New analysis uncovers extensive SolarWinds attack infrastructure

Researchers believe the discovery will highlight new SolarWinds attack victims


Cybersecurity researchers that have been tracking the infrastructure footprint of SolarWinds threat actors claim the network of servers used in the attack is “significantly larger than previously identified”.

Back in December 2020, a massive cyber-espionage effort was discovered that tainted the software supply chain via a rigged update to SolarWinds software. Pinned on state-sponsored Russian hackers, the hack was found to have affected nine federal agencies, in addition to many private-sector companies.

There have been several congressional hearings regarding the SolarWinds hack, and the incident also led to sanctions on several Russian cybersecurity companies. However, no one has been able to determine the true extent of the hack, in part because tracing the steps of the threat actors has been quite challenging.


“The threat actor, identified by the U.S. government as APT29 but tracked in the private industry as UNC2452, took great pains to avoid creating the type of patterns that make tracing them easy,” said RiskIQ’s intelligence analysis team in a new report.

More targets?


According to its analysis, RiskIQ has identified an additional 18 command and control (C&C) servers that communicated with the malicious payloads that were dropped as part of the cyberattack.

In the report, RiskIQ said the attack had several stages. In the first stage, the threat actors dropped the Sunburst backdoor, which was designed to identify, avoid, and disable different antivirus and endpoint detection and response (EDR) products.

The second and third stages are said to have included custom droppers (now referred to as Teardrop and Raindrop) together with additional malware and a tainted version of the Cobalt Strike pentesting tool.


RiskIQ identified the new C&C servers while analyzing the second stage of the attack. The team picked up modified Cobalt Strike beacons and then correlated them with the SSL certificates used by the SolarWinds hackers to identify the extra servers, which “will likely lead to newly identified targets”.
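The certificate correlation described above is a standard infrastructure-pivoting technique: once a few C&C hosts are confirmed, any other host presenting the same TLS certificate is a candidate for the same infrastructure. The following is an added example (not RiskIQ's code or data) that performs that pivot over a constructed set of passive-TLS observations, and applies the caveat a practitioner would want: certificates shared by a large number of hosts (shared hosting, CDNs) are skipped, because they would link unrelated servers. Host names, fingerprints and the `max_cluster_size` threshold are all assumptions.

```python
"""Pivot from known C&C hosts to related infrastructure via shared TLS certificates.

Added example for illustration; the observations below are constructed, not real
telemetry, and the pivot logic is a generic technique rather than RiskIQ's method.
"""
from collections import defaultdict
from typing import Dict, Iterable, List, Set, Tuple

# Constructed passive-TLS observations: (host, certificate SHA-256 fingerprint).
# Fingerprints are placeholder labels, not real certificate hashes.
OBSERVATIONS: List[Tuple[str, str]] = [
    ("c2-a.example.net", "fp-A"),
    ("c2-b.example.net", "fp-A"),      # same cert as a known host -> candidate
    ("c2-c.example.org", "fp-B"),
    ("c2-d.example.org", "fp-B"),      # candidate
    ("c2-e.example.org", "fp-B"),      # candidate
    ("staging.example.com", "fp-CDN"), # known host, but cert is shared by a CDN
    ("www1.example.com", "fp-CDN"),
    ("www2.example.com", "fp-CDN"),
    ("www3.example.com", "fp-CDN"),
    ("www4.example.com", "fp-CDN"),
    ("www5.example.com", "fp-CDN"),
    ("unrelated.example.io", "fp-C"),  # no link to any known host
]

# Constructed seed set of confirmed C&C hosts (assumption).
KNOWN_C2: Set[str] = {"c2-a.example.net", "c2-c.example.org", "staging.example.com"}


def cluster_by_certificate(observations: Iterable[Tuple[str, str]]) -> Dict[str, Set[str]]:
    """Group hosts by the certificate fingerprint they presented."""
    clusters: Dict[str, Set[str]] = defaultdict(set)
    for host, fingerprint in observations:
        clusters[fingerprint].add(host)
    return clusters


def pivot_from_known(
    observations: Iterable[Tuple[str, str]],
    known_hosts: Set[str],
    max_cluster_size: int = 5,
) -> Dict[str, str]:
    """Return {new_host: fingerprint} for hosts that share a certificate with a known host.

    Clusters larger than max_cluster_size are skipped: a certificate seen on many
    hosts is more likely a shared-hosting or CDN certificate than attacker-controlled
    infrastructure, and pivoting on it would produce false links.
    """
    candidates: Dict[str, str] = {}
    for fingerprint, hosts in cluster_by_certificate(observations).items():
        if len(hosts) > max_cluster_size:
            continue  # too widely shared to be a reliable pivot
        if not (hosts & known_hosts):
            continue  # no confirmed host in this cluster
        for host in hosts - known_hosts:
            candidates[host] = fingerprint
    return candidates


def expand_known(observations: Iterable[Tuple[str, str]], known_hosts: Set[str]) -> Set[str]:
    """Seed set plus every candidate found by one round of certificate pivoting."""
    return known_hosts | set(pivot_from_known(observations, known_hosts))


if __name__ == "__main__":
    for host, fp in sorted(pivot_from_known(OBSERVATIONS, KNOWN_C2).items()):
        print(f"candidate {host} (linked by certificate {fp})")
```

Each returned candidate carries the fingerprint that linked it, so an analyst can record the evidence for the link rather than just the host name; the result is a lead for further validation (for example, checking whether the host also serves the modified beacon), not a confirmed indicator on its own.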

The cybersecurity company also notes that it has already notified the US Computer Emergency Readiness Team (US-CERT) of its findings.

Via ZDNet

With almost two decades of writing and reporting on Linux, Mayank Sharma would like everyone to think he’s TechRadar Pro’s expert on the topic. Of course, he’s just as interested in other computing topics, particularly cybersecurity, cloud, containers, and coding.
