On December 18, 2020, SecurityScorecard was the first company to publish original research finding, amongst other things, that the SolarWinds attack began in October 2019, at least 5 months earlier than initially suspected. Subsequently, Microsoft and Palo Alto Networks each validated and have continued to validate our findings.
SecurityScorecard’s Investigations & Analysis Team continues to conduct research to learn as much as possible about the attacker and identify additional victims or potential victims before they are attacked. Our additional research has concluded the following:
- The attack occurred in two stages. The first stage was for reconnaissance purposes. The second stage of this attack involved a malware called TEARDROP, which was loaded into the targeted victims’ environment and used to dynamically search and profile the victims’ systems and networks.
- SecurityScorecard traced the existence of TEARDROP back to at least 2017 based on malware creation dates. It was likely not created primarily for use in the SolarWinds attack.
- While we can’t identify specific victim organizations, the vast majority of victims (over 95%) were in the United States. Considering the global footprint of SolarWinds customers, this prevalence indicates the attackers’ motivation to target the U.S. and supports the view that the SolarWinds attack was an espionage campaign directed at the U.S. Government and private sector companies.
- SecurityScorecard’s research supports the conclusion of a single Advanced Persistent Threat (APT) group most likely of Russian origin.
We have included a short FAQ section at the end to further clarify our ongoing research.
How the Attack was Executed
- The SolarWinds attack occurred in two stages. First, the attacker placed a piece of malware now known as SUNBURST (or “Solarigate” as Microsoft refers to it) into SolarWinds' Orion platform and its associated products. At least 18,000 of their customers downloaded compromised versions of SolarWinds’ products for nearly a year, and at least 400 of them were victimized.
- The second stage of the attack involved a malware called TEARDROP, which was loaded into the targeted victims’ environment and used to dynamically search and profile the victims’ systems and networks.
- We conclude that the code base for TEARDROP was not created primarily for use in the SolarWinds attack. Rather, it was likely used in unknown previous operations. We traced the existence of TEARDROP to at least 2017. It has been found in publicly available compilations of malicious code discovered and shared by the security community.
SecurityScorecard undertook its own investigation of the SolarWinds attack beginning in December 2020 to improve our ability to identify malicious activity for the benefit of the millions of organizations we rate. We are publishing our findings again because information-sharing is critical to improve the country’s defensive capabilities.
The SolarWinds attack occurred in two stages. First, the attacker placed a piece of malware now known as SUNBURST within the SolarWinds updates for its Orion platform (SolarWinds.Orion.Core.BusinessLayer.dll). This malware was downloaded by SolarWinds customers and allowed to install itself on the victims’ systems because it carried a valid SolarWinds digital certificate.
SUNBURST performed basic reconnaissance for the attacker, identifying systems that were of interest to the attacker. The attacker was then able to use a customized dropper, TEARDROP – a malicious DLL (dynamic link library) file that is delivered via the SUNBURST Trojan as one of the payloads – to install a similarly customized version of a common tool called Cobalt Strike on the systems of interest. Cobalt Strike, which is used by ethical hackers and criminals alike, allowed the attacker to find and exfiltrate data of interest from the victims’ systems.
In this case, we identified that the stream cipher implementation used to encrypt Cobalt Strike is unique (i.e., it is not taken from a common Windows library). Cobalt Strike is stored as a buffer inside the TEARDROP malware binary, encrypted with an XOR-based stream cipher. On the targeted victim’s system the buffer is decrypted with that stream cipher and loaded into memory, so the beacon essentially lives in memory without ever touching the system’s hard drive (a so-called fileless attack). Because this stream cipher code is the malware author’s own implementation, it is another unique fingerprint we can track. As we analyzed the malware further, we found that the way Cobalt Strike is loaded into Windows process memory depends on the CPU architecture (x86 or x64). On 64-bit systems it is loaded directly into %windir%\sysnative\print.exe, which we found to be a legitimate Windows process.
This process injection technique is typically used by malware droppers to hide subsequent code inside trusted processes. This is notable because the malware was implanted through expected SolarWinds updates signed with a valid SolarWinds digital certificate. The attacker took advantage of the trust model implicit in signed software. The “valid” certificate kept the attackers a step ahead: the victims’ security controls did not flag the TEARDROP implant, or the exfiltration traffic from the SolarWinds servers, as malicious. Instead, it was seen as legitimate and expected behavior of SolarWinds software. The digital certificate system is a trust model, but it may be time to move to a “trust but verify” model using checksum verification, confirming that software contains only the code that the software builder has created.
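As an added illustration of the “trust but verify” check proposed above (this is example code, not SecurityScorecard’s or SolarWinds’ tooling), the following compares a delivered update against a hash manifest obtained from the builder through a separate channel. File names, contents and the manifest are all constructed for the demo; the point is that a signature only proves who signed the bytes, while a comparison against hashes of the builder’s own artifacts shows whether those bytes are the ones the builder produced.

```python
import hashlib

# Added example (not SecurityScorecard's or SolarWinds' code). File names and contents
# are constructed; MANIFEST stands in for a hash list published out of band by the builder.


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def verify_package(files: dict, manifest: dict) -> dict:
    """Compare a delivered package against an independently obtained manifest.

    files:    {filename: bytes} as unpacked from the delivered update
    manifest: {filename: sha256 hex} as published by the builder via a separate channel
    Reports: tampered (hash differs), unlisted (shipped but never built), missing.
    """
    tampered = sorted(n for n, blob in files.items()
                      if n in manifest and sha256_hex(blob) != manifest[n])
    unlisted = sorted(n for n in files if n not in manifest)
    missing = sorted(n for n in manifest if n not in files)
    return {
        "tampered": tampered,
        "unlisted": unlisted,
        "missing": missing,
        "ok": not (tampered or unlisted or missing),
    }


# Constructed "good" build, exactly as the builder produced it.
GOOD_BUILD = {
    "Example.Core.dll": b"legitimate core library bytes",
    "Example.Agent.exe": b"legitimate agent bytes",
}

# Manifest as the builder would publish it out of band: one hash per built file.
MANIFEST = {name: sha256_hex(blob) for name, blob in GOOD_BUILD.items()}

# Constructed delivered package: one file altered after the build, one extra file added.
DELIVERED = {
    "Example.Core.dll": b"legitimate core library bytes" + b"<bytes the builder never wrote>",
    "Example.Agent.exe": b"legitimate agent bytes",
    "Example.Helper.dll": b"file the builder never produced",
}

if __name__ == "__main__":
    print(verify_package(DELIVERED, MANIFEST))
    # -> tampered: Example.Core.dll, unlisted: Example.Helper.dll, ok: False
```

The check is only as good as the manifest’s provenance: a hash list shipped inside the same update channel would simply be regenerated by whoever tampered with the build, so the reference hashes have to come from the builder’s own (ideally reproducible) build output.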
SecurityScorecard traced the existence of TEARDROP-related code back to at least 2017, according to executable file timestamps and in-the-wild submission dates on publicly available malware analysis platforms. This suggests that TEARDROP was not created primarily for use in the SolarWinds attack; rather, this implant has been used in previous, unknown operations.
[Figure: Malware creation time-stamp data (from VirusTotal)]
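The “executable file timestamps” mentioned above are the COFF TimeDateStamp field in the PE header. As an added example (not SecurityScorecard’s tooling), the code below reads that field from a PE image and then corroborates it with an independent first-seen date, the way the paragraph pairs compile timestamps with submission dates: the field is written by the builder and can be zeroed or forged, so on its own it proves nothing. The sample PE bytes and dates are constructed for the demo.

```python
import struct
from datetime import datetime, timezone

# Added example (not SecurityScorecard's code): extract the PE compile timestamp and
# sanity-check it against an independently observed first-seen date.


def pe_timestamp(data: bytes) -> datetime:
    """Return the COFF TimeDateStamp of a PE image as a UTC datetime."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("not a PE file: missing MZ header")
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)        # offset of "PE\0\0"
    if e_lfanew + 24 > len(data) or data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE file: bad PE signature")
    # COFF header layout: Machine(2) NumberOfSections(2) TimeDateStamp(4) ...
    (ts,) = struct.unpack_from("<I", data, e_lfanew + 8)
    return datetime.fromtimestamp(ts, tz=timezone.utc)


def assess_timestamp(compile_time: datetime, first_seen: datetime) -> str:
    """Corroborate a compile timestamp with a first-seen date (e.g. a sandbox submission).

    "zeroed": the builder wiped the field, it carries no information.
    "implausible": claims to be compiled after it was already observed, so it is forged.
    "plausible": consistent with the observation; still only a hint, never proof.
    """
    if compile_time.timestamp() == 0:
        return "zeroed"
    if compile_time > first_seen:
        return "implausible"
    return "plausible"


def build_sample_pe(ts: int, machine: int = 0x8664) -> bytes:
    """Constructed minimal PE header (DOS header + signature + COFF header) for the demo;
    it is not a real or loadable executable."""
    dos = bytearray(0x40)
    dos[0:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)   # e_lfanew: PE signature right after DOS header
    coff = struct.pack("<HHIIIHH", machine, 1, ts, 0, 0, 0, 0x2022)
    return bytes(dos) + b"PE\0\0" + coff


if __name__ == "__main__":
    sample = build_sample_pe(1497484800)                        # constructed: 2017-06-15 UTC
    compiled = pe_timestamp(sample)
    first_seen = datetime(2017, 9, 1, tzinfo=timezone.utc)      # constructed submission date
    print(compiled.isoformat(), assess_timestamp(compiled, first_seen))
```

In practice the timestamp is one input among several; the submission date on a public analysis platform is the harder-to-forge anchor, which is why the paragraph cites both.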
- The attackers targeted the U.S. and the U.S. government.
We wanted to better understand who the victims of this attack were and where they were located, as this would provide more geopolitical insight into the potential motivations of the attacker. We examined DNS requests and NetFlow information to understand the connections made to the known TEARDROP command and control (C2) infrastructure. Again, APT actors often reuse infrastructure, so the traffic signature of the C2 infrastructure could provide additional attribution evidence.
From our analysis of DNS requests made to the known TEARDROP malware C2 infrastructure, it was clear that an overwhelming majority of the connections originated from infected systems within the United States. Since SolarWinds claimed to have over 250,000 customers globally, this concentration in the United States shows that the placement of the second-stage implant was deliberate and allows us to infer that the attacker was interested in U.S.-based organizations.
[Figure: Network connection requests to TEARDROP C2s]
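As an added example of the NetFlow side of this analysis (example code, not SecurityScorecard’s own pipeline), the block below counts distinct source hosts that contacted known C2 addresses inside a time window and groups them by country. Every address is constructed from RFC 5737 documentation ranges and the prefix-to-country table stands in for a GeoIP database; none of these values are real indicators. Counting hosts rather than flows matters: a beacon that polls its C2 every minute is one victim, not many.

```python
import ipaddress
from collections import Counter
from datetime import datetime, timezone

# Added example (not SecurityScorecard's tooling). All addresses are constructed
# placeholders from documentation ranges, not real indicators of compromise.
KNOWN_C2 = {"203.0.113.10", "203.0.113.11"}

# Constructed prefix-to-country table standing in for a GeoIP database.
GEO_TABLE = [
    (ipaddress.ip_network("192.0.2.0/25"), "US"),
    (ipaddress.ip_network("192.0.2.128/26"), "GB"),
    (ipaddress.ip_network("192.0.2.192/26"), "DE"),
]

# Constructed NetFlow-style export: timestamp,src_ip,dst_ip,dst_port
SAMPLE_FLOWS = """\
2019-11-04T09:12:00Z,192.0.2.5,203.0.113.10,443
2019-11-04T09:13:00Z,192.0.2.5,203.0.113.10,443
2019-11-09T22:40:00Z,192.0.2.70,203.0.113.11,443
2019-11-21T03:15:00Z,192.0.2.130,203.0.113.10,443
2019-12-02T11:00:00Z,192.0.2.8,203.0.113.10,443
2019-12-15T17:45:00Z,192.0.2.9,203.0.113.11,443
2019-12-15T17:46:00Z,192.0.2.9,198.51.100.1,80
2020-01-03T08:00:00Z,192.0.2.200,203.0.113.10,443
"""


def _parse_ts(s: str) -> datetime:
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def geolocate(ip: str) -> str:
    """Map an address to a country code via the longest-prefix-free lookup table above."""
    addr = ipaddress.ip_address(ip)
    for net, cc in GEO_TABLE:
        if addr in net:
            return cc
    return "??"


def c2_sources_by_country(flow_text: str,
                          start: str = "2019-11-01T00:00:00Z",
                          end: str = "2020-01-01T00:00:00Z") -> Counter:
    """Distinct source hosts that contacted a known C2 inside [start, end), by country.

    Deduplicating on source address approximates 'entities impacted'; repeated
    beacon check-ins from one host are counted once.
    """
    lo, hi = _parse_ts(start), _parse_ts(end)
    victims = set()
    for line in flow_text.splitlines():
        ts, src, dst, _port = line.split(",")
        if dst in KNOWN_C2 and lo <= _parse_ts(ts) < hi:
            victims.add(src)
    return Counter(geolocate(ip) for ip in victims)


def share(counts: Counter, country: str) -> float:
    """Fraction of counted hosts located in the given country."""
    total = sum(counts.values())
    return counts[country] / total if total else 0.0


if __name__ == "__main__":
    by_country = c2_sources_by_country(SAMPLE_FLOWS)
    print(by_country, f"US share: {share(by_country, 'US'):.0%}")
```

The window here is the November to December 2019 period the FAQ below uses; the flow dated January 2020 and the flow to a non-C2 destination are both ignored, which is what keeps the count an estimate of infected entities rather than of all traffic.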
Short List of Suspects
- Upon review of the currently available forensic technical data and the observed Tactics, Techniques, and Procedures (TTPs) of the attacker, we believe that this attacker was Russian in origin, based on the specific code reused in the primary dropper TEARDROP and the targeted nature of the victims.
- Others in the community have connected elements of TEARDROP to a Russian APT group, and we have no reason to believe that is inaccurate.
- To date, we have identified only this singular campaign with no evidence of additional APT groups being involved.
- We did not find any evidence that would suggest that the malware involved was linked to cyber-crime operators.
- We cannot rule out the possibility of false flags introduced by the threat actor to make the operation look like another group was responsible.
- From a link analysis perspective, some of the infrastructure overlapped with other types of threats, but APTs often use shared infrastructure (e.g., hosting on or utilizing cyber-criminal infrastructure).
The value of attribution is to understand the adversary’s intent and capabilities. This helps organizations to properly identify anomalous activity, understand the impact, and implement defensive measures to mitigate the risk.
When analyzing any malware, we look for unique code, or a unique implementation of shared code, that can serve as a fingerprint. Nevertheless, attribution is difficult, and technical data alone does not always indicate who is behind an attack. The elements of code DNA that TEARDROP shares with previously discovered samples are similar in construction to other custom droppers used by known Russian APT groups. While code and implant reuse is commonplace in APT operations, threat groups also appropriate code from other actors, which makes attribution to a particular actor extremely difficult and sometimes unreliable. Further, it is becoming more common for threat actors to plant false flags in their attacks, intended to throw off investigators.
An analysis of the code DNA indicates that the following samples contain TEARDROP code:
Typically, the combination of all evidence, such as code DNA, IP infrastructure, and the strategic and geopolitical aspects of the campaign, helps to solidify attribution. Even with the convergence of all available forensic evidence, without seeing an individual’s fingers on the keyboard, definitive attribution can be difficult to make. In this operation, all of the available evidence points towards a single Russian APT group. While there has been national reporting of a separate campaign by a Chinese APT actor leveraging vulnerabilities in SolarWinds products, we do not have any evidence that would support such a finding. The evidence that we have analyzed, the code DNA of TEARDROP, the targeting of the
Frequently Asked Questions
Q: How many SolarWinds customers received the TEARDROP payload?
A: Our connection analysis (network flow) data indicates that a minimum of 400 entities were impacted, meaning that, in our analysis, these entities made connections to TEARDROP C2s between November 2019 and December 2019.
Q: How was the tracing of the existence of TEARDROP conducted?
A: We traced the existence of TEARDROP implants based on several factors:
- Code relationship analysis (do the public IOCs for TEARDROP match any other, previously unattributed samples?). This is essentially a DNA analysis, pivoting from public IOCs to suspected samples; in this case we found code overlaps with samples compiled in 2017 and 2018, indicating that these other TEARDROP variants used code found in the publicly known versions.
- Command and control infrastructure registered in late 2018 / early 2019.
- Other Open Source Intelligence (OSINT) mapped to private intelligence collections.
Q: What is the significance of the TEARDROP components being reused from 2017?
A: The significance can be interpreted in two ways:
- That the planning and execution of the SolarWinds attack occurred much earlier than the established dates (as is often the case with APT intrusions), which would support Microsoft’s position that this attack required significant resources to execute.
- That the implant was originally used in previous, undisclosed APT attacks, which would indicate it was recycled for the SolarWinds attack. We are continuing to conduct research to discover any use of the TEARDROP components prior to SolarWinds.
Q: Can you identify more victims than have already been publicly identified?
A: We believe it is counterproductive to publicly identify specific companies that are victims of malicious attacks and espionage.