MITRE's ATT&CK team - with the assistance of contributors - has been mapping techniques related to a recent intrusion campaign, referred to as NOBELIUM by Microsoft, by a threat group referred to as UNC2452/Dark Halo by FireEye and Volexity respectively, and more recently attributed to the existing APT29/Cozy Bear/The Dukes threat group by Mandiant, NSA, CISA, and FBI.
It's been difficult keeping up with all the reporting and updates while trying to track down descriptions of adversary behavior, particularly as we're looking for direct analysis of intrusion data rather than derivative reporting. To that end, we're sharing a list of the reports and alerts we've been following to date. This list doesn't include everything that has been said about this intrusion, but rather those reports that directly analyze intrusion data, with a focus on describing adversary behavior. If you're interested in what ATT&CK techniques we've spotted so far from UNC2452 and the SUNBURST/TEARDROP malware, you can see our current ATT&CK Navigator layer, or download it directly. We've been describing what's new and updated in ATT&CK on our blog.
If you see a report you think we're missing that matches the above, we'd be interested in hearing about it through email at attack@mitre.org, Twitter DM to @mitreattack, or directly through this repo.
- Tracking UNC2452-Related Reporting
- Checkpoint
- CrowdStrike
- Department of Homeland Security/Cybersecurity and Infrastructure Security Agency (DHS/CISA)
- DomainTools
- FireEye/Mandiant
- Kaspersky
- McAfee
- Microsoft
- National Security Agency (NSA)
- Netresec
- Palo Alto
- ReversingLabs
- SolarWinds
- Symantec
- UK National Cyber Security Centre (NCSC)
- US Senate Select Committee on Intelligence (SSCI)
- US White House
- Volexity
- Yahoo
- Analysis of the SUNBURST backdoor and its TEARDROP payload with a focus on their obfuscation and control flow.
- Released 22 December 2020
- https://research.checkpoint.com/2020/sunburst-teardrop-and-the-netsec-new-normal/
- CrowdStrike, through its work with SolarWinds, identified what it refers to as the SUNSPOT implant, which was used to inject the SUNBURST backdoor into software builds of the SolarWinds Orion IT management product. CrowdStrike is tracking this intrusion under the "StellarParticle" activity cluster.
- Released 11 January 2021
- https://www.crowdstrike.com/blog/sunspot-malware-technical-analysis/
- CISA and FBI released a joint alert on Russia's Foreign Intelligence Service (SVR) cyber operations in light of the 15 April White House announcement attributing the SolarWinds compromise to the SVR. The alert provides information on some of the SVR's tools, targets, techniques, and capabilities to help network defenders investigate related activity and better secure their networks.
- Released 26 April 2021
- https://us-cert.cisa.gov/ncas/alerts/aa21-116a
- CISA released a Malware Analysis Report for SOLARFLARE/GoldFinder and SUNSHUTTLE/GoldMax malware.
- Released 15 April 2021
- https://us-cert.cisa.gov/ncas/analysis-reports/ar21-105a
- CISA created a central page related to the Russian Foreign Intelligence Service's (SVR) targeting of US and Allied networks; the page includes a summary of CVEs SVR actors are exploiting, related alerts, Malware Analysis Reports for SUNBURST and TEARDROP, and remediation guidance for networks affected by this campaign.
- CISA released a table of tactics, techniques, and procedures (TTPs) used by UNC2452 in the SolarWinds and Active Directory/M365 compromise. The table is designed to help network defenders detect and remediate this activity by pairing tactics and techniques with corresponding detection recommendations.
- CISA created a centralized guidance page for conducting a risk/impact assessment, with corresponding remediation recommendations, for federal agencies, critical infrastructure operators, and private organizations. In the "Threat Actor Activity" section, CISA confirmed the attackers also gained initial access via password guessing (T1110.001) and password spraying (T1110.003), in addition to the supply chain compromise.
- CISA released two Malware Analysis Reports (MAR) for SUNBURST and TEARDROP respectively.
- CISA issued an accompanying Alert to AA20-352a that addresses additional TTPs attributed to the same actor. The Alert notes techniques unrelated to compromised SolarWinds Orion products the APT actor may have used to obtain initial access, and provides a list of detection tools and methods.
- Released 8 January 2021 (Updated 4 February 2021)
- https://us-cert.cisa.gov/ncas/alerts/aa21-008a
- On 5 January 2021, CISA, FBI, NSA, and ODNI issued a joint statement that noted the SolarWinds intrusion was "likely Russian in origin" and that, to date, fewer than 10 US government organizations had been compromised, though the investigation is ongoing.
- On 23 December, CISA announced its creation of a new Supply Chain Compromise website related to what CISA describes as an ongoing intrusion.
- CISA is periodically updating this alert regarding observed TTPs and mitigation recommendations; as of 19 December 2020 CISA noted evidence of initial access vectors other than the SolarWinds Orion platform.
- Released 17 December 2020 (Updated 8 February 2021)
- https://us-cert.cisa.gov/ncas/alerts/aa20-352a
- CISA is also updating Emergency Directive 21-01, including corresponding guidance, as more information about the attack becomes available.
