1. Home
  2. Campaigns
  3. SolarWinds Compromise

SolarWinds Compromise

The SolarWinds Compromise was a sophisticated supply chain cyber operation conducted by APT29 that was discovered in mid-December 2020. APT29 used customized malware to inject malicious code into the SolarWinds Orion software build process that was later distributed through a normal software update; they also used password spraying, token theft, API abuse, spear phishing, and other supply chain attacks to compromise user accounts and leverage their associated access. Victims of this campaign included government, consulting, technology, telecom, and other organizations in North America, Europe, Asia, and the Middle East. This activity has been labled the StellarParticle campaign in industry reporting.[1] Industry reporting also initially referred to the actors involved in this campaign as UNC2452, NOBELIUM, Dark Halo, and SolarStorm.[2][3][4][5][1][6][7][8]

In April 2021, the US and UK governments attributed the SolarWinds Compromise to Russia's Foreign Intelligence Service (SVR); public statements included citations to APT29, Cozy Bear, and The Dukes.[9][10][11] The US government assessed that of the approximately 18,000 affected public and private sector customers of Solar Winds’ Orion product, a much smaller number were compromised by follow-on APT29 activity on their systems.[12]

ID: C0024
First Seen:  August 2019 [6]
Last Seen:  January 2021 [13]
Version: 1.1
Created: 24 March 2023
Last Modified: 03 September 2024

Groups

ID Name Description
G0016 APT29

[9][10][11]
Enterprise Layer
download view

Techniques Used

Domain ID Name Use
Enterprise T1047 Windows管理规范

During the SolarWinds Compromise, APT29 used WMI for the remote execution of files for lateral movement.[14][15]
Enterprise T1546 .003 事件触发执行: Windows Management Instrumentation Event Subscription

During the SolarWinds Compromise, APT29 used a WMI event filter to invoke a command-line event consumer at system boot time to launch a backdoor with rundll32.exe.[15][14]
Enterprise T1213 从信息存储库获取数据

During the SolarWinds Compromise, APT29 accessed victims' internal knowledge repositories (wikis) to view sensitive corporate information on products, services, and internal business operations.[1]
.003 Code Repositories

During the SolarWinds Compromise, APT29 downloaded source code from code repositories.[8]
Enterprise T1555 从密码存储中获取凭证

During the SolarWinds Compromise, APT29 used account credentials they obtained to attempt access to Group Managed Service Account (gMSA) passwords.[15]

.003 Credentials from Web Browsers

During the SolarWinds Compromise, APT29 stole users' saved passwords from Chrome.[1]
Enterprise T1005 从本地系统获取数据

During the SolarWinds Compromise, APT29 extracted files from compromised networks.[5]
Enterprise T1090 .001 代理: Internal Proxy

During the SolarWinds Compromise, APT29 used SSH port forwarding capabilities on public-facing systems, and configured at least one instance of Cobalt Strike to use a network pipe over SMB.[1][16]
Enterprise T1036 .004 伪装: Masquerade Task or Service

During the SolarWinds Compromise, APT29 named tasks \Microsoft\Windows\SoftwareProtectionPlatform\EventCacheManager in order to appear legitimate.[5]
.005 伪装: Match Legitimate Name or Location

During the SolarWinds Compromise, APT29 renamed software and DLLs with legitimate names to appear benign.[5][7]
Enterprise T1606 .001 伪造Web凭证: Web Cookies

During the SolarWinds Compromise, APT29 bypassed MFA set on OWA accounts by generating a cookie value from a previously stolen secret key.[5]
.002 伪造Web凭证: SAML Tokens

During the SolarWinds Compromise, APT29 created tokens using compromised SAML signing certificates.[17][18]
Enterprise T1550 使用备用认证材料

During the SolarWinds Compromise, APT29 used forged SAML tokens that allowed the actors to impersonate users and bypass MFA, enabling APT29 to access enterprise cloud applications and services.[14][18]
.001 Application Access Token

