Researchers shed more light on APT29 activity during SolarWinds attacks

Threat researchers in RiskIQ's Atlas intelligence unit have gathered potentially important new insights from the company's network telemetry regarding the infrastructure and tactics used in the SolarWinds cyber espionage campaign.

Using patterns derived from indicators of compromise (IoCs) that had already been reported, the researchers pivoted through the company's Internet Intelligence Graph, expanding the known attacker-owned network infrastructure by 56% and uncovering more than 18 command and control (C2) servers that had previously been missed.

The SolarWinds attack, first discovered in December 2020, is now attributed with high confidence to Cozy Bear (the APT29 group), which is linked to Russia's SVR foreign intelligence agency.

In early April, US President Joe Biden announced new sanctions on Moscow, primarily in response to the attacks, which targeted the networks of US government agencies and caused considerable collateral damage.

Kevin Livelli, RiskIQ Director of Threat Intelligence, said the findings emerged after the Atlas team noticed distinctive patterns in the HTTP banner responses returned by domains and IP addresses associated with the attack. The team then found new infrastructure by correlating domains and IPs that returned those banner response patterns with their SSL certificates, periods of activity and hosting locations across the second stage of the campaign.

Livelli said this sheds light on the tactics, techniques and procedures (TTPs) used by the threat actors behind the campaign, including evasion tactics and the deliberate avoidance of recognisable activity patterns to throw trackers off the scent. Threat researchers refer to the group by a variety of different names, among them UNC2452, StellarParticle, Nobelium and Dark Halo.

"To determine the footprint of an attacker's infrastructure, we typically need to associate IPs and domains with known campaigns to detect patterns," Livelli said. "But according to our analysis, the group has taken extensive steps to get researchers out of the way.

"Researchers and products accustomed to detecting known APT29 activity could not recognise the campaign while it was running, and discovering the trajectory of the campaign can be just as painful. As a result, very little was known about the later stages of the SolarWinds campaign."

The obfuscation tactics used by APT29 included buying domains from third parties and at auction to hide ownership information, and re-registering expired domains at different times. The first-stage infrastructure was hosted entirely, and the second-stage infrastructure mostly, in the United States. The malware used at each stage was designed to look very different, and to evade event logging the first-stage implant was designed to wait 2 weeks, with random jitter, before calling back to the C2 server.

RiskIQ said the newly discovered Cozy Bear infrastructure gives investigators a more "complex and contextual view" of the SolarWinds attacks. Detailed information, including the IoCs, is available from RiskIQ.

These findings are important for expanding the scope of ongoing investigations into the SolarWinds attacks and could lead to the discovery of further compromised targets. US officials have been informed of the team's findings.