Threat researchers at RiskIQ’s Atlas intelligence unit have gleaned potentially crucial new insight into the infrastructure and tactics used in the SolarWinds cyber espionage campaign from the firm’s network telemetry. The researchers combined the firm’s Internet Intelligence Graph with patterns derived from already reported indicators of compromise (IoCs) to surface 56% more attacker-owned network infrastructure and more than 18 previously missed command and control (C2) servers. The SolarWinds attacks, first uncovered in December 2020, have now been attributed with a high degree of confidence to Cozy Bear, also known as APT29, a group operating under Russia’s SVR foreign intelligence service.
Earlier in April, US president Joe Biden announced new sanctions on Moscow due to the attacks, which predominantly targeted the networks of American government agencies, but caused considerable collateral damage.
RiskIQ director of threat intelligence Kevin Livelli said that the findings came to light after the Atlas team noted some distinctive patterns in HTTP banner responses from domains and IP addresses associated with the attacks. They then correlated domains and IPs that returned specific banner response patterns with SSL certificates, periods of activity and hosting locations across the campaign’s second targeted stage to find the new infrastructure.
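The pivoting method described above, as an added example that is not RiskIQ's code: starting from seed IoCs, derive a fingerprint from the normalised HTTP banner, certificate issuer and hosting provider, then report other hosts that share that fingerprint and were active during an overlapping window. Every host, banner, certificate field, ASN label and date below is a constructed placeholder, not a real indicator.

```python
"""Infrastructure pivoting over constructed telemetry records.

Added example (not RiskIQ's or any vendor's code). All hosts, banners,
certificate fields, hosting labels and dates are constructed placeholders.
"""
from __future__ import annotations

import re
from dataclasses import dataclass
from datetime import date


@dataclass(frozen=True)
class HostRecord:
    host: str
    banner: str        # raw HTTP response banner as a scanner would capture it
    cert_issuer: str   # issuer of the TLS certificate presented by the host
    hosting: str       # hosting provider / ASN label (constructed)
    first_seen: date
    last_seen: date


def _banner(date_str: str, status: str = "404 Not Found",
            server: str = "nginx", length: int = 0) -> str:
    return (f"HTTP/1.1 {status}\r\nServer: {server}\r\nDate: {date_str}\r\n"
            f"Content-Length: {length}\r\n\r\n")


# Constructed sample telemetry: two already-reported C2 hosts plus candidates.
TELEMETRY = [
    HostRecord("c2-a.example", _banner("Mon, 01 Feb 2021 00:00:00 GMT"),
               "Example CA R1", "HostCo-AS64500", date(2020, 3, 1), date(2020, 12, 10)),
    HostRecord("c2-b.example", _banner("Tue, 02 Feb 2021 00:00:00 GMT"),
               "Example CA R1", "HostCo-AS64500", date(2020, 4, 15), date(2020, 12, 12)),
    # same fingerprint, overlapping activity window -> should be surfaced
    HostRecord("pivot-1.example", _banner("Wed, 03 Feb 2021 00:00:00 GMT"),
               "Example CA R1", "HostCo-AS64500", date(2020, 5, 1), date(2020, 11, 30)),
    # same fingerprint but active long before the campaign -> stale, not surfaced
    HostRecord("pivot-2.example", _banner("Thu, 04 Feb 2021 00:00:00 GMT"),
               "Example CA R1", "HostCo-AS64500", date(2019, 1, 1), date(2019, 6, 30)),
    # same banner pattern, different certificate issuer -> not surfaced
    HostRecord("benign-1.example", _banner("Fri, 05 Feb 2021 00:00:00 GMT"),
               "Other CA G2", "HostCo-AS64500", date(2020, 6, 1), date(2020, 12, 1)),
    # same issuer and hosting, different banner structure -> not surfaced
    HostRecord("benign-2.example", _banner("Sat, 06 Feb 2021 00:00:00 GMT", "200 OK", "Apache", 512),
               "Example CA R1", "HostCo-AS64500", date(2020, 6, 1), date(2020, 12, 1)),
    # same fingerprint, window overlaps the tail of c2-b -> surfaced
    HostRecord("pivot-3.example", _banner("Sun, 07 Feb 2021 00:00:00 GMT"),
               "Example CA R1", "HostCo-AS64500", date(2020, 12, 1), date(2021, 1, 15)),
]

SEED_IOCS = {"c2-a.example", "c2-b.example"}  # constructed "already reported" IoCs


def banner_pattern(banner: str) -> str:
    """Normalise the parts of a banner that vary per response (Date, length)
    so that structurally identical responses compare equal."""
    pattern = re.sub(r"Date: .*?\r\n", "Date: <x>\r\n", banner)
    pattern = re.sub(r"Content-Length: \d+", "Content-Length: <n>", pattern)
    return pattern


def fingerprint(rec: HostRecord) -> tuple[str, str, str]:
    return (banner_pattern(rec.banner), rec.cert_issuer, rec.hosting)


def overlaps(a: HostRecord, b: HostRecord) -> bool:
    """True when the two activity windows share at least one day."""
    return a.first_seen <= b.last_seen and b.first_seen <= a.last_seen


def pivot(records: list[HostRecord], seeds: set[str]) -> set[str]:
    """Return hosts outside `seeds` that match a seed fingerprint and were
    active at the same time as at least one seed host."""
    seed_recs = [r for r in records if r.host in seeds]
    seed_fps = {fingerprint(r) for r in seed_recs}
    found = set()
    for rec in records:
        if rec.host in seeds or fingerprint(rec) not in seed_fps:
            continue
        if any(overlaps(rec, s) for s in seed_recs):
            found.add(rec.host)
    return found


def coverage_uplift(seeds: set[str], found: set[str]) -> float:
    """Fraction by which pivoting grew the known set (1.0 == twice as many hosts)."""
    return len(found) / len(seeds)


if __name__ == "__main__":
    surfaced = pivot(TELEMETRY, SEED_IOCS)
    print(sorted(surfaced), f"uplift={coverage_uplift(SEED_IOCS, surfaced):.0%}")
```

The activity-window check is what keeps a shared banner and certificate profile from sweeping in every host a provider ever served with the same stack; in practice the banner normalisation would be tuned to whatever fields the scanner sees vary between otherwise identical responses.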
Livelli said this shed more light on the tactics, techniques, and procedures (TTP) used by the threat actors behind the campaign, including evasive tactics and a deliberate avoidance of recognisable patterns of activity to throw their pursuers off the scent – by steering clear of TTP previously used by APT29, the group ensured that threat researchers tracked it under a variety of disparate names – among them UNC2452, StellarParticle, Nobelium, and Dark Halo.