During the SolarWinds Compromise, APT29 used compromised service principals to make changes to the Office 365 environment.[1]
.004 Web Session Cookie

During the SolarWinds Compromise, APT29 used stolen cookies to access cloud resources and a forged duo-sid cookie to bypass MFA set on an email account.[5][1]
Enterprise T1195 .002 供应链破坏: Compromise Software Supply Chain

During the SolarWinds Compromise, APT29 gained initial network access to some victims via a trojanized update of SolarWinds Orion software.[3][4][19][15]
Enterprise T1199 信任关系

During the SolarWinds Compromise, APT29 gained access through compromised accounts at cloud solution partners, and used compromised certificates issued by Mimecast to authenticate to Mimecast customer systems.[19][1]
Enterprise T1190 利用公开应用程序漏洞

During the SolarWinds Compromise, APT29 exploited CVE-2020-0688 against the Microsoft Exchange Control Panel to regain access to a network.[5][19]
Enterprise T1568 动态解析

During the SolarWinds Compromise, APT29 used dynamic DNS resolution to construct and resolve to randomly-generated subdomains for C2.[5]

Enterprise T1140 反混淆/解码文件或信息

During the SolarWinds Compromise, APT29 used 7-Zip to decode their Raindrop malware.[16]
Enterprise T1059 .001 命令与脚本解释器: PowerShell

During the SolarWinds Compromise, APT29 used PowerShell to create new tasks on remote machines, identify configuration settings, exfiltrate data, and execute other commands.[5][7][1]
.003 命令与脚本解释器: Windows Command Shell

During the SolarWinds Compromise, APT29 used cmd.exe to execute commands on remote machines.[5][7]
.005 命令与脚本解释器: Visual Basic

For the SolarWinds Compromise, APT29 wrote malware such as Sibot in Visual Basic.[19]
Enterprise T1482 域信任发现

During the SolarWinds Compromise, APT29 used the Get-AcceptedDomain PowerShell cmdlet to enumerate accepted domains through an Exchange Management Shell.[5] They also used AdFind to enumerate domains and to discover trust between federated domains.[1][15]
Enterprise T1484 .002 域或租户策略修改: Trust Modification

During the SolarWinds Compromise, APT29 changed domain federation trust settings using Azure AD administrative permissions to configure the domain to accept authorization tokens signed by their own SAML signing certificate.[18][14]
Enterprise T1584 .001 基础设施妥协: Domains

For the SolarWinds Compromise, APT29 compromised domains to use for C2.[20]
Enterprise T1133 外部远程服务

For the SolarWinds Compromise, APT29 used compromised identities to access networks via SSH, VPNs, and other remote access tools.[20][1]
Enterprise T1562 .001 妨碍防御: Disable or Modify Tools

During the SolarWinds Compromise, APT29 used the service control manager on a remote system to disable services associated with security monitoring products.[15]
.002 妨碍防御: Disable Windows Event Logging

During the SolarWinds Compromise, APT29, used AUDITPOL to prevent the collection of audit logs.[15]
.004 妨碍防御: Disable or Modify System Firewall

During the SolarWinds Compromise, APT29 used netsh to configure firewall rules that limited certain UDP outbound packets.[15]
Enterprise T1071 .001 应用层协议: Web Protocols

During the SolarWinds Compromise, APT29 used HTTP for C2 and data exfiltration.[5]
Enterprise T1587 .001 开发能力: Malware

For the SolarWinds Compromise, APT29 used numerous pieces of malware that were likely developed for or by the group, including SUNBURST, SUNSPOT, Raindrop, and TEARDROP.[4][21][15]

Enterprise T1560 .001 归档收集数据: Archive via Utility

During the SolarWinds Compromise, APT29 used 7-Zip to compress stolen emails into password-protected archives prior to exfltration; APT29 also compressed text files into zipped archives.[5][15][1]
Enterprise T1003 .006 操作系统凭证转储: DCSync

