UNC2452, the Russia-linked advanced persistent threat (APT) group behind the December 2020 SolarWinds cyber attacks targeting US government agencies, probably accessed SolarWinds’ systems both through a zero-day vulnerability in Microsoft Office 365 and through a compromise of user credentials, according to new intelligence shared by SolarWinds CEO Sudhakar Ramakrishna.
The ongoing investigation into the attack has already established that UNC2452 obtained access to the SolarWinds Orion networking platform back in 2019.
Now, in a new update, Ramakrishna said the investigation is exploring a few potential theories about how the threat actors entered its environment and what they did once they got inside.
“We’re pursuing numerous theories, but currently believe the most likely attack vectors came through a compromise of credentials and/or access through a third-party application via an at-the-time zero-day vulnerability,” he said.
“Investigations are still ongoing and, given the sophistication of these attacks and the actions taken by the threat actors to manipulate our environment and remove evidence of their activities, combined with the large volumes of log and other data to analyse, our investigations will be ongoing for at least several more weeks, possibly months.”
Ramakrishna said the investigation continues to analyse data from multiple systems and logs, including its Microsoft Office 365 and Azure tenants and SolarWinds’ Security Event Manager and build environment platforms. It has not yet determined the exact date of the initial compromise, or the specific vulnerability used to access its Office 365 environment.
It has, however, found that a SolarWinds email account was compromised and used to programmatically access the accounts of other targeted employees in business and technical roles in order to harvest further credentials, which enabled the group to access and exploit the Orion development environment to insert its malicious code.
“Research community investigations have highlighted that these nation-state operators displayed determination, patience, extremely high operational security (OpSec), and advanced tactics, techniques and procedures (TTPs),” said Ramakrishna.
They attempted to cover their tracks by: varying or disabling audit logs, timestamps and other defence measures; deleting files and programs after use to avoid forensic discovery; faking file names and activity to mimic legitimate apps and files; automating dormancy periods prior to activation; and using servers outside the jurisdiction of US intelligence agencies.
More details of the TTPs used by the group are available from SolarWinds, which also continues to take steps to prevent such an incident from ever occurring again – a second progress report on its work towards becoming “secure by design” has been published here.
In the weeks since the initial attacks were disclosed, it has emerged that a number of other cyber security firms were compromised by the same group, to the extent that the acting director of the US Cyber Security and Infrastructure Security Agency (CISA), Brandon Wales, has said that UNC2452’s activities can no longer really be referred to as the SolarWinds campaign.
This week also saw the patching of two critical vulnerabilities in the Orion platform, discovered by threat researchers at Trustwave, which could have allowed attackers to take control of their targets via SolarWinds. These CVEs are not thought to have been used by UNC2452.