Microsoft researchers say a second unidentified hacking team installed a backdoor in the same SolarWinds network software that facilitated a massive cyber espionage campaign, as the number of victims in the attack rose to 200.
The second backdoor, dubbed SUPERNOVA by security experts, appears distinct from the SUNBURST attack that has been attributed to Russia, raising the possibility that multiple adversaries were attempting parallel attacks, perhaps unbeknownst to each other.
It comes after President Donald Trump contradicted members of his own administration to suggest that China may be behind the sprawling attack, which compromised key federal agencies.
‘The investigation of the whole SolarWinds compromise led to the discovery of an additional malware that also affects the SolarWinds Orion product but has been determined to be likely unrelated to this compromise and used by a different threat actor,’ Microsoft said in a security blog on Friday.
The second backdoor is a piece of malware that imitates SolarWinds’ Orion product but it is not ‘digitally signed’ like the other attack, suggesting this second group of hackers did not share the same access to the network management company’s internal systems.
Chinese leader Xi Jinping is seen with Russian President Vladimir Putin. There is now evidence two adversaries compromised SolarWinds products, after Trump contradicted his own secretary of state to suggest China, rather than Russia was to blame
Microsoft‘s headquarters is seen above. The company says a second a second unidentified hacking team installed a backdoor in the same SolarWinds network software that facilitated a massive cyber espionage campaign
Microsoft identified the types of targets compromised in the attack in the above graphic
It is unclear whether SUPERNOVA has been deployed against any targets, such as customers of SolarWinds. The malware appears to have been created in late March, based on a review of the file’s compile times.
The SUNBURST backdoor was first deployed in March, though the same group behind it appears to have tampered with SolarWinds products as early as October 2019.
In past breaches, security researchers have found evidence that more than one suspected Russian hacking group penetrated the same system, duplicating their efforts in a way that suggested each did not know what the other was doing.
One such case was the breach of the Democratic National Committee’s servers in 2016, when CrowdStrike researchers found evidence that Russian hacking groups dubbed Fancy Bear and Cozy Bear had both broken into the system.
It’s also possible that the SUPERNOVA and SUNBURST attacks represent the actions of separate nations attempting to use SolarWinds products to penetrate other high-value U.S. targets.
In a statement, a SolarWinds spokesman did not address SUPERNOVA, but said the company ‘remains focused on collaborating with customers and experts to share information and work to better understand this issue.’
‘It remains early days of the investigation,’ the spokesman said.
Hackers used malicious code inserted into legitimate products from SolarWinds to target hundreds of high-value targets. Above, the company’s Texas headquarters is seen
A graphic shows how the SUNBURST attack unfolded in networks that were compromised
Meanwhile, cybersecurity firm Recorded Future says it has identified 198 victims of the attack who were actively compromised through the backdoor, though the final number could rise further, according to Bloomberg.
Though compromised network software from SolarWinds Corp was downloaded by nearly 18,000 customers since March, the hackers only activated their Trojan horse backdoor, dubbed SUNBURST, on a handful of high-value targets.
The researchers did not name the victims, though experts at Microsoft have said most victims were government agencies, defense contractors, and technology providers. The departments of Homeland Security, Justice, Treasury, Commerce, Energy and State are known to be among the compromised victims.
Though Secretary of State Mike Pompeo on Friday attributed the SUNBURST attack to Russia, President Donald Trump on Saturday broke his lengthy silence about the breach to suggest that China may be responsible.
‘Russia, Russia, Russia is the priority chant when anything happens because Lamestream is, for mostly financial reasons, petrified of discussing the possibility that it may be China (it may!),’ Trump said in a tweet.
Trump‘s assertion that China may be behind the hacking spree, runs counter to comments by Pompeo and multiple lawmakers briefed on the matter.
‘We can say pretty clearly that it was the Russians that engaged in this activity,’ said Pompeo on Friday in an interview. Russia has denied involvement in the attack.
Republican lawmaker Mitt Romney in a tweet on Thursday said the hack was ‘like Russian bombers have been repeatedly flying undetected over our entire country.’
Donald Trump has broken his silence over the huge suspected Russian cyber attack claiming that China could be behind the attack
Trump tweeted claiming that China could be behind the attack, despite Secretary of State Mike Pompeo publicly blaming Russia the day before
Experts say that attribution of a skilled cyber breach can be difficult to pin down, and note that the tools used in the SUNBURST attack have never been seen before.
‘Cyber attribution is exceptionally complex and relies on analysis not only of the tools and techniques used, but also the possible motivations,’ Brett Callow, a threat analyst with cybersecurity firm Emsisoft, told DailyMail.com.
‘What evidence the US government has that points to the attack being carried out by Russia – or, for that matter, China – is unclear at this point,’ he added.
The hack first came into view last week, when U.S. cybersecurity firm FireEye Inc disclosed that it had itself been a victim of the very kind of cyberattack that clients pay it to prevent.
Publicly, the incident initially seemed mostly like an embarrassment for FireEye. But hacks of security firms are especially dangerous because their tools often reach deeply into the computer systems of their clients.
