The SolarWinds cyberattack, which came to light last December, has been recognized for the intricate methods used to penetrate targeted systems and maintain a presence within them. Microsoft has characterized the threat actors involved as “skillful and methodic operators” who consistently applied operational security best practices to evade detection.

Recent research has uncovered evidence that the actors meticulously planned each phase of the attack to avoid leaving detectable patterns, which complicates forensic investigation. By analyzing telemetry linked to known indicators of compromise, RiskIQ identified an additional 18 servers that, with high confidence, communicated with the secondary Cobalt Strike payloads delivered by the TEARDROP and RAINDROP loaders, a notable expansion of the attacker’s known command-and-control footprint.

These findings follow the formal attribution of the supply chain breach to the Russian Foreign Intelligence Service (SVR) by U.S. intelligence agencies. The compromise of SolarWinds software reportedly enabled the group known as APT29, also referred to as Cozy Bear, to spy on or disrupt over 16,000 computer systems globally.

Within the cybersecurity community, a number of names have surfaced to track these attacks, including UNC2452, Nobelium, SolarStorm, StellarParticle, and Dark Halo. The proliferation of designations reflects the fact that the tactics, techniques, and procedures observed in this campaign did not cleanly match the profiles of known adversaries, APT29 in particular, so different vendors tracked the activity under their own cluster names.

RiskIQ’s research indicates that organizations accustomed to detecting known APT29 activity would likely have failed to recognize this campaign, either as it unfolded or in retrospect. This aligns with earlier observations that the first-stage backdoor, SUNBURST, and the second-stage loaders, TEARDROP and RAINDROP, were engineered to operate as independently as possible, so that detecting one stage would neither expose the others nor reveal the underlying SolarWinds compromise.

RiskIQ’s analysis has shed light on several tactics APT29 employed to cover its tracks. The group purchased domains through third-party resellers and auction platforms to obscure ownership. Its first-stage infrastructure was hosted almost exclusively in the U.S., while later stages moved primarily to hosting outside the U.S., a split designed to complicate attribution. The group also varied its malware significantly between stages, avoiding shared signatures and patterns that could tie the stages together.

Furthermore, the first-stage SUNBURST backdoor was designed to lie dormant for roughly two weeks after installation and then beacon to its command-and-control servers at randomly jittered intervals, likely to outlast the retention window of event logs on many endpoint detection and response (EDR) systems. In MITRE ATT&CK terms this is persistence paired with defense evasion: the dormancy hides the implant until the baseline logs around its installation have aged out, and the jitter defeats detection that keys on a fixed beacon period.
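The jitter described above is the reason a detector that looks for a fixed beacon period misses this kind of implant. The script below is an added example, not RiskIQ's or the article's code, showing a jitter-tolerant alternative: it groups proxy-style log lines by (source, destination), measures how tightly the inter-arrival times cluster around their median, and flags pairs whose spread stays small over many events. The log format, hostnames, thresholds and sample traffic are all constructed assumptions.

```python
"""
Jitter-tolerant beacon detection over constructed proxy-style log lines.

Added example, not code from RiskIQ or the original article. An implant that
beacons at randomised intervals defeats a fixed-period check, so instead we
score the spread of inter-arrival times per (src, dst) pair using
MAD / median (median absolute deviation over the median gap). Real beacons
with +/-20% jitter score around 0.1; ordinary browsing scores near or above 1.
Log format, hostnames and thresholds are assumptions made for this example.
"""
from collections import defaultdict
from datetime import datetime, timedelta
import statistics

# Constructed gap sequences (seconds between consecutive events).
# Beacon: nominal 1-hour period with roughly +/-20% jitter, 20 gaps -> 21 events.
BEACON_GAPS = [3540, 4110, 3020, 3890, 3660, 3310, 4260, 2950, 3710, 3460,
               3980, 3150, 3820, 3590, 4030, 3240, 3700, 3420, 3960, 3080]
# Irregular user traffic: bursts of seconds mixed with long idle periods.
IRREGULAR_GAPS = [2, 15, 900, 4, 3600, 30, 7, 240, 1, 120, 5400, 12]

_BASE = datetime(2020, 12, 15, 8, 0, 0)  # arbitrary start time for the sample


def _build(src, dst, gaps):
    """Expand a gap list into 'ISO-timestamp src dst' log lines (constructed)."""
    t = _BASE
    lines = [f"{t.isoformat()} {src} {dst}"]
    for g in gaps:
        t += timedelta(seconds=g)
        lines.append(f"{t.isoformat()} {src} {dst}")
    return lines


# Constructed sample log: one beaconing host, one browsing host, and one
# pair with too few events to judge.
SAMPLE_LOG = (
    _build("10.0.0.5", "beacon-dst.example", BEACON_GAPS)
    + _build("10.0.0.9", "cdn.example", IRREGULAR_GAPS)
    + _build("10.0.0.5", "intranet.example", [45, 3600])
)


def parse_line(line):
    """Parse 'ISO-timestamp src dst' into (datetime, src, dst)."""
    ts, src, dst = line.split()
    return datetime.fromisoformat(ts), src, dst


def find_beacons(lines, min_events=8, max_spread=0.35):
    """Return {(src, dst): (median_gap_s, spread, event_count)} for pairs whose
    inter-arrival times cluster tightly.

    spread = MAD / median. A uniform +/-20% jitter gives a spread of about 0.1,
    so max_spread=0.35 tolerates far more jitter than that while still
    rejecting bursty or idle-heavy traffic. min_events keeps one-off lookups
    from being scored at all; note that the observation window must be longer
    than the implant's dormancy plus min_events periods, or nothing is seen.
    """
    times = defaultdict(list)
    for line in lines:
        ts, src, dst = parse_line(line)
        times[(src, dst)].append(ts)

    hits = {}
    for key, ts_list in times.items():
        if len(ts_list) < min_events:
            continue
        ts_list.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(ts_list, ts_list[1:])]
        med = statistics.median(gaps)
        if med <= 0:
            continue
        mad = statistics.median(abs(g - med) for g in gaps)
        spread = mad / med
        if spread <= max_spread:
            hits[key] = (med, spread, len(ts_list))
    return hits


if __name__ == "__main__":
    for (src, dst), (med, spread, n) in find_beacons(SAMPLE_LOG).items():
        print(f"{src} -> {dst}: median {med:.0f}s, spread {spread:.2f}, {n} events")
```

Run against the constructed sample, only the 10.0.0.5 to beacon-dst.example pair is reported (median gap 3625 s, spread about 0.09); the browsing host scores a spread near 0.9 and the two-event intranet pair is never evaluated. The caveat the dormancy imposes is in `min_events`: the detector needs a window that covers the quiet period plus several beacon cycles, so log retention shorter than a few weeks leaves nothing for it to score.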

Identifying a threat actor’s infrastructure typically relies on correlating IP addresses and domains with known campaigns so that patterns emerge. The steps APT29 took suggest a deliberate effort to prevent such patterns from forming in the first place, leaving defenders with far less to pivot on.