During the SolarWinds Compromise, APT29 used privileged accounts to replicate directory service data with domain controllers.[14][15][1]
Enterprise T1589 .001 收集受害者身份信息: Credentials

For the SolarWinds Compromise, APT29 conducted credential theft operations to obtain credentials to be used for access to victim environments.[1]
Enterprise T1074 .002 数据分段: Remote Data Staging

During the SolarWinds Compromise, APT29 staged data and files in password-protected archives on a victim's OWA server.[5]
Enterprise T1083 文件和目录发现

During the SolarWinds Compromise, APT29 obtained information about the configured Exchange virtual directory using Get-WebServicesVirtualDirectory.[5]
Enterprise T1048 .002 替代协议渗出: Exfiltration Over Asymmetric Encrypted Non-C2 Protocol

During the SolarWinds Compromise, APT29 exfiltrated collected data over a simple HTTPS request to a password-protected archive staged on a victim's OWA servers.[5]
Enterprise T1078 有效账户

During the SolarWinds Compromise, APT29 used different compromised credentials for remote access and to move laterally.[4][20][19]
.002 Domain Accounts

During the SolarWinds Compromise, APT29 used domain administrators' accounts to help facilitate lateral movement on compromised networks.[1]
.003 Local Accounts

During the SolarWinds Compromise, APT29 used compromised local accounts to access victims' networks.[1]
.004 Cloud Accounts

During the SolarWinds Compromise, APT29 used a compromised O365 administrator account to create a new Service Principal.[1]
Enterprise T1552 .004 未加密凭证: Private Keys

During the SolarWinds Compromise, APT29 obtained PKI keys, certificate files, and the private encryption key from an Active Directory Federation Services (AD FS) container to decrypt corresponding SAML signing certificates.[14][19]
Enterprise T1069 权限组发现

During the SolarWinds Compromise, APT29 used the Get-ManagementRoleAssignment PowerShell cmdlet to enumerate Exchange management role assignments through an Exchange Management Shell.[5]
.002 Domain Groups

During the SolarWinds Compromise, APT29 used AdFind to enumerate domain groups.[1]
Enterprise T1114 .002 电子邮件收集: Remote Email Collection

During the SolarWinds Compromise, APT29 collected emails from specific individuals, such as executives and IT staff, using New-MailboxExportRequest followed by Get-MailboxExportRequest.[5][19]
Enterprise T1070 移除指标

During the SolarWinds Compromise, APT29 temporarily replaced legitimate utilities with their own, executed their payload, and then restored the original file.[4]
.004 File Deletion

During the SolarWinds Compromise, APT29 routinely removed their tools, including custom backdoors, once remote access was achieved.[4]
.006 Timestomp

During the SolarWinds Compromise, APT29 modified timestamps of backdoors to match legitimate Windows files.[15]
.008 Clear Mailbox Data

During the SolarWinds Compromise, APT29 removed evidence of email export requests using Remove-MailboxExportRequest.[5]
Enterprise T1539 窃取Web会话Cookie

During the SolarWinds Compromise, APT29 stole Chrome browser cookies by copying the Chrome profile directories of targeted users.[1]
Enterprise T1558 .003 窃取或伪造Kerberos票据: Kerberoasting

During the SolarWinds Compromise, APT29 obtained Ticket Granting Service (TGS) tickets for Active Directory Service Principle Names to crack offline.[15]
Enterprise T1218 .011 系统二进制代理执行: Rundll32

During the SolarWinds Compromise, APT29 used Rundll32.exe to execute payloads.[17][15]
Enterprise T1082 系统信息发现

During the SolarWinds Compromise, APT29 used fsutil to check available free space before executing actions that might create large files on disk.[15]
Enterprise T1016 .001 系统网络配置发现: Internet Connection Discovery

During the SolarWinds Compromise, APT29 used GoldFinder to perform HTTP GET requests to check internet connectivity and identify HTTP proxy servers and other redirectors that an HTTP request travels through.[20]
Enterprise T1583 .001 获取基础设施: Domains