- Released 13 December 2020 (Updated 6 January 2021)
- https://cyber.dhs.gov/ed/21-01/#supplemental-guidance
- An analysis of the network C2 infrastructure used by the SUNBURST malware along with timeline information gathered from DomainTools' passive DNS.
- Blog post describing Mandiant's decision to merge the UNC2452 threat group into the pre-existing APT29 group. It also includes additional behaviors related to the group.
- Released 27 April 2022
- https://www.mandiant.com/resources/unc2452-merged-into-apt29
- SUNSHUTTLE malware analysis report describing a newly-reported second-stage backdoor with links to UNC2452. SUNSHUTTLE is a Go-based backdoor that can generate fake traffic and responds to a number of commands from a C2 over HTTPS. This report was released in parallel with Microsoft's NOBELIUM report, which refers to this malware as GoldMax.
- Blog post describing a number of adversary tactics, techniques, and procedures observed from UNC2452. The March 18th update added information about a new behavior, the threat actors modifying the permissions of mailbox folders.
- Released 19 January 2021 (Updated 18 March 2021*)
- https://www.fireeye.com/blog/threat-research/2021/01/remediation-and-hardening-strategies-for-microsoft-365-to-defend-against-unc2452.html
- An in-depth analysis of the SUNBURST backdoor with a focus on anti-analysis environment checks and blocklists, domain generation algorithm and variations, Command and Control (C2) behaviors for DNS A and CNAME records, and malware modes of operation.
- Released 24 December 2020
- https://www.fireeye.com/blog/threat-research/2020/12/sunburst-additional-technical-details.html
- FireEye's initial report on UNC2452, SUNBURST malware, and TEARDROP malware, containing observed TTPs, detection opportunities, and mitigation recommendations.
- A repository of countermeasures against malware related to the UNC2452 SolarWinds compromise. Note: this repository contains signatures and indicators for the COSMICGALE and SUPERNOVA malware, which was originally combined with information from the UNC2452 SolarWinds compromise but was separated out as an unrelated intrusion on 16 December 2020.
- Released 13 December 2020 (Updated 21 December 2020)
- https://github.com/fireeye/sunburst_countermeasures
- In a broader context, it's also worth bearing in mind the theft of FireEye's Red Team tools, as disclosed in early December. This theft was later linked to UNC2452 in Kevin Mandia's SSCI testimony.
- Malware analysis identifying potential overlaps between the Sunburst backdoor and a previously identified .NET backdoor known as Kazuar. Kazuar was first reported by Palo Alto in 2017 and was tentatively linked to the Turla APT group, although no solid attribution link has been made.
- Released 11 January 2021
- https://securelist.com/sunburst-backdoor-kazuar/99981/
- McAfee Labs' analysis of SUNBURST malware.
- Released 17 December 2020
- https://www.mcafee.com/blogs/other-blogs/mcafee-labs/additional-analysis-into-the-sunburst-backdoor/
- Introduces NOBELIUM as the threat actor group name and includes analysis of three recently discovered pieces of malware: GoldMax, a RAT written in Go that can generate decoy network traffic (named SUNSHUTTLE by FireEye); Sibot, malware that maintains persistence and can download and execute arbitrary payloads from a C2 server; and GoldFinder, another Go-based tool that can map out hops and proxies to a given C2 server.
- In-depth analysis of how the actors moved from SUNBURST/Solorigate to TEARDROP and RAINDROP to Cobalt Strike, and measures taken to reduce chances of detection.
- Updated information on the known extent of Solorigate activity within Microsoft with some new details on actor behavior.
- Released 31 December 2020
- https://msrc-blog.microsoft.com/2020/12/31/microsoft-internal-solorigate-investigation-update/
- An overview of the "Solorigate" cyber intrusion targeted at users of Microsoft 365 Defender containing some new details of post-compromise activity.
- A central list of Microsoft’s posts/reports/other hunting resources related to the “NOBELIUM” intrusion.
- Released 21 December 2020 (Updated 4 March 2021)
- https://aka.ms/nobelium
- Detailed descriptions of attack patterns against identity mechanisms and visible indications of compromise to identity vendors and consumers.
- Detailed analysis of Solorigate (SUNBURST) malware, including a reference at the end of this report regarding a separate DLL (SUPERNOVA) Microsoft concludes was not part of this intrusion.
- New hunting and detection queries for Azure Sentinel.
- Released 16 December 2020 (Updated 15 January 2021)
- https://techcommunity.microsoft.com/t5/azure-sentinel/solarwinds-post-compromise-hunting-with-azure-sentinel/ba-p/1995095
- An overview of the “solorigate” cyber intrusion and a frequently updated list of most of the public Microsoft posts/reports related to it targeted at customers.
- Released 13 December 2020 (Updated 21 December 2020)
- https://msrc-blog.microsoft.com/2020/12/13/customer-guidance-on-recent-nation-state-cyber-attacks/
- Microsoft’s initial report describing key early activities in the intrusion at a high level.
