Check out the full breakdown of their cyber attack
Microsoft recently shared the details on how the SolarWinds hackers managed to stay undetected by hiding all their malicious activities inside breached company networks.
This piece of valuable information was shared by security experts from the Microsoft 365 Defender Research Team, Microsoft Threat Intelligence Center (MSTIC), and Microsoft Cyber Defense Operations Center (CDOC).
According to their reports, the Solorigate second-stage activation was done using custom Cobalt Strike loaders (Teardrop, Raindrop, and others) that followed the initial Solorigate (Sunburst) DLL backdoor.
How the hackers evaded detection
The hackers displayed an impressive set of tactics, operational security, and anti-forensic behaviour that degraded the breached networks' ability to detect any sort of malicious activity.
As Microsoft itself stated, the attackers behind Solorigate are skillful and methodic operators who followed operations security (OpSec) practices to avoid as much detection as possible and stay below the radar. Microsoft shared a few of their techniques to warn other defenders in case of future attacks:
- Avoiding host-based detection by deploying a custom Cobalt Strike DLL implant on each machine.
- Renaming tools and binaries to match files and programs already on the devices they had hacked, so as to blend in.
- Disabling event logging using AUDITPOL.
- Creating new firewall rules to minimise outgoing packets for select protocols.
- Disabling security services before proceeding with the attack.
- Believed to have used timestomping to change the timestamps of artifacts and tools, preventing detection of the DLL implants.
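Several of the techniques in the list above leave traces in process-creation telemetry. The following detection sketch is an added example, not code from the article or from Microsoft: it runs simple rules over constructed Sysmon-style process events (field names `Image`, `OriginalFileName`, `CommandLine` are assumed; the service name and file paths are made up) and flags audit-policy disabling via auditpol, outbound firewall block rules, service disabling, and binaries renamed to look like legitimate system files.

```python
import ntpath
import re

# Constructed sample events in Sysmon Event ID 1 style; not real telemetry
# from the incident described above. Paths and service names are made up.
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\System32\auditpol.exe", "OriginalFileName": "AUDITPOL.EXE",
     "CommandLine": 'auditpol /set /category:"Detailed Tracking" /success:disable /failure:disable'},
    {"Image": r"C:\Windows\System32\netsh.exe", "OriginalFileName": "netsh.exe",
     "CommandLine": 'netsh advfirewall firewall add rule name="Core" dir=out protocol=udp action=block'},
    {"Image": r"C:\Windows\System32\sc.exe", "OriginalFileName": "sc.exe",
     "CommandLine": "sc config HypotheticalSecuritySvc start= disabled"},
    # A renamed copy of rundll32.exe masquerading as svchost.exe in a temp directory.
    {"Image": r"C:\Windows\Temp\svchost.exe", "OriginalFileName": "rundll32.exe",
     "CommandLine": r"C:\Windows\Temp\svchost.exe C:\Windows\Temp\x.dll,Start"},
    # Benign control event that should not match any rule.
    {"Image": r"C:\Windows\System32\notepad.exe", "OriginalFileName": "NOTEPAD.EXE",
     "CommandLine": "notepad.exe notes.txt"},
]

def _orig(event):
    return event["OriginalFileName"].lower()

# Each rule: (finding name, predicate over one event).
RULES = [
    ("audit policy disabled via auditpol",
     lambda e: _orig(e) == "auditpol.exe"
     and re.search(r"/set\b.*(success|failure):disable", e["CommandLine"], re.I)),
    ("outbound firewall block rule added via netsh",
     lambda e: _orig(e) == "netsh.exe"
     and re.search(r"advfirewall\s+firewall\s+add\s+rule.*dir=out.*action=block",
                   e["CommandLine"], re.I)),
    ("service stopped or disabled via sc",
     lambda e: _orig(e) == "sc.exe"
     and re.search(r"\b(config\s+\S+.*start=\s*disabled|stop\s+\S+)", e["CommandLine"], re.I)),
    # PE metadata keeps the original name, so a renamed system binary shows a mismatch.
    ("renamed system binary (image name differs from original file name)",
     lambda e: ntpath.basename(e["Image"]).lower() != _orig(e)),
]

def scan_events(events):
    """Return a list of (event index, finding name) for every rule that fires."""
    findings = []
    for i, event in enumerate(events):
        for name, matches in RULES:
            if matches(event):
                findings.append((i, name))
    return findings

if __name__ == "__main__":
    for idx, name in scan_events(SAMPLE_EVENTS):
        print(f"event {idx}: {name}")
```

In production the same predicates would run against the real Sysmon or EDR process-creation stream rather than the embedded sample.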
A detailed timeline is given in the image shown above. The Solorigate DLL backdoor was first deployed in February and was delivered into compromised networks in late March. The custom Cobalt Strike implants were prepared after that, and hands-on attacks started in early May.