For the SolarWinds Compromise, APT29 acquired C2 domains, sometimes through resellers.[20][22]
Enterprise T1087 账号发现

During the SolarWinds Compromise, APT29 obtained a list of users and their roles from an Exchange server using Get-ManagementRoleAssignment.[5]
.002 Domain Account

During the SolarWinds Compromise, APT29 used PowerShell to discover domain accounts by exectuing Get-ADUser and Get-ADGroupMember.[1][18]
Enterprise T1098 .001 账号操控: Additional Cloud Credentials

During the SolarWinds Compromise, APT29 added credentials to OAuth Applications and Service Principals.[17][1]
.002 账号操控: Additional Email Delegate Permissions

During the SolarWinds Compromise, APT29 added their own devices as allowed IDs for active sync using Set-CASMailbox, allowing it to obtain copies of victim mailboxes. It also added additional permissions (such as Mail.Read and Mail.ReadWrite) to compromised Application or Service Principals.[5][17][23]
.003 账号操控: Additional Cloud Roles

During the SolarWinds Compromise, APT29 granted company administrator privileges to a newly created service principle.[1]
.005 账号操控: Device Registration

During the SolarWinds Compromise, APT29 registered devices in order to enable mailbox syncing via the Set-CASMailbox command.[5]
Enterprise T1105 输入工具传输

During the SolarWinds Compromise, APT29 downloaded additional malware, such as TEARDROP and Cobalt Strike, onto a compromised host following initial access.[4]
Enterprise T1057 进程发现

During the SolarWinds Compromise, APT29 used multiple command-line utilities to enumerate running processes.[5][15][1]
Enterprise T1021 .001 远程服务: Remote Desktop Protocol

During the SolarWinds Compromise, APT29 used RDP sessions from public-facing systems to internal servers.[1]
.002 远程服务: SMB/Windows Admin Shares

During the SolarWinds Compromise, APT29 used administrative accounts to connect over SMB to targeted users.[1]
.006 远程服务: Windows Remote Management

During the SolarWinds Compromise, APT29 used WinRM via PowerShell to execute commands and payloads on remote hosts.[16]
Enterprise T1018 远程系统发现

During the SolarWinds Compromise, APT29 used AdFind to enumerate remote systems.[15]
Enterprise T1665 隐藏基础设施

During the SolarWinds Compromise, APT29 set the hostnames of their C2 infrastructure to match legitimate hostnames in the victim environment. They also used IP addresses originating from the same country as the victim for their VPN infrastructure.[4]
Enterprise T1053 .005 预定任务/作业: Scheduled Task

During the SolarWinds Compromise, APT29 used scheduler and schtasks to create new tasks on remote host as part of their lateral movement. They manipulated scheduled tasks by updating an existing legitimate task to execute their tools and then returned the scheduled task to its original configuration. APT29 also created a scheduled task to maintain SUNSPOT persistence when the host booted.[5][4][21]
Enterprise T1553 .002 颠覆信任控制: Code Signing

During the SolarWinds Compromise, APT29 was able to get SUNBURST signed by SolarWinds code signing certificates by injecting the malware into the SolarWinds Orion software lifecycle.[4]

Software

ID Name Description
S0552 AdFind

[7][1]
S0154 Cobalt Strike

[4][19]
S0597 GoldFinder

[20]
S0588 GoldMax

[20]
S0002 Mimikatz

[14][1]
S0565 Raindrop

[15][16]
S0589 Sibot

[20]
S0559 SUNBURST

[4][15][24][3][25][26]
S0562 SUNSPOT

[21]
S0560 TEARDROP

[15][26][4]
S0682 TrailBlazer

[1]

