Threat researchers at RiskIQ’s Atlas intelligence unit have gleaned potentially important new insight into the infrastructure and tactics used in the SolarWinds cyber espionage campaign from the firm’s network telemetry.
The researchers combined the firm’s Internet Intelligence Graph with patterns derived from indicators of compromise (IoCs) that had already been reported to surface 56% more attacker-owned network infrastructure, and more than 18 previously missed command and control (C2) servers.
The SolarWinds attacks, which were first uncovered in December 2020, have now been attributed with a high degree of confidence to the Russian SVR foreign intelligence unit’s Cozy Bear, or APT29 group.
Earlier in April, US president Joe Biden announced new sanctions on Moscow as a result of the attacks, which predominantly targeted the networks of American government agencies, but caused considerable collateral damage.
RiskIQ director of threat intelligence Kevin Livelli said that the findings came to light after the Atlas team noted some distinctive patterns in HTTP banner responses from domains and IP addresses associated with the attacks. They then correlated domains and IPs that returned specific banner response patterns with SSL certificates, periods of activity, and hosting locations across the campaign’s second targeted stage to find the new infrastructure.
Livelli said this shed more light on tactics, techniques and procedures (TTPs) used by the threat actors behind the campaign, including evasive tactics and avoidance of patterns of activity to throw their pursuers off the scent – by avoiding TTPs used by APT29, the group ensured that threat researchers used a variety of disparate names to refer to them – among them UNC2452, StellarParticle, Nobellium and Dark Halo.
“Identifying a threat actor’s attack infrastructure footprint typically involves correlating IPs and domains with known campaigns to detect patterns,” said Livelli. “However, our analysis shows the group took extensive measures to throw researchers off their trail.
“Researchers or products attuned to detecting known APT29 activity would fail to recognise the campaign as it was happening. They would have an equally hard time following the trail of the campaign once they discovered it, which is why we knew so little about the later stages of the SolarWinds campaign.”
Some of the obfuscation tactics used by APT29 included the purchase of domains through third parties and at auction to obscure ownership information, and repurchasing expired domains at different times; hosting its first- and second-stage infrastructure entirely, and mostly, within the US; designing the malwares used in each stage to appear very different; and engineering the first-stage implant to call out to its C2 servers with random jitter after a fortnight, to elude event-logging.
RiskIQ said the new Cozy Bear infrastructure they have found means investigators can now benefit from a more “complex and context-rich view” of the SolarWinds attacks. More information, including IoCs, is available here.
The discoveries are significant as they expand the scope of the ongoing investigations into the SolarWinds attacks, and may very well lead to the discovery of more compromised targets. The US authorities have been informed of the team’s findings.