New information regarding the SolarWinds breach that affected thousands of organizations indicates the scope of the attack is much larger than originally thought.
Researchers from RiskIQ published a report today that dives into new analysis of the situation. They found the Sunburst/Solorigate backdoor was designed to detect and avoid a variety of security products—in particular, antivirus software developed by FireEye, CrowdStrike, Microsoft, ESET, and F-Secure—in the first stage of infection.
Here is how they describe what is currently happening:
"The Russian espionage campaign that compromised the SolarWinds supply chain is progressing, yet public-facing research into the campaign is not. That's in part because piecing together what happened so far is exceptionally challenging. The threat actor, identified by the U.S. government as APT29 but tracked in the private industry as UNC2452, took great pains to avoid creating the type of patterns that make tracing them easy. For months, the Russians successfully compromised or blinded the very security companies and government agencies most likely to pursue them."
New information regarding SolarWinds
Researchers made a few key findings through their analysis of the SolarWinds attack.
They mention that the "network infrastructure footprint of the SolarWinds espionage campaign is significantly larger than previously identified in U.S. government and private industry reporting."
Specifically, they have identified 18 additional servers that likely communicated with victims and/or secondary Cobalt Strike payloads via TEARDROP and RAINDROP. This is a 56% increase in the size of the attackers' known footprint and could lead to newly identified targets.
Researchers also found the investigation into the incident was not as smooth as it could have been, noting two main inhibitors:
- "The use of U.S.-based infrastructure in the first stage, which effectively blocked or limited pursuit by the NSA; and
- Highly skilled measures to avoid creating patterns typically identified and tracked by threat hunters."
Stay tuned for updates as more information surrounding the SolarWinds hack becomes available.