems within the United States. Since SolarWinds claimed to have over 250,000 customers globally, this prevalence in the United States demonstrates motivation in the placement of the second stage implant and allows us to infer that the attacker was interested in U.S.-based organizations.
Network connection requests to TEARDROP C2s
The value of attribution is to understand the adversary’s intent and capabilities. This helps organizations to properly identify anomalous activity, understand the impact, and implement defensive measures to mitigate the risk.
When analyzing any malware, we often look for unique code or the implementation of shared code to look for unique fingerprints. Nevertheless, attribution is difficult and technical data alone does not always indicate who is behind the attacks. The elements of code DNA in common with TEARDROP that were discovered previously are similar in construction to other custom droppers used by known Russian APT groups. While code and implant re-usage is commonplace in APT operations, threat groups also appropriate code from other actors. This makes attribution to a particular actor extremely difficult and sometimes unreliable. Further, it is becoming more commonplace for threat actors to implement false flags in their attacks, intended to throw off investigators.
An analysis of the code DNA indicates that the following samples contain TEARDROP code:
Typically, a collaboration of all evidence points such as code DNA, IP infrastructure, strategic and geopolitical aspects of the campaign can help to solidify attribution. Even with the convergence of all available forensic evidence, without seeing an individual’s fingers on the keyboard, definitive attribution can be difficult to make. In this operation, all of the available evidence points towards a single Russian APT group. While there has been national reporting of a separate campaign by a Chinese APT actor leveraging vulnerabilities with SolarWinds products, we do not have any evidence that would support such a finding. The evidence that we have analyzed, the code DNA of TEARDROP, the targeting of the
Q: How many SolarWinds customers received the TEARDROP payload?
A: Our data from connection analysis (network flow) indicates that a minimum of 400 entities were impacted. Meaning these entities made connections to TEARDROP C2s between November 2019 to December 2019 from our analysis.
Q: How was the tracing of the existence of TEARDROP conducted?
A: We traced the existence of TEARDROP implants based on several factors:
Q: What is the significance of the Teardrop components being reused from 2017?
A: The significance can be interpreted in two ways:
Q: Can you identify more victims than have already been publicly identified?
A: We believe it is counterproductive to publicly identify specific companies that are victims of malicious attacks and espionage.
Vendor management is the process an organization utilizes to assess and manage a third- or fourth-party vendor. Learn how SecurityScorecard can help.
Performing cybersecurity risk assessments is a key part of any organization’s information security management program. Read our guide.
Templates and vendor evaluations are needed to level that playing field, in a time efficient and fair way, so that the best vendors are chosen.
Co-founder and CEO, Alex Yampolskiy, speaks about the importance of measuring and acting on key indicators of cybersecurity risk.
You’ve invested in cybersecurity, but are you tracking your efforts? Check out our list of 20 cybersecurity KPIs you should track. Read more.
No waiting, 100% Free
Get your free scorecard and learn how you stack up across 10 risk categories. Answer a few simple questions and we'll instantly send your score to your business email.