RiskIQ, a leader in Internet Security Intelligence, announced that RiskIQ’s Team Atlas, its threat intelligence analysis team, leveraged the company’s unique network telemetry to reveal new infrastructure and tactics used in the SolarWinds cyber espionage campaign.
By combining the company’s Internet Intelligence Graph with patterns derived from previously reported indicators of compromise, RiskIQ’s Team Atlas surfaced 56% more attacker-owned network infrastructure, including more than a dozen newly identified command-and-control servers. The findings will likely help identify new victims of the campaign, which the United States intelligence community attributed last week to the Russian Intelligence Service (SVR).
The findings came to light when RiskIQ’s Team Atlas researchers noted distinct patterns in the HTTP banner responses from domains and IP addresses associated with the incident. The team then correlated domains and IPs returning specific banner response patterns with specific SSL certificates, periods of activity, and hosting locations across the campaign’s second, more targeted stage to reveal additional attacker-owned servers.
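The correlation described above (banner shape, certificate, activity window, hosting location), as an added defender-side example that is not RiskIQ's code: all hosts, banners and certificate ids below are constructed, and the fingerprint normalisation and the corroboration rules are assumptions about how such a pivot can be implemented, not the report's method.

```python
import re
from collections import namedtuple
from datetime import date

# One scan record: host, raw HTTP response head, TLS cert fingerprint (placeholder),
# first/last date seen active, country code of the hosting location.
Observation = namedtuple("Observation", "host banner cert_id first_seen last_seen hosting_cc")
# Headers that vary per response and must not enter the fingerprint.
VOLATILE = {"date", "content-length", "etag", "last-modified", "set-cookie", "expires"}

def banner_fingerprint(banner: str) -> str:
    """Stable shape of an HTTP head: status line, Server token, ordered header names."""
    lines = [l.strip() for l in banner.splitlines() if l.strip()]
    parts = [re.sub(r"\s+", " ", lines[0])]
    for line in lines[1:]:
        name, _, value = line.partition(":")
        name = name.strip().lower()
        if name not in VOLATILE:
            parts.append(f"server={value.strip()}" if name == "server" else name)
    return "|".join(parts)

def pivot(observations, seeds):
    """Candidate hosts sharing a seed's banner fingerprint, corroborated by a shared
    certificate or by overlapping activity in the same hosting country."""
    seed_obs = [o for o in observations if o.host in seeds]
    seed_fps = {banner_fingerprint(o.banner) for o in seed_obs}
    found = {}
    for o in observations:
        if o.host in seeds or banner_fingerprint(o.banner) not in seed_fps:
            continue
        reasons = []
        for s in seed_obs:
            overlap = o.first_seen <= s.last_seen and s.first_seen <= o.last_seen
            if o.cert_id == s.cert_id:
                reasons.append(f"cert shared with {s.host}")
            elif overlap and o.hosting_cc == s.hosting_cc:
                reasons.append(f"active alongside {s.host} in {s.hosting_cc}")
        if reasons:
            found[o.host] = reasons
    return found

# Constructed sample scan records; hosts, banners and cert ids are invented.
NGINX_404 = "HTTP/1.1 404 Not Found\r\nServer: nginx\r\nDate: {}\r\nContent-Length: 0\r\n"
SAMPLE = [
    Observation("seed-c2.example", NGINX_404.format("Tue, 01 Sep 2020 00:00:00 GMT"), "cert-A", date(2020, 6, 1), date(2020, 9, 30), "US"),
    Observation("pivot-1.example", NGINX_404.format("Wed, 02 Sep 2020 00:00:00 GMT"), "cert-A", date(2020, 7, 1), date(2020, 10, 1), "US"),
    Observation("pivot-2.example", NGINX_404.format("Thu, 03 Sep 2020 00:00:00 GMT"), "cert-B", date(2020, 8, 1), date(2020, 9, 15), "US"),
    Observation("unrelated.example", "HTTP/1.1 200 OK\r\nServer: Apache\r\nContent-Type: text/html\r\n", "cert-C", date(2020, 8, 1), date(2020, 9, 15), "US"),
    Observation("stale.example", NGINX_404.format("Fri, 01 Jan 2021 00:00:00 GMT"), "cert-D", date(2021, 1, 1), date(2021, 2, 1), "DE"),
]
```

Running `pivot(SAMPLE, {"seed-c2.example"})` links the two hosts that share the seed's banner shape and either its certificate or its activity window, while the host with a different banner and the one active only in a later period in another country are left out.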
With this information, RiskIQ shed more light on the tactics, techniques, and procedures (TTPs) used by the threat actor in this campaign, including clever evasion of American authorities and a meticulous avoidance of patterns to keep researchers off their trail. Although the U.S. government attributed the campaign to APT29, private industry refers to the threat actor responsible under disparate names, including UNC2452, StellarParticle, Nobelium, and Dark Halo, because the TTPs did not match those of previous APT29 operations.
“Researchers or products attuned to detecting known APT29 activity would fail to recognize the campaign as it was happening,” said Kevin Livelli, RiskIQ Director of Threat Intelligence and [member] of RiskIQ’s Team Atlas. “They would have an equally hard time following the trail of the campaign once they discovered it, which is why we knew so little about the later stages of the SolarWinds campaign.”
Examples of pattern avoidance by APT29 cited in the RiskIQ report include:
- Purchasing domains through third-party resellers and at domain auctions, thereby obscuring ownership information, and re-purchasing expired domains at different intervals over multiple years.
- Hosting the first-stage infrastructure entirely in the U.S., hosting second-stage infrastructure primarily within the U.S., and hosting third-stage infrastructure mainly outside the U.S.
- Designing the malware used in each stage to appear dramatically different. Third-stage malware was designed to look completely different from the second-stage malware, which, in turn, looked nothing like the first-stage malware.
- Engineering the first-stage implant to wait two weeks before beaconing to its command-and-control servers, and then to beacon with random jitter, so that the initial compromise falls outside the typical retention window of event logs on most host-based EDR products.
“Identifying a threat actor’s attack infrastructure footprint typically involves correlating IPs and domains with known campaigns to detect patterns,” Livelli said. “However, our analysis shows the group took extensive measures to throw researchers off their trail.”
The APT29 infrastructure uncovered by RiskIQ gives a more complete and context-rich view of the previously identified command-and-control infrastructure. Visit the company’s Threat Intelligence Portal for the comprehensive analysis and the list of IOCs uncovered in the investigation.