SolarWinds Campaign Even Wider Than First Thought

Uploaded on 2021-04-28 in TECHNOLOGY--Hackers, NEWS-News Analysis, GOVERNMENT-National, FREE TO VIEW

A new analysis of the SolarWinds breach suggests that the attacker infrastructure behind the campaign is far larger than first believed. The catastrophic SolarWinds security incident involved the compromise of the IT software vendor's network and later the deployment of malicious SolarWinds Orion updates to clients that contained a backdoor called Sunburst

Now researchers have now uncovered eighteen additional command-and-control servers used in the SolarWinds hacking campaign, indicating that the operation was broader in scope than previously known.  The researchers found that this infrastructure was registered under varying names and at different times over several years to avoid establishing a traceable pattern. 

The White House, together with the UK government, has blamed the attacks on state-backed Russian cyber criminals, the  APT29 group otherwise known as Cozy Bear.

The servers, which the hackers used to communicate with infected machines and send additional malware to them, may help point investigators to previously unidentified victims, according to researchers with RiskIQ’s Atlas Team. Investigators had previously identified about three dozen command-and-control servers used in the operation. The new findings expand that infrastructure by more than half. 

RiskIQ also uncovered  evidence that two servers previously identified as part of the hackers’ infrastructure were active on February 27, 2020, evidently pushing malware out to infected victims. The two servers, which used the domain names globalnetworkissues.com and seobundlekit.com, were part of the so-called “second-stage” operation that delivered additional malware to victims after they were already infected with compromised SolarWinds software.

If the two servers were pushing out second-stage malware to victims in February, this raises the possibility that either a previously unknown version of the SolarWinds software was compromised and infected customers in February, or the attackers were pushing second-stage malware to victims who had been infected in some other way, not through the compromised SolarWinds software. 

RiskIQ say that their findings will "likely lead to newly identified targets." US-CERT was made aware of RiskIQ's findings prior to public disclosure. 

CERT CISA:     SolarWinds:      Risk IQ:      ZDNet:     Kim Zetter:      Image: Unsplash

You Might Also Read: 

A Successful Solar Winds Investigation:

 

« Better Cyber Security For Smart Devices
WEBINAR: How to fuel your DevSecOps in AWS »

CyberSecurity Jobsite
Perimeter 81
Cyrin

Real Attacks. Real Tools. Real Scenarios.
Schedule a demo

Go Cyber

Training that transforms behaviours

Sign Up: Cyber Security Intelligence Newsletter

Directory of Suppliers

UK Cyber Week Expo & Conference

UK Cyber Week Expo & Conference

Award-winning event organiser ROAR B2B announces the launch of UK Cyber Week and its inaugural event on 4 and 5 April 2023 at the Business Design Centre, London.

Syxsense

Syxsense

Syxsense brings together endpoint management and security for greater efficiency and collaboration between IT management and security teams.

NordLayer

NordLayer

NordLayer is an adaptive network access security solution for modern businesses — from the world’s most trusted cybersecurity brand, Nord Security. 

DigitalStakeout

DigitalStakeout

DigitalStakeout enables cyber security professionals to reduce cyber risk to their organization with proactive security solutions, providing immediate improvement in security posture and ROI.

Authentic8

Authentic8

Authentic8 transforms how organizations secure and control the use of the web with Silo, its patented cloud browser.

Digital Gurus Recruitment

Digital Gurus Recruitment

Digital Gurus provide specialist recruitment services in areas including IT and information security

ESET

ESET

ESET provide security software for enterprises and consumers - Antivirus Software, Internet Security and Virus Protection.

GSMA - IoT Security Guidelines

GSMA - IoT Security Guidelines

GSMA has created a set of security guidelines for the benefit of service providers who are looking to develop new IoT products and services.

Cobwebs Technologies

Cobwebs Technologies

Cobwebs Technologies provide web intelligence solutions for Law Enforcement (including cybercrime), Intelligence Agencies and Federal Agencies.

Critical Infrastructures for Information and Cybersecurity (ICIC)

Critical Infrastructures for Information and Cybersecurity (ICIC)

ICIC addresses the demand for cybersecurity for National Public Sector organizations and civil and private sector organizations in Argentina.

PhishLabs

PhishLabs

PhishLabs provides 24/7 services that help organizations protect against the cyberattacks targeting their employees, their customers and their brands.

Computex Technology Solutions

Computex Technology Solutions

Computex is an IT solutions provider delivering high-performance IT infrastructure solutions from assessment and design through to implementation, security and management.

QA

QA

QA is a leading IT training provider in the UK with over 1,500 courses covering all areas of IT including Cyber Security.

Commonwealth Cybercrime Initiative (CCI)

Commonwealth Cybercrime Initiative (CCI)

The CCI unites 35 international organisations contributing to multidisciplinary programmes in Commonwealth countries. These organisations form the CCI Consortium.

Siemens

Siemens

Siemens Industrial Security Services provide solutions for cybersecurity in automation environments based on the recommendations of the international standard IEC 62443.

Schweitzer Engineering Laboratories (SEL)

Schweitzer Engineering Laboratories (SEL)

SEL specializes in creating digital products and systems that protect, control, and automate power systems around the world.

Cyber Management Alliance

Cyber Management Alliance

Cyber Management Alliance is closing the divide in cyberspace by bringing together the best qualities of thought leadership and operational mastery of cyber security management.

Pionen

Pionen

Pionen are a specialist information security consultancy with excellent people and proven security delivery methodologies at its core.

SecurityGen

SecurityGen

SecurityGen is a global cybersecurity start-up focused on telecom security, with a focus on 5G networks.

Information Security Officers Group (ISOG)

Information Security Officers Group (ISOG)

ISOG's mission is to strengthen information security through awareness and education programs, promoting community and fellowship among information security leaders.

Match Systems

Match Systems

Match Systems provides blockchain investigations, KYC, KYT, AML, Due Diligence and compliance services.