Days before the hack was revealed, FireEye researchers knew something troubling was afoot and contacted Microsoft Corp and the Federal Bureau of Investigation, three people involved in those communications told Reuters. Microsoft and the FBI declined to comment.
Their message: FireEye has been hit by an extraordinarily sophisticated cyber-espionage campaign carried out by a nation-state, and its own problems were likely just the tip of the iceberg.
A heatmap shows the locations of known victims of the breach identified by Microsoft
About half a dozen researchers from FireEye and Microsoft, set about investigating, said two sources familiar with the response effort.
At the root of the problem, they found, was something that strikes dread in cybersecurity professionals: so-called supply-chain compromises, which in this case involved using software updates to install malware that can spy on systems, exfiltrate information and potentially wreak other types of havoc.
In 2017, Russian operatives used the technique to knock out private and government computer systems across Ukraine, after hiding a piece of malware known as NotPetya in a widely used accountancy program. Russia has denied that it was involved. The malware quickly infected computers in scores of other countries, crippling businesses and causing hundreds of millions of dollars of damage.
The latest U.S. hack employed a similar technique: SolarWinds said its software updates had been compromised and used to surreptitiously install malicious code in nearly 18,000 customer systems. Its Orion network management software is used by hundreds of thousands of organizations.
Once downloaded, the program signaled back to its operators where it had landed. In some cases where access was especially valuable, the hackers used it to deploy more active malicious software to spread across its host.
In some of the attacks, the intruders combined the administrator privileges granted to SolarWinds with Microsoft´s Azure cloud platform – which stores customers´ data online – to forge authentication ‘tokens.’ Those gave them far longer and wider access to emails and documents than many organizations thought was possible.
The Pentagon was among the SolarWinds customers who received the malicious updates. Teams are now searching DoD networks for evidence of intrusion and backdoors
Los Alamos National Laboratory, which conducts the nation’s most advanced nuclear research, was also a target in the massive cyber espionage campaign
Hackers could then steal documents through Microsoft‘s Office 365, the online version of its most popular business software, the NSA said on Thursday in an unusual technical public advisory. Also on Thursday, Microsoft announced it found malicious code in its systems.
‘This is powerful tradecraft, and needs to be understood to defend important networks,’ Rob Joyce, a senior NSA cybersecurity adviser, said on Twitter.
It is unknown how or when SolarWinds was first compromised. According to researchers at Microsoft and other firms that have investigated the hack, intruders first began tampering with SolarWinds’ code as early as October 2019, a few months before it was in a position to launch an attack.
How hackers used legitimate software updates as camouflage for the ‘SUNBURST’ attack
The hack began as early as March when malicious code was snuck into updates to popular software that monitors computer networks of businesses and governments. The malware, affecting a product made by U.S. company SolarWinds, gave elite hackers remote access into an organization’s networks so they could steal information.
It wasn’t discovered until the prominent cybersecurity company FireEye determined it had been hacked. Whoever broke into FireEye was seeking data on its government clients, the company said – and made off with hacking tools it uses to probe its customers’ defenses.
Its apparent monthslong timeline gave the hackers ample time to extract information from a lot of different targets.
FireEye executive Charles Carmakal said the company was aware of ‘dozens of incredibly high-value targets’ compromised’ by the hackers and was helping ‘a number of organizations respond to their intrusions.’
He would not name any, and said he expected many more to learn in coming days that they, too, were infiltrated.
WHAT IS SOLARWINDS?
SolarWinds, of Austin, Texas, provides network-monitoring and other technical services to hundreds of thousands of organizations around the world, including most Fortune 500 companies and government agencies in North America, Europe, Asia and the Middle East.
Its compromised product, called Orion, accounts for nearly half SolarWinds’ annual revenue. The company’s revenue totaled $753.9 million over the first nine months of this year.
Its centralized monitoring looks for problems in an organization’s computer networks, which means that breaking in gave the attackers a ‘God-view’ of those networks.
HOW DID IT HAPPEN?
The US Cybersecurity and Infrastructure Security Agency on Thursday released an alert detailing what it knows about the breach, which has been called the biggest in US history.
CISA says that hackers were able to compromise the supply chain of network management software from SolarWinds, specifically recent versions of the SolarWinds Orion products.
Beginning in March 2020, hackers used SolarWinds software updates to install a secret network backdoor, which authorities are calling SUNBURST.
The malicious code was signed by the legitimate SolarWinds code signing certificate. An estimated 18,000 customers downloaded the compromised updates.
Once installed on a network, the malware used a protocol designed to mimic legitimate SolarWinds traffic to communicate with a domain that has since been seized and shut down.
The initial contact domain would often direct the malware to a new internet protocol (IP) address for command and control. The attackers used rotating IPs and virtual private servers with IP addresses in the target’s home country to make detection of the traffic more difficult.
‘Taken together, these observed techniques indicate an adversary who is skilled, stealthy with operational security, and is willing to expend significant resources to maintain covert presence,’ CISA said in the alert.
CISA said that once inside a network, the hackers seemed focused on gathering information, and would frequently target the emails of IT and security staff to monitor any countermeasures.
Without offering further details, the agency warned that the hackers used ‘other initial access vectors beyond SolarWinds Orion,’ meaning even groups that do not use the network software could be compromised.