When the Hackers Got Hacked: SolarWinds Hack Explained
- March 26, 2021
- Posted by: Muhammad Afaq Khan, CCIE #9070
- Category: Cybersecurity
If you didn’t know, the SolarWinds hack was not merely one of the most sophisticated software supply chain attacks ever to occur; it was the most sophisticated. The SolarWinds hackers enjoyed unfettered access to thousands of SolarWinds customers worldwide for 9 months. They could have kept it going even longer if not for an unforced error on their part: their attempt to breach the cybersecurity firm FireEye.
SolarWinds and PRODAFT Report
A Swiss cybersecurity firm says it was able to access servers used by a hacking group, named Silverfish, tied to the SolarWinds breach, revealing details about whom the attackers targeted and how they carried out their operation. The company, known as Proactive Defense Against Future Threats or PRODAFT, also made some startling revelations about the hackers, including the news that they continued their campaign through March 2021. This is a story of hackers getting hacked themselves, karma coming full circle, or something straight out of a Hollywood movie.
So, in this article, I want to discuss some key takeaways from PRODAFT’s research report on the SolarWinds hackers and share some of the juicy details they uncovered about one of the most notorious cybercriminal organizations in history. PRODAFT researchers said they were able to break into the hackers’ computers and go through evidence of a massive campaign running between August and March. The aim of the hacking group, described as Silverfish by the researchers, was to spy on victims and exfiltrate data. So, here are the top 5 takeaways.
Scope of the Attack
The scope of the attack. We learned from the disclosure made at the time of the hack, in mid-December 2020, that 18000 SolarWinds customers downloaded the trojanized SolarWinds Orion software update. There has been plenty of hand-waving since: some said 250 organizations had been breached, the White House said 100, but no one has shared a specific number for how many customers were actually hacked. This report, however, puts out a very specific number for the customers that were backdoored: 4720. As per SolarWinds, the Orion install base includes 300,000 customers worldwide. So, if the 4720 number is to be believed, we’re talking about only 1.5% of the install base, which makes it an extremely targeted hack. Just to be clear, the report doesn’t say what portion of the 4720 was actually hacked beyond the backdoor.
The target regions or geographies. The only thing we knew before, as far as geographies are concerned, was the distribution of the SolarWinds install base. PRODAFT says that about half of the targets, or 2465, were located in the US. Another one-third were located in Europe. Approximately half of the victims were observed to be corporations with a market capitalization of more than 100 million USD. It seems that over 90% of the organizations targeted were small-to-medium cap public companies with yearly revenues of less than $10B. They also claim that nearly all critical infrastructure sectors, as defined in the NIST Cybersecurity Framework, were successfully compromised. Another interesting data point that I found buried inside the report was a list of banned countries. The banned list consists of 12 countries that were part of the former USSR, including Armenia, Belarus, Kazakhstan, Russia, Ukraine, and so on. Just to be clear, the hackers were actively filtering out victims located in these 12 countries.
Enterprise as Sandbox
Using enterprise victims as a real-life sandbox. The hackers were using a malware-detection sandbox formed from actual enterprise victims, which enabled them to test their malicious payloads on live victim servers running different enterprise AV and EDR solutions, perhaps to guarantee a high success rate on quote-unquote non-sandbox, or live, servers. The attackers were using a web panel to periodically test their malicious payloads, scripts, and implants on more than 6000 victim devices.
The details about the hackers. PRODAFT found that the hackers consisted of multiple teams working together as part of the campaign. The executed commands and specially crafted scripts used by the APT group strongly indicate sophistication and an advanced post-exploitation skillset. Another interesting finding was the level of hierarchy found on the C&C server, perhaps to enable management of different targets, assignment of those targets to different groups, and triaging of incoming victims to the appropriate APT group members. They also found information suggesting that the hackers were mostly working Monday to Friday between the hours of 8 am and 8 pm UTC. If you work as a cybersecurity professional, be sure to share this with your boss the next time he wants to be on that 1 am call. Just kidding, but more on that later.
The phases of the hacking campaign. It appears that the APT group carried out their hacking campaign in three waves. During the first wave, the threat actors mostly infected enterprise companies and government entities in the US. The second wave of attacks was carried out during the late part of October, followed by the third wave around mid-January 2021. PRODAFT’s findings show a totally quiet period from early November 2020 until about a month after the SolarWinds hack was publicly disclosed, about two and a half months in total. As per PRODAFT, the hacking activity and data exfiltration are expected to continue throughout this year, and that’s some shocking news.
There are plenty of technical details in the report that I didn’t cover, but I strongly believe that this behind-enemy-lines sort of discovery will become an important benchmark in terms of understanding the capabilities of APT actors, their RoE, and their TTPs. There is also a private version of this report exclusively shared with cybercrime organizations.
One of the most striking things in this report is the level of organization and work ethic displayed by the threat actor. They were highly skilled, well-funded, and had a clearly defined mission. This raises the stakes for cybersecurity professionals and the entire ecosystem dedicated to protecting and safeguarding critical infrastructure. While we have yet to see what the ultimate fallout from the SolarWinds hack will be, it is clear that all organizations would benefit from re-examining their current third-party security risk strategy. I sincerely hope that it happens soon.
Thank you for reading this article, I hope you found it helpful. I’d love to hear your thoughts.
Author: Muhammad Afaq Khan, CCIE #9070