SolarWinds: Illuminating the Hidden Patterns That Advance the Story

Though the Russian espionage campaign that compromised the SolarWinds supply chain is still ongoing, public-facing research into it seems to have stopped. The last significant public-facing research into the SolarWinds campaign from private industry came in March of 2021, more than a month before this publication. Since then, our collective understanding of the campaign has atrophied, primarily because of the steps the adversary took to thwart forensic analysis. These impediments to analysis have impacted both the tactical and strategic responses to the campaign.

This gap in the analysis happened mainly because piecing together what has happened so far is exceptionally challenging. The threat actor, identified by the U.S. Government as APT29 but tracked in the private industry as UNC2452 (Nobelium, StellarParticle, Dark Halo), went to great lengths to avoid creating the type of patterns that make tracking them simple. For months, the Russians successfully compromised or blinded the very security companies and government agencies most likely to pursue them.

RiskIQ's Team Atlas detected, with high confidence, an additional 18 servers that likely communicated with the targeted, secondary Cobalt Strike payloads delivered via the TEARDROP and RAINDROP malware. These servers represent a 56% increase in the size of the adversary's known command-and-control footprint and will likely lead to newly identified targets after further analysis.

Article Link: https://www.riskiq.com/blog/external-threat-management/solarwinds-c2-servers-new-tactics/