On Wednesday, Microsoft provided additional insights into the methodologies employed by the attackers behind the SolarWinds breach, one of the most intricate cybersecurity incidents in recent history. This deeper understanding is crucial as cybersecurity firms endeavor to gain a more definitive grasp of the attack’s sophisticated nature.
Describing the attackers as “meticulous and methodically adept,” Microsoft noted that they strategically designed the initial backdoor, known as Sunburst or Solorigate, along with subsequent implants, Teardrop and Raindrop, to operate as independently as possible. This separation was intended to complicate detection efforts.
The research team from Microsoft 365 Defender Research, Microsoft Threat Intelligence Center (MSTIC), and Microsoft Cyber Defense Operations Center (CDOC) emphasized the meticulous planning and execution behind the Solorigate attack, which allowed the perpetrators to remain elusive while ensuring their continued access.
While the precise identities of the groups referred to as StellarParticle (CrowdStrike), UNC2452 (FireEye), SolarStorm (Palo Alto Networks), and Dark Halo (Volexity) remain undisclosed, U.S. government officials have previously linked the espionage operation to a suspected Russian origin.
Complex Techniques for Evasion
According to Microsoft’s documented timeline, the fully operational Sunburst DLL backdoor was compiled and deployed onto SolarWinds’ Orion platform on February 20, leading to its distribution through compromised updates in late March. Following an extensive reconnaissance phase that lasted nearly two months, the attackers gathered intelligence without being detected, setting the stage for deploying Cobalt Strike implants in May and removing Sunburst from SolarWinds’ build environment by June 4.
Despite careful planning, Microsoft indicated that determining the specifics of the transition from Sunburst to Raindrop has remained elusive. Notably, the attackers seemed to separate the execution of the Cobalt Strike loader from the SolarWinds processes as a significant operational security (OpSec) measure. This tactic was designed to shield the compromised SolarWinds binary from detection, thus protecting the integrity of the supply chain attack from which it originated.
Microsoft reported that the attack utilized multiple vectors but fundamentally relied on the trojanized SolarWinds software at its core. The compromise featured several layers of operational security, such as employing unique Cobalt Strike DLL implants on individual systems, disguising malicious tools to resemble existing files on the affected machines, and manipulating event logging settings to evade scrutiny during active exploitation.
The attackers also created tailored firewall rules to limit outgoing traffic during noisy network activity, so that their reconnaissance blended into the network’s normal traffic. They executed lateral movement only after disabling security services on target machines, and reportedly used timestomping to alter the timestamps of certain artifacts, further concealing their activity.
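As an added illustration (not code from Microsoft’s report or from this article), the Python sketch below shows how a defender might look for the staging pattern just described in Windows event logs: audit-logging tampering, a new firewall rule and a stopped security service on one host shortly before a network logon. The simplified log layout, the security-service name list and the thresholds are assumptions for the example; the sample lines are constructed.

```python
import re
from datetime import datetime, timedelta
from collections import defaultdict

# Constructed sample lines (not real telemetry from the incident), in an
# assumed simplified "timestamp host event_id message" layout.
SAMPLE_LOGS = """\
2020-05-04T10:02:11Z HOST-A 4719 System audit policy was changed
2020-05-04T10:02:40Z HOST-A 4946 A change has been made to Windows Firewall exception list. A rule was added
2020-05-04T10:03:05Z HOST-A 7036 The Windows Defender Antivirus Service service entered the stopped state
2020-05-04T10:05:30Z HOST-A 4624 An account was successfully logged on Logon Type 3
2020-05-04T11:00:00Z HOST-B 7036 The Print Spooler service entered the stopped state
2020-05-04T11:01:00Z HOST-B 4624 An account was successfully logged on Logon Type 3
2020-05-05T09:00:00Z HOST-C 1102 The audit log was cleared
"""
LINE_RE = re.compile(r"^(\S+) (\S+) (\d+) (.*)$")
SECURITY_SERVICE = re.compile(r"Defender|Sense|Sysmon", re.I)  # assumed name list
# Windows Security log IDs: 4719 audit policy changed, 1102 log cleared, 4946 rule added
SIMPLE = {"4719": "logging tampered", "1102": "logging tampered", "4946": "firewall rule added"}

def classify(event_id, msg):
    """Map one event to an OpSec step from the article, or None if irrelevant."""
    if event_id in SIMPLE:
        return SIMPLE[event_id]
    if event_id == "7036" and "stopped" in msg and SECURITY_SERVICE.search(msg):
        return "security service stopped"   # System log: service entered stopped state
    if event_id == "4624" and "Logon Type 3" in msg:
        return "network logon"              # remote (network) logon to this host
    return None

def find_staged_hosts(log_text, window=timedelta(hours=1), min_steps=2):
    """Return (host, steps) where >= min_steps distinct OpSec steps precede a
    network logon within `window`: staging before lateral movement."""
    events = defaultdict(list)
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%SZ")
        kind = classify(m.group(3), m.group(4))
        if kind:
            events[m.group(2)].append((ts, kind))
    flagged = []
    for host, evs in events.items():
        evs.sort()
        for i, (ts, kind) in enumerate(evs):
            if kind != "network logon":
                continue
            prior = {k for t, k in evs[:i] if ts - t <= window and k != "network logon"}
            if len(prior) >= min_steps:
                flagged.append((host, sorted(prior)))
                break
    return flagged
```

On the constructed input only HOST-A is flagged: HOST-B stops a non-security service and HOST-C clears its log without a subsequent logon, so neither crosses the threshold.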
Integrating Security Frameworks
Microsoft characterized the SolarWinds attack as both advanced and commonplace, pointing out that while the overall strategy was complex, many of the employed tactics were not uncommon in cyberattacker toolkits. Microsoft advocates that to mitigate similar threats moving forward, organizations should consider adopting a “zero trust mentality.” This approach stresses the importance of minimal privilege access and the implementation of multi-factor authentication.
Alex Weinert, Director of Identity Security at Microsoft, stated that the attackers exploited broad access permissions that often went beyond what the affected roles required, which significantly weakened organizational security. As businesses increasingly confront sophisticated threats, adopting robust security measures becomes essential to minimizing risk and preventing future breaches.