The malware that was utilised to hack SolarWinds checked to see whether software used to compile the firm's Orion product was running before deploying its payload, according to Crowdstrike.
In a blog post late last night, the infosec firm said the Orion-targeting malware, which it codenamed Sunspot, had "several safeguards" to ensure its deployment of compromised code into new Orion builds didn't trigger SolarWinds' suspicions.
Orion is SolarWinds' network management software and was in wide use by a number of companies and governments. The breach first came to light when the illicit access was used to gain entry into FireEye’s networks.
In a detailed technical analysis, Crowdstrike said: "The design of SUNSPOT suggests StellarParticle developers invested a lot of effort to ensure the code was properly inserted and remained undetected, and prioritized operational security to avoid revealing their presence in the build environment to SolarWinds developers."
StellarParticle is Crowdstrike's codename for whoever developed the malware. While nobody has yet made a firm public attribution, Kaspersky advanced the theory that the Sunspot malware shared features with nasties emitted by the Turla crew – who have previously been linked to the Russian state. An early attribution by the Washington Post linked the malware to APT29, a known Russian hacking group, though American government officials have so far not confirmed that. It does appear to be the most likely explanation based on evidence in the public domain to date.
Crowdstrike said when Sunspot detected “the Orion solution file path in a running MsBuild.exe process, it replaces a source code file in the solution directory, with a malicious variant to inject SUNBURST while Orion is being built.” It added: “The malicious source code for SUNBURST, along with target file paths, are stored in AES128-CBC encrypted blobs and are protected using the same key and initialization vector.”
To prevent detection, Sunburst’s creators “included a hash verification check” to ensure the injected malicious code “is compatible with a known source file”. Once the build process was complete, Sunburst waited for MsBuild.exe to exit “before restoring the original source code and deleting the temporary InventoryManager.bk file” containing its malicious code, now compiled into the Orion product.
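The defensive counterpart of the behaviour described above, as an added example that is not from the article, Crowdstrike or SolarWinds: a build-integrity check that hashes the solution's source files before compilation and flags any file whose content changes or any stray .bk backup copy. Because Sunspot restored the original once MsBuild.exe exited, an audit like this has to run while the build is still in progress (for example from a pre-compile step or a file watcher), not after it; the file names, suffix lists and function names are assumptions.

```python
import hashlib
import tempfile
from pathlib import Path

# Hypothetical build-integrity check (assumed names, not Orion's real build logic).
SOURCE_SUFFIXES = {".cs", ".csproj", ".sln"}
BACKUP_SUFFIXES = {".bk"}   # the temporary InventoryManager.bk copy named in the article


def sha256_file(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def snapshot(solution_dir: Path) -> dict:
    """Hash every source file under the solution directory (the pre-build baseline)."""
    return {
        str(p.relative_to(solution_dir)): sha256_file(p)
        for p in solution_dir.rglob("*")
        if p.is_file() and p.suffix in SOURCE_SUFFIXES
    }


def audit(solution_dir: Path, baseline: dict) -> list:
    """Compare the tree against the baseline mid-build; return human-readable findings."""
    findings = []
    current = snapshot(solution_dir)
    for rel, digest in current.items():
        if rel not in baseline:
            findings.append(f"new source file: {rel}")
        elif baseline[rel] != digest:
            findings.append(f"source modified during build: {rel}")
    for rel in baseline:
        if rel not in current:
            findings.append(f"source file missing: {rel}")
    for p in solution_dir.rglob("*"):
        if p.is_file() and p.suffix in BACKUP_SUFFIXES:
            findings.append(f"stray backup copy: {p.relative_to(solution_dir)}")
    return findings


def demo() -> list:
    """Constructed scenario: a one-file solution whose source is swapped during the build."""
    with tempfile.TemporaryDirectory() as tmp:
        sol = Path(tmp)
        src = sol / "InventoryManager.cs"
        src.write_text("class InventoryManager { }\n")       # constructed placeholder source
        baseline = snapshot(sol)                              # taken before MsBuild starts
        src.rename(sol / "InventoryManager.bk")               # original parked as a .bk copy
        src.write_text("class InventoryManager { /* altered */ }\n")
        return audit(sol, baseline)                           # what an in-build check sees
```

On a clean build `audit` returns an empty list; the constructed scenario yields one modified-source finding and one stray-backup finding.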
SolarWinds itself, in a related post, said the malicious people behind the malware had accessed its systems in September 2019, begun testing its access a week later and conducted a two-month "trial run" without being detected. The Sunburst malware was deployed on 20 February 2020 and removed on 4 June last year.
It took until 12 December for SolarWinds to realise that its build systems had been compromised to distribute signed, malicious updates to its customers. Three days after notification the company issued a patch for Orion, but the damage had long been done by then.
May have been used twice before
SolarWinds also said in its lengthy blog post that the malware may have been used on other occasions before the FireEye compromise.
"To date," said the firm, "we have identified two previous customer support incidents during the timeline referenced above that, with the benefit of hindsight, we believe may be related to SUNBURST. We investigated the first in conjunction with our customer and two third-party security companies. At that time, we did not determine the root cause of the suspicious activity or identify the presence of the SUNBURST malicious code within our Orion Platform software."
The second instance took place in November last year, "and similarly, we did not identify the presence of the SUNBURST malicious code," said SolarWinds.
The malware, having been used to compromise FireEye, prompted a panicked wave of reactions across the Western world once it was discovered. The US CISA infosec agency ordered American government agencies to disconnect SolarWinds appliances from their networks, while Orion is known to be in widespread use by the British government.
Public attention was drawn to the sale of hundreds of millions of dollars of SolarWinds shares by two US venture capital firms days before news of the hack was announced. Both firms involved, Silver Lake and Thoma Bravo, deny wrongdoing; insider trading is a criminal offence. Based on SolarWinds' own timeline, the two investors sold up before SolarWinds itself was aware of the hack: two days after the sale, the company announced it was taking on a new CEO; three days later, the hack was discovered; five days later the world was told. Sometimes there is such a thing as coincidence. ®