RiskIQ’s Atlas Threat Intelligence Analysis Team Illuminates New Patterns and 56% More Threat Infrastructure Used in the SolarWinds Cyber Espionage Campaign
April 22, 2021San Francisco, CA, April 22, 2021 – RiskIQ, a leader in Internet Security Intelligence, announced that RiskIQ’s Team Atlas, its threat intelligence analysis team, leveraged the company’s unique network telemetry to reveal new infrastructure and tactics used in the SolarWinds cyber espionage campaign.
By combining the company’s Internet Intelligence Graph with patterns derived from previously reported indicators of compromise, RiskIQ’s Team Atlas surfaced 56% more attacker-owned network infrastructure, including more than a dozen newly identified command-and-control servers. The findings will likely help identify new victims of the campaign, attributed last week by the United States intelligence community to the Russian intelligence Service (SVR).
The findings came to light when RiskIQ’s Team Atlas researchers noted distinct patterns in the HTTP banner responses from domains and IP addresses associated with the incident. The team then correlated domains and IPs returning specific banner response patterns with specific SSL certificates, periods of activity, and hosting locations across the campaign’s second, more targeted stage to reveal additional attacker-owned servers.
With this information, RiskIQ shed more light on the tactics, techniques, and procedures (TTPs) used by the threat actor in this campaign, including clever evasion of American authorities and a meticulous avoidance of patterns to keep researchers off their trail. Although the U.S. government attributed the campaign to APT29, the private industry refers to the threat actor responsible under disparate names, including UNC2452, StellarParticle, Nobelium, and Dark Halo, because the TTPs did not match those of previous APT29 operations.
"Researchers or products attuned to detecting known APT29 activity would fail to recognize the campaign as it was happening," said RiskIQ Director of Threat Intelligence and [member] of RiskIQ’s Team Atlas, Kevin Livelli. "They would have an equally hard time following the trail of the campaign once they discovered it, which is why we knew so little about the later stages of the SolarWinds campaign."
Examples of pattern avoidance by APT29 included in the RiskIQ report include:
- Purchasing domains via 3rd party resellers and at domain auctions, thereby obscuring ownership information and repurchasing expired domains at different time intervals over multiple years.
- Hosting the first-stage infrastructure entirely in the U.S., hosting second-stage infrastructure primarily within the U.S., and hosting third-stage infrastructure mainly outside the U.S.
- Designing the malware used in each stage to appear dramatically different. Third-stage malware was designed to look completely different from the second-stage malware, which, in turn, looked nothing like the first-stage malware.
- Engineering the first-stage implant to beacon to its command-and-control servers with random jitter after two weeks to outlive the typical lifespan of event logging on most host-based EDR products.
"Identifying a threat actor's attack infrastructure footprint typically involves correlating IPs and domains with known campaigns to detect patterns," Livelli said. "However, our analysis shows the group took extensive measures to throw researchers off their trail.
The APT29 infrastructure uncovered by RiskIQ resulted in a more complete and context-rich view of the previously identified command-and-control infrastructure. Visit the company's Threat Intelligence Portal for the comprehensive analysis and list of IOCs uncovered in the investigation.
About RiskIQ’s Team Atlas
RiskIQ’s Team Atlas is an elite group of threat hunters who leverage RiskIQ’s unique tech stack and global collection network to illuminate the full extent of attacker infrastructures across the Internet, helping cyber defenders identify and better understand current and past breaches. Recently, RiskIQ’s Team Atlas built on publications on Solarwinds, Fin7, APT33, and Cobalt Strike to substantially improve visibility into these threat actor infrastructures. RiskIQ’s Team Atlas will continue to publish high-fidelity network indicators and analyze the broader implications of threat actor campaigns, their business context, and their geopolitical underpinnings to deliver meaningful tactical and strategic intelligence for practitioners and executives.
RiskIQ is a leader in digital attack surface management, providing the most comprehensive discovery, intelligence, and mitigation of threats associated with an organization’s digital presence. With more than 75% of attacks originating outside the firewall, RiskIQ allows enterprises to gain unified insight and control over web, social and mobile exposures. Trusted by security teams, CISO’s, and more than 100,000 security analysts, RiskIQ’s platform combines advanced internet data reconnaissance and analytics to expedite investigations, understand digital attack surfaces, assess risk, and take action to protect the business, brand, and customers. Based in San Francisco, the company is backed by Summit Partners, Battery Ventures, Georgian Partners, NationalGrid Partners, and MassMutual Ventures.
© 2021 RiskIQ, Inc. All rights reserved. RiskIQ is a registered trademark of RiskIQ, Inc. in the United States and other countries. All other trademarks contained herein are the property of their respective owners.
Front Lines Media