When the Hackers Got Hacked: SolarWinds Hack Explained
- March 26, 2021
- Posted by: Muhammad Afaq Khan, CCIE #9070
- Category: Cybersecurity
If you didn’t know, the SolarWinds hack was not just one of the most sophisticated software supply chain attacks ever, it was the most sophisticated one to occur to date. The SolarWinds hackers enjoyed unfettered access to thousands of SolarWinds customers worldwide for 9 months. They could have continued even longer had it not been for an unforced error on their part: trying to breach the cybersecurity firm FireEye, whose investigation of its own intrusion is what exposed the campaign.
SolarWinds and PRODAFT Report
A Swiss cybersecurity firm says it was able to access servers used by a hacking group, which it calls Silverfish, tied to the SolarWinds breach, revealing details about who the attackers targeted and how they carried out their operation. The company, known as Proactive Defense Against Future Threats or PRODAFT, also made some startling revelations about the hackers, including the news that they continued their campaign through March 2021. This is a story of hackers getting hacked themselves, karma coming full circle, or something straight out of a Hollywood movie.
So, in this article, I want to discuss some key takeaways from PRODAFT’s research report on the SolarWinds hackers and share some of the juicy details they uncovered about one of the most notorious cybercriminal organizations in history. PRODAFT researchers said they were able to break into the hackers’ command-and-control infrastructure and go through evidence of a massive campaign between August 2020 and March 2021. The aim of the hacking group, described as Silverfish by the researchers, was to spy on victims and exfiltrate data. So, here are the top 5 takeaways.
Scope of the Attack
The scope of the attack. We learned from the disclosure made at the time of the hack, in mid-December 2020, that up to 18,000 SolarWinds customers downloaded the trojanized SolarWinds Orion software update. Since then there has been plenty of hand waving: some said 250 organizations had been breached, the White House said about 100, but nobody has shared a specific number for how many customers were actually hacked. This report puts out a very specific number for the customers that were backdoored, and that is 4,720. SolarWinds puts its total customer base at about 300,000 worldwide, so if the 4,720 figure is to be believed, we’re talking about only 1.5% of that customer base, which makes it an extremely targeted hack. Measured against the 18,000 that received the trojanized update, 4,720 is roughly a quarter. Just to be clear, the report doesn’t say what portion of the 4,720 backdoored customers was then actively exploited.
The target regions or geographies. Until now, the only thing we knew about geographies was the distribution of the SolarWinds install base. PRODAFT says that about half of the targets, or 2,465, were located in the US, and another one-third were located in Europe. Approximately half of the victims were corporations with a market capitalization of more than 100 million USD, and over 90% of the organizations targeted appear to be small-to-medium cap public companies with yearly revenues of less than $10B. PRODAFT also claims that nearly all critical infrastructure sectors, as defined in the NIST Cybersecurity Framework, were successfully compromised. Another interesting data point that I found buried inside the report was a list of banned countries. The banned list consists of 12 countries that were part of the former USSR, such as Armenia, Belarus, Kazakhstan, Russia, and Ukraine. Just to be clear, the hackers were actively filtering out victims located in these 12 countries.
Enterprise as Sandbox
Using enterprise victims as a real-life sandbox. The hackers turned their actual enterprise victims into a malware detection sandbox, which let them test their malicious payloads on live victim servers running a variety of enterprise AV and EDR products, presumably to guarantee a high success rate on quote-unquote non-sandbox, i.e. live, servers. Through a web panel, the attackers periodically tested their payloads, scripts, and implants against more than 6,000 victim devices.
The details about the hackers. PRODAFT found that the attackers consisted of multiple teams working together as part of the campaign. The executed commands and specially crafted scripts used by the APT group strongly indicate sophistication and an advanced post-exploitation skillset. Another interesting finding was the level of hierarchy found on the C&C server, presumably to enable management of different targets, assignment of those targets to different groups, and triaging of incoming victims to the appropriate APT group members. They also found information suggesting that the hackers were mostly working Monday to Friday between the hours of 8 am and 8 pm UTC. If you work as a cybersecurity professional, be sure to share this with your boss the next time they want you on that 1 am call. Just kidding, but more on that later.
The phases of the hacking campaign. It appears that the APT group carried out their campaign in three waves. During the first wave, the threat actors mostly infected enterprise companies and government entities in the US. The second wave of attacks was carried out in late October 2020, followed by the third wave around mid-January 2021. PRODAFT’s findings show a totally quiet period from early November 2020 until about a month after the SolarWinds hack was publicly disclosed, so in total about two and a half months. As per PRODAFT, the hacking activity and data exfiltration are expected to continue throughout this year, and that’s some shocking news.
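The working-hours pattern in takeaway 4 and the waves and quiet period in takeaway 5 both come from the same kind of analysis: bucketing activity timestamps from the C&C side by hour of day, weekday, and week. Here is an added example of that analysis in Python; it is not PRODAFT’s tooling or data. It assumes a log with one event per line in the form `<ISO-8601 timestamp> <action>`, and the sample log is constructed inline with two Mon–Fri, 08–20 UTC activity waves separated by a gap, so the functions have something to find.

```python
"""Operator-tempo profiling from C&C activity timestamps.

Added example, not PRODAFT's tooling. Assumed input format: one event per
line, "<ISO-8601 timestamp> <action>". The sample log below is constructed.
"""
from collections import Counter
from datetime import date, datetime, timedelta, timezone


def build_sample_log():
    """Constructed sample, not real SolarWinds/PRODAFT data: two activity
    waves separated by a quiet gap, operators active Mon-Fri only, with
    events at 08, 12, 16 and 19 UTC on each working day."""
    waves = [(date(2020, 9, 1), date(2020, 10, 31)),
             (date(2021, 1, 11), date(2021, 2, 28))]
    lines = []
    for start, end in waves:
        day = start
        while day <= end:
            if day.weekday() < 5:  # Monday..Friday only
                for hour in (8, 12, 16, 19):
                    ts = datetime(day.year, day.month, day.day, hour,
                                  day.day % 60, tzinfo=timezone.utc)
                    lines.append(f"{ts.isoformat()} task_assigned")
            day += timedelta(days=1)
    return lines


def parse_events(lines):
    """Parse '<timestamp> <action>' lines into timezone-aware UTC datetimes.
    Timestamps carrying no offset are assumed to already be UTC."""
    events = []
    for line in lines:
        stamp, _, _action = line.strip().partition(" ")
        if not stamp:
            continue  # blank line
        dt = datetime.fromisoformat(stamp)
        if dt.tzinfo is None:
            dt = dt.replace(tzinfo=timezone.utc)
        events.append(dt.astimezone(timezone.utc))
    return events


def hour_of_day_profile(events):
    """Events per UTC hour of day (0-23)."""
    return Counter(e.hour for e in events)


def weekday_profile(events):
    """Events per weekday name (Mon..Sun)."""
    return Counter(e.strftime("%a") for e in events)


def active_window(events, min_share=0.02):
    """(first_hour, last_hour) UTC bounding the hours that each carry at least
    min_share of all events, so a few stray off-hours events do not stretch
    the window. Returns None when there are no events."""
    profile = hour_of_day_profile(events)
    total = sum(profile.values())
    busy = [h for h, n in profile.items() if n / total >= min_share]
    return (min(busy), max(busy)) if busy else None


def weekly_counts(events):
    """Events per ISO week, keyed by the Monday that starts the week."""
    counts = Counter()
    for e in events:
        counts[e.date() - timedelta(days=e.weekday())] += 1
    return counts


def quiet_periods(events, min_weeks=2):
    """Runs of at least min_weeks consecutive event-free weeks between the first
    and last active week, as [(first_quiet_monday, last_quiet_monday)]."""
    counts = weekly_counts(events)
    if not counts:
        return []
    gaps, run_start = [], None
    week, last = min(counts), max(counts)
    while week <= last:
        if counts.get(week, 0) == 0:
            run_start = run_start or week
        elif run_start is not None:
            if (week - run_start).days // 7 >= min_weeks:
                gaps.append((run_start, week - timedelta(days=7)))
            run_start = None
        week += timedelta(days=7)
    return gaps


def report(lines):
    """Summarise operator tempo for a log as a plain dict."""
    events = parse_events(lines)
    return {
        "events": len(events),
        "active_hours_utc": active_window(events),
        "weekdays_seen": sorted(weekday_profile(events)),
        "quiet_periods": quiet_periods(events),
    }


if __name__ == "__main__":
    for key, value in report(build_sample_log()).items():
        print(f"{key}: {value}")
```

On the constructed sample this reports an active window of 08–19 UTC, weekdays only, and one ten-week gap from the week of 2 November 2020 to the week of 4 January 2021. On real data the hour-of-day histogram is what you would compare against candidate time zones, and `min_share` is there so that a handful of automated beacons outside office hours do not erase the working-hours signal.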
There are plenty of technical details in the report that I didn’t cover, but I strongly believe that this behind-enemy-lines sort of discovery will become an important benchmark for understanding the capabilities of APT actors, their rules of engagement, and their TTPs. There is also a private version of this report, shared exclusively with organizations that fight cybercrime.
One of the most striking things from this report is the level of organization and work ethic displayed by the threat actor. They were highly skilled, well-funded, and had a clearly defined mission. This ups the ante for cybersecurity professionals and the entire ecosystem dedicated to protecting and safeguarding critical infrastructure. While we have yet to see what the ultimate fallout from the SolarWinds hack will be, it is clear that all organizations would benefit from re-examining their current third-party security risk strategy. I sincerely hope that happens soon.
THANK you for reading this article, I hope you found it helpful. I’d love to hear your thoughts.
Author: Muhammad Afaq Khan, CCIE #9070