- Released 13 December 2020
- https://blogs.microsoft.com/on-the-issues/2020/12/13/customers-protect-nation-state-cyberattacks/
- NSA issued a joint cybersecurity advisory, along with DHS/CISA and the FBI, regarding recent Russian SVR cyber activities, including the SolarWinds compromise. The advisory cites CVEs exploited as well as observed techniques, and provides mitigation guidance.
- NSA issued a related cybersecurity advisory regarding detecting abuse of authentication mechanisms, including TTPs for gaining access to a victim network's cloud resources.
- Additional details of the DNS-based C2 protocol used by the SUNBURST malware, with a focus on the "stage 2" CNAME-based protocol.
- Released 18 February 2021
- https://www.netresec.com/?page=Blog&month=2021-02&post=Targeting-Process-for-the-SolarWinds-Backdoor
- Technical details of SUNBURST DNS queries with information about a bit set by the malware to indicate that it is ready for a new C2 domain. This bit may be usable from passive DNS queries to determine what stage of intrusion a system progressed to.
- A timeline summary of this intrusion based on publicly-available information as well as Palo Alto's internal data.
- Released 23 December 2020
- https://unit42.paloaltonetworks.com/solarstorm-supply-chain-attack-timeline/
- ReversingLabs' analysis of how the attackers compromised the SolarWinds Orion software release process by blending in with the affected code base, mimicking the developer's coding style and naming standards.
- Released 16 December 2020
- https://blog.reversinglabs.com/blog/sunburst-the-next-level-of-stealth
- SolarWinds provided an update on its investigation that included an attack timeline and initial references to the SUNSPOT implant.
- Released 11 January 2021
- https://orangematter.solarwinds.com/2021/01/11/new-findings-from-our-investigation-of-sunburst/
- SolarWinds 8-K filings related to their security incident that include unique details on how their Orion Platform products were modified.
- SolarWinds is updating its security advisory as new information becomes available, including which products are and are not known to be affected.
- Released 13 December 2020 (Updated 29 January 2021)
- https://www.solarwinds.com/securityadvisory
- The fourth and final report on SUNBURST's command and control, focusing on how the malware sends data back to the attackers through HTTP(S) POST requests.
- Analysis of a new piece of malware, Raindrop, which was deployed laterally in intrusions and used for loading Cobalt Strike. Also describes a credential dumper designed specifically for SolarWinds Orion databases similar to the open source "solarflare" tool.
- Describes the control flow via DNS for the Sunburst backdoor's command and control.
- Analysis of how the Sunburst backdoor's domain generation algorithm (DGA) was used to initiate contact with the attackers’ command and control servers.
- Released 7 January 2021
- https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/solarwinds-unique-dga
- Describes a number of defense evasion techniques used by the Sunburst backdoor.
- Analysis of the Sunburst backdoor and its Teardrop payload along with a description of some post-compromise behaviors from analysis of a victim computer.
- Released 14 December 2020 (Updated 16 December 2020)
- https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/sunburst-supply-chain-attack-solarwinds
- The UK NCSC published an alert stating Russia's SVR was responsible for the SolarWinds compromise, in addition to other cyber intrusions. The alert included links to NCSC guidance, including "Dealing with the SolarWinds Orion compromise" and "Identifying suspicious credential usage".
- Released 15 April 2021
- https://www.ncsc.gov.uk/news/uk-and-us-call-out-russia-for-solarwinds-compromise
- Opening statements from FireEye CEO Kevin Mandia, Microsoft President Brad Smith, CrowdStrike CEO George Kurtz, and SolarWinds CEO Sudhakar Ramakrishna during the SSCI open hearing, "Hearing on the Hack of U.S. Networks by a Foreign Adversary".
- Released 23 February 2021
- https://www.intelligence.senate.gov/sites/default/files/documents/os-kmandia-022321.pdf
- https://www.intelligence.senate.gov/sites/default/files/documents/os-bsmith-022321.pdf
- https://www.intelligence.senate.gov/sites/default/files/documents/os-gkurtz-022321.pdf
- https://www.intelligence.senate.gov/sites/default/files/documents/os-sramakrishna-022321.pdf
- The US White House released a fact sheet titled, "Imposing Costs for Harmful Foreign Activities by the Russian Government", that included the formal attribution of the SolarWinds Orion software compromise to Russia's SVR. The announcement also mentioned financial sanctions against six Russian technology companies that provide support to Russian intelligence cyber operations.
- Volexity tied the SolarWinds Orion software compromise to a threat group it tracks as "Dark Halo"; this report focuses on command-line actions taken post-compromise at a US-based think tank over the course of three Dark Halo intrusions, starting in late 2019.
- Reporting by Kim Zetter that includes details on UNC2452 enrolling a mobile device into FireEye's multi-factor authentication system in order to authenticate to the FireEye VPN.
- Released 18 December 2020
- https://news.yahoo.com/hackers-last-year-conducted-a-dry-run-of-solar-winds-breach-215232815.html
©2021 The MITRE Corporation. ALL RIGHTS RESERVED Approved for public release. Distribution unlimited 20-00841-19.