Blog

CCIEin8Weeks > Blog > Cybersecurity > When the Hackers Got Hacked: SolarWinds Hack Explained

When the Hackers Got Hacked: SolarWinds Hack Explained

  • March 26, 2021
  • Posted by: Muhammad Afaq Khan, CCIE #9070
  • Category: Cybersecurity
No Comments
solarwinds hack explained
5
(1)

If you didn’t know, the SolarWinds hack was not one of, but the most sophisticated software supply chain attack to ever occur. SolarWinds hackers enjoyed unfettered access to thousands of SolarWinds customers worldwide for 9 months. They could have continued it for even longer if not for the unforced error on their part where they tried to breach the cybersecurity firm FireEye.

 

Table of Contents hide
1 SolarWinds and PRODAFT Report
2 Scope of the Attack
3 Target Regions
4 Enterprise as Sandbox
5 Hackers’ Details
6 Final Thoughts

SolarWinds and PRODAFT Report

A Swiss cybersecurity firm says it was able to access servers used by a hacking group, named Silverfish, tied to the SolarWinds breach, revealing details about who the attackers targeted and how they carried out their operation. The company, known as Proactive Defense Against Future Threats or PRODAFT, also made some startling revelations about the hackers including the news that they have continued with their campaign even through March 2021. This is a story of hackers getting hacked themselves, Karma coming full circle, or something taken out of a Hollywood movie.

So, in this article, I want to discuss some key takeaways from PRODAFT’s research report on SolarWinds hackers and share some of the juicy details they uncovered on one of the world’s most notorious cybercriminal organizations in history. Now, PRODAFT researchers said they were able to break into the hackers’ computers and go through evidence of a massive campaign between August and March. The aim of the hacking group, described as Silverfish by the researchers, was to spy on victims and exfiltrate data. So, here are the top 5 takeaways.

Scope of the Attack

The scope of the attack. We learned from the disclosure made at the time of the hack, in mid-December 2020, that 18000 SolarWinds customers downloaded the trojanized SolarWinds Orion software update. There has been plenty of hand waving like someone said 250 organizations have been breached, White House said 100, but no specific number has been shared by anyone as to how many customers were hacked. But this report puts out a very specific number on the actual customers that were backdoored and that is 4720. As per SolarWinds, the Orion install base includes 300,000 total customers worldwide. So, if the 4720 number is to be believed, we’re talking about only 1.5% of the install base which makes it an extremely targeted hack. Just to be clear, the report doesn’t say what portion of 4720 was hacked.

Target Regions

The target regions or geographies. The only thing we know, as far as geographies are concerned, is the distribution of the SolarWinds install base. PRODAFT says that about half of the targets, or 2465, we’re located in the US. Another one-third were located in Europe. Approximately half of the victims were witnessed to be corporations that have a market capitalization of more than 100 million USD. It seems that over 90% of the organizations targeted were small-to-medium cap public companies with yearly revenues less than $10B. They also claim that nearly all critical infrastructures, as defined in the NIST Cybersecurity framework have been successfully compromised. Another interesting data point that I found buried inside the report was a list of banned countries. The banned list consists of 12 countries that were part of the former USSR, we’re talking about countries like Armenia, Belarus, Kazakhstan, Russia, Ukraine, and so on. Just to be clear, hackers were actively filtering out victims located in these 12 countries.

Enterprise as Sandbox

Using Enterprise victims as a real-life sandbox. The hackers were using malware detection sandbox formed by actual enterprise victims, which enabled them to test their malicious payloads on actual live victim servers with different enterprise AV and EDR solutions, perhaps to guarantee a high success rate for a quote and quote non-sandbox or live servers. The attackers were using a web panel to periodically test their malicious payloads on more than 6000 victim devices, scripts, and implants.

Hackers’ Details

The details about the hackers. PRODAFT found out that hackers consisted of multiple teams working together as part of the campaign. The executed commands and specially crafted scripts used by the APT group strongly indicate sophistication and an advanced post-exploitation skillset. Another interesting finding was the level of hierarchy found on the C&C server, perhaps to enable management of different targets, assignment of these targets to different groups, and triaging incoming victims to appropriate APT group members. They also found information that suggested that hackers were mostly working Monday to Friday between the hours of 8 am to 8 pm UTC. If you work as a Cybersecurity professional, be sure to share this with your boss when he wants to be on that 1 am call next time. Just kidding but more on that later.

The phases of the hacking campaign. It appears that the APT group carried out their hacking campaign in three waves. During the first wave, threat actors mostly infected enterprise companies and government entities in the US. The second wave of attacks was carried out during the late part of October, followed by the third wave around mid-January 2021. PRODAFT’s finding shows a totally quiet period in early November 2020 and until a month after the SolarWinds hack was publicly disclosed so in total about two and a half months. As per PRODAFT, the hacking activity and data exfiltration are expected to continue throughout this year and that’s some shocking news.

Final Thoughts

There is plenty of technical details in the report that I didn’t cover, but I strongly believe that this behind-enemy-lines sort of discovery will become an important benchmark in terms of understanding the capabilities of the APT actors, their RoE, and TTPs. There is also a private version of this report exclusively shared with cybercrime organizations.

One of the most striking things from this report is the level of organization and work ethics displayed by the threat actor. They were highly skilled, well-funded, and had a clearly defined mission. This ups the ante on the Cybersecurity professionals and the entire ecosystem dedicated to protecting and safeguarding the critical infrastructure. While we have yet to see what the ultimate fallout from the SolarWinds hack will be, it is clear all organizations would benefit from re-examining their current third-party security risk strategy. I sincerely hope that it happens soon.

THANK you for reading this article, I hope you found it helpful. I’d love to hear your thoughts.

How useful was this post?

Follow us on social media for more posts like this one!

Thank you.

Author:Muhammad Afaq Khan, CCIE #9070

Muhammad Afaq Khan started his professional career at Cisco TAC San Jose and passed his first CCIE in 2002. He held multiple technical and management positions at Cisco HQ over his 11 years tenure at the company before moving into cloud software and data center infrastructure IT markets. He has worked at startups as well as Fortune 100 companies in senior leadership positions over his career. He is also a published author (Cisco Press, 2009) and holds multiple patents in the areas of networking, security and virtualization. Currently, he is a founder at Full Stack Networker and a vocal advocate for network automation technologies and NetDevOps. You can check his accomplishments at https://bit.ly/3qZsCLm

Leave a Reply