References

  1. CrowdStrike. (2022, January 27). Early Bird Catches the Wormhole: Observations from the StellarParticle Campaign. Retrieved February 7, 2022.
  2. SolarWinds. (2020, December 24). SolarWinds Security Advisory. Retrieved February 22, 2021.
  3. Sudhakar Ramakrishna . (2021, January 11). New Findings From Our Investigation of SUNBURST. Retrieved January 13, 2021.
  4. FireEye. (2020, December 13). Highly Evasive Attacker Leverages SolarWinds Supply Chain to Compromise Multiple Global Victims With SUNBURST Backdoor. Retrieved January 4, 2021.
  5. Cash, D. et al. (2020, December 14). Dark Halo Leverages SolarWinds Compromise to Breach Organizations. Retrieved December 29, 2020.
  6. Unit 42. (2020, December 23). SolarStorm Supply Chain Attack Timeline. Retrieved March 24, 2023.
  7. MSTIC. (2020, December 18). Analyzing Solorigate, the compromised DLL file that started a sophisticated cyberattack, and how Microsoft Defender helps protect customers . Retrieved January 5, 2021.
  8. MSRC Team. (2021, February 18). Microsoft Internal Solorigate Investigation – Final Update. Retrieved May 14, 2021.
  9. NSA, FBI, DHS. (2021, April 15). Russian SVR Targets U.S. and Allied Networks. Retrieved April 16, 2021.
  10. UK NCSC. (2021, April 15). UK and US call out Russia for SolarWinds compromise. Retrieved April 16, 2021.
  11. Mandiant. (2020, April 27). Assembling the Russian Nesting Doll: UNC2452 Merged into APT29. Retrieved March 26, 2023.
  12. FBI, CISA, ODNI, NSA. (2022, January 5). Joint Statement by the Federal Bureau of Investigation (FBI), the Cybersecurity and Infrastructure Security Agency (CISA), the Office of the Director of National Intelligence (ODNI), and the National Security Agency (NSA). Retrieved March 26, 2023.
  13. Microsoft Threat Intelligence Center (MSTIC). (2021, May 27). New sophisticated email-based attack from NOBELIUM. Retrieved May 28, 2021.
  1. Microsoft 365 Defender Team. (2020, December 28). Using Microsoft 365 Defender to protect against Solorigate. Retrieved January 7, 2021.
  2. MSTIC, CDOC, 365 Defender Research Team. (2021, January 20). Deep dive into the Solorigate second-stage activation: From SUNBURST to TEARDROP and Raindrop . Retrieved January 22, 2021.
  3. Symantec Threat Hunter Team. (2021, January 18). Raindrop: New Malware Discovered in SolarWinds Investigation. Retrieved January 19, 2021.
  4. MSRC. (2020, December 13). Customer Guidance on Recent Nation-State Cyber Attacks. Retrieved December 30, 2020.
  5. Secureworks CTU. (n.d.). IRON RITUAL. Retrieved February 24, 2022.
  6. NCSC, CISA, FBI, NSA. (2021, May 7). Further TTPs associated with SVR cyber actors. Retrieved July 29, 2021.
  7. Nafisi, R., Lelli, A. (2021, March 4). GoldMax, GoldFinder, and Sibot: Analyzing NOBELIUM’s layered persistence. Retrieved March 8, 2021.
  8. CrowdStrike Intelligence Team. (2021, January 11). SUNSPOT: An Implant in the Build Process. Retrieved January 11, 2021.
  9. Smith, L., Leathery, J., Read, B. (2021, March 4). New SUNSHUTTLE Second-Stage Backdoor Uncovered Targeting U.S.-Based Entity; Possible Connection to UNC2452. Retrieved March 12, 2021.
  10. Microsoft Threat Intelligence Center. (2021, October 25). NOBELIUM targeting delegated administrative privileges to facilitate broader attacks. Retrieved March 25, 2022.
  11. Symantec Threat Hunter Team. (2021, January 22). SolarWinds: How Sunburst Sends Data Back to the Attackers. Retrieved January 22, 2021.
  12. Stephen Eckels, Jay Smith, William Ballenthin. (2020, December 24). SUNBURST Additional Technical Details. Retrieved January 6, 2021.
  13. Check Point Research. (2020, December 22). SUNBURST, TEARDROP and the NetSec New Normal. Retrieved January 6, 2021.