Microsoft Reports on Techniques Used by SolarWinds Hackers

Microsoft has released a report that details the techniques used by the SolarWinds threat actor. The attack included the use of malware delivery methods, anti-forensic behavior, and operational security (OPSEC).

If you are not caught up on all of the drama of the SolarWinds attack, check out our coverage of the unfolding events.

Microsoft's SolarWinds report

The threat actors behind the SolarWinds attack, who are believed to be sponsored by Russia, attacked in 2019. They used the malware strain Sundrop to put a backdoor, called Sunburst, into SolarWinds' Orion product.

Sunburst was delivered to thousands of organizations, though only a few hundred of interest to the hackers were targeted with several other pieces of malware. 

The hackers used loaders named Teardrop and Raindrop to deliver Cobalt Strike payloads to those victims.

Microsoft reports on how how the attackers were able to get Sunburst to the Cobalt Strike loaders, and how they kept the components separated as much as possible to avoid being detected:

"What we found from our hunting exercise across Microsoft 365 Defender data further confirms the high level of skill of the attackers and the painstaking planning of every detail to avoid discovery."

Microsoft also noted the attackers used an interesting technique that would ensure each compromised machine had unique indicators, like different Cobalt Strike DLL implants, folder and file names, C&C domains and IPs, HTTP requests, file metadata, and launched processes.

"Applying this level of permutations for each individual compromised machine is an incredible effort normally not seen with other adversaries and done to prevent full identification of all compromised assets inside a network or effective sharing of threat intel between victims."

It also included a list of actions and techniques used by the hackers:

• "Before running intensive and continued hands-on keyboard activity, the attackers took care of disabling event logging using AUDITPOL and re-enabling it afterward.

• In a similar way, before running noisy network enumeration activities (such as repeated NSLOOKUP or LDAP queries), the attackers carefully prepared special firewall rules to minimize outgoing packets for certain protocols. The firewall rules were also methodically removed after the network reconnaissance was completed.

• Lateral movement activities were never executed without preparation. To increase the likelihood that their activities remain undetected, the attackers first enumerated remote processes and services running on the target host and decided to move laterally only after disabling certain security services.

• We believe that the attackers used timestomping to change timestamps of artifacts and also leveraged professional wiping procedures and tools to complicate finding and recovering of DLL implants from affected environments."

Microsoft is working with a variety of other cybersecurity companies to gather as much information they can from this incident to prepare for future cyberattacks.