Recent investigations have revealed that the threat actor responsible for the SolarWinds supply chain compromise has significantly broadened its malware arsenal. The adversary has employed new tools and techniques dating back to 2019, underscoring its capability to maintain persistent access over prolonged periods. This level of stealth demonstrates the sophistication of the campaigns and the strategic planning involved.

According to insights from cybersecurity firm CrowdStrike, the Nobelium hacking group has utilized innovative tactics in its operations. Two advanced malware families have been identified in victim environments, namely a Linux variant of GoldMax and a newly developed implant labeled TrailBlazer, deployed well before the scale of the incidents became apparent to the cybersecurity community.

Nobelium, as designated by Microsoft, is widely known for its involvement in the December 2020 SolarWinds intrusion and is tracked under various aliases by the cybersecurity community, including UNC2452 and Dark Halo. The group has an extensive history of cyber espionage activity tied to the Russian state, specifically the Foreign Intelligence Service, and has been active since at least 2008.

GoldMax, also referred to as SUNSHUTTLE, is a Golang-based malware functioning as a command-and-control backdoor. This malware facilitates secure connections to remote servers, enabling the execution of commands on compromised systems. Notably, Mandiant has documented instances of Dark Halo utilizing this malware as early as August 2020, four months before SolarWinds disclosed the breach of its Orion platform.

The threat landscape further evolved when Kaspersky identified a derivative variant of the GoldMax backdoor, known as Tomiris, which targeted government entities in a CIS member state during late 2020 and early 2021. The latest revelations also highlight a previously undocumented Linux version of this malware that predates the other known samples employed on the Windows platform.

TrailBlazer, the second malware family identified alongside the Linux GoldMax variant, operates as a modular backdoor that gives the attackers a platform for cyber espionage. This tool disguises its command-and-control traffic as legitimate Google Notifications HTTP requests, making it harder to distinguish from benign outbound traffic.

In addition to sophisticated malware, the actor has exploited various other techniques to further their objectives. These include credential hopping to obscure lateral movement within networks, hijacking Office 365 Service Principals and Applications, and stealing browser cookies to bypass multi-factor authentication measures. The group has also engaged in repetitive domain credential theft over several months, employing techniques such as Mimikatz to ensure prolonged access from compromised hosts.

The evolving tactics associated with the StellarParticle campaign illustrate the actor’s extensive knowledge of both Windows and Linux operating systems, along with Microsoft Azure and Active Directory environments. The research community notes the adversary’s strategic patience and technical prowess, continuously evading detection for months, or even years, while executing their objectives.
