By now, most people know that hackers tied to the Russian government compromised the SolarWinds software build system, sending a malicious update to around 18,000 of the company's customers. On Monday, researchers released evidence that hackers from China also targeted SolarWinds customers, in what security analysts describe as a distinctly different operation.
The parallel campaigns have been publicly known since December, when researchers found that, separately from the supply chain attack, hackers were exploiting a security flaw in SolarWinds' Orion software. Hackers in this second campaign used the exploit to install a malicious web shell called Supernova on the network of a customer that used the network administration tool. At the time, however, researchers had little or no evidence of who carried out the attack.
On Monday, researchers said the attack was likely carried out by a China-based hacking group they call "Spiral." The finding, set out in a report released Monday by Secureworks' Counter Threat Unit (CTU), is based on tactics, techniques, and procedures in the hack that were either identical or very similar to those in an earlier compromise the researchers had discovered on the same network.
Attacked on more than one front
The finding follows the revelation that China-based hackers known as Hafnium are one of at least five groups behind attacks that have installed malicious web shells on tens of thousands of Microsoft Exchange servers. Monday's report shows that there is no shortage of APTs, short for advanced persistent threats, determined to target a wide range of US-based organizations.
"At a time when everyone is looking for HAFNIUM webshells because of the Exchange zero-days we learned about last week, SPIRAL's activity is a reminder that businesses are being beaten up on more than one front," Juan Andres Guerrero-Saade, principal threat researcher at security firm SentinelOne, said in a direct message. The report is "a reminder of the diversity and breadth of the APT ecosystem."
Researchers at the Counter Threat Unit said they encountered Supernova in November while responding to a hack of a customer's network. Like other malicious web shells, Supernova was installed only after the attackers had already gained the ability to run code on the target's systems. The attackers then used Supernova to issue commands that stole passwords and other data, which in turn gave them access to other parts of the network.
Secureworks' CTU researchers had already suspected that the speed and surgical precision of the movement within the target network indicated that Spiral had prior familiarity with it. Then the researchers noticed similarities between the November hack and one they had uncovered in August 2020. The attackers in that earlier hack likely first gained access as early as 2018 by exploiting a vulnerability in a product known as ManageEngine ServiceDesk, the report said.
"CTU researchers were initially unable to attribute the August activity to known threat groups," the researchers wrote. "However, the following similarities with the SPIRAL intrusion in late 2020 suggest that the SPIRAL threat group was responsible for both intrusions:"
- The threat actors used identical commands to dump the LSASS process via comsvcs.dll and used the same output file path (see Figure 6: LSASS process dump from August 2020 with a command identical to the one used in November 2020).
- The same two servers were accessed: a domain controller and a server that could provide access to sensitive business information.
- The same path "c:\users\public" (in lower case only) was used as the working directory.
- Three compromised administrator accounts were used in both intrusions.
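Two of the indicators above are directly huntable in process-creation telemetry: an LSASS memory dump taken with comsvcs.dll (normally invoked as `rundll32.exe comsvcs.dll, MiniDump <pid> <output> full`) and a working directory of `c:\users\public`. The following detection logic is an added example written for this page; it is not code from the Secureworks report, and the log events it runs over are constructed to resemble Sysmon Event ID 1 / Security 4688 records rather than taken from any real intrusion. It also matches the ordinal form of the export (`comsvcs.dll, #24`), which a name-only string match would miss.

```python
import re

# Constructed process-creation events (invented for this example, not from the
# Secureworks report). Fields mirror what Sysmon Event ID 1 or Security 4688
# with command-line auditing would give you.
SAMPLE_EVENTS = [
    {"host": "dc01", "user": r"CORP\admin1", "cwd": r"c:\users\public",
     "cmdline": r"rundll32.exe C:\Windows\System32\comsvcs.dll, MiniDump 612 c:\users\public\lsass.dmp full"},
    {"host": "app03", "user": r"CORP\admin2", "cwd": r"c:\users\public",
     "cmdline": r"rundll32.exe comsvcs.dll, #24 708 c:\users\public\l.dmp full"},
    {"host": "ws11", "user": r"CORP\alice", "cwd": r"C:\Users\alice",
     "cmdline": r"powershell.exe -NoProfile -Command Get-Process"},
    {"host": "fs02", "user": r"CORP\svc_backup", "cwd": r"C:\Windows\System32",
     "cmdline": r"svchost.exe -k netsvcs -p"},
]

# comsvcs.dll's MiniDump export called by name or by ordinal (#24), followed by
# the target PID, the output path and the literal "full" argument.
MINIDUMP_RE = re.compile(
    r"comsvcs(?:\.dll)?\s*,\s*(?:MiniDump|#24)\s+(?P<pid>\d+)\s+(?P<out>\S+)\s+full",
    re.IGNORECASE,
)

PUBLIC_DIR = r"c:\users\public"


def classify(event):
    """Return the reasons this event matches the reported tradecraft ([] if none)."""
    reasons = []
    m = MINIDUMP_RE.search(event["cmdline"])
    if m:
        reasons.append(f"comsvcs.dll MiniDump of PID {m.group('pid')} to {m.group('out')}")
        if m.group("out").lower().startswith(PUBLIC_DIR):
            reasons.append("dump written under c:\\users\\public")
    cwd = event.get("cwd", "")
    if cwd.lower().rstrip("\\") == PUBLIC_DIR:
        # The report notes the actor typed the path in lower case only; an exact
        # lower-case spelling is a slightly stronger, but not conclusive, signal.
        exact = " (exact lower-case spelling)" if cwd == PUBLIC_DIR else ""
        reasons.append("working directory is c:\\users\\public" + exact)
    return reasons


def detect(events):
    """Run classify over every event and return one hit record per matching event."""
    hits = []
    for ev in events:
        reasons = classify(ev)
        if reasons:
            hits.append({"host": ev["host"], "user": ev["user"], "reasons": reasons})
    return hits


if __name__ == "__main__":
    for hit in detect(SAMPLE_EVENTS):
        print(f"{hit['host']} {hit['user']}: " + "; ".join(hit["reasons"]))
```

Any `comsvcs.dll` MiniDump against a process on a domain controller deserves an alert on its own; the `c:\users\public` working directory is weaker evidence and is best used, as Secureworks did, to link activity across intrusions rather than to alert by itself.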
The CTU researchers already knew that Chinese hackers had exploited ManageEngine servers to gain long-term access to networks of interest. That alone, however, was not enough to establish that Spiral was based in China. The researchers became more confident in the connection after discovering that the hackers had accidentally disclosed one of their IP addresses in August; it geolocated to China.
The hackers revealed their IP address when they stole the endpoint detection software that Secureworks sold to the hacked customer. For reasons that remain unclear, the hackers then ran the security product on one of their own computers, which revealed its IP address when it contacted a Secureworks server.
The naming convention of that computer matched that of another computer the hackers had used when they connected to the network through a VPN. Taken together, the evidence gathered by CTU researchers gave them confidence that both hacks were carried out by the same group and that the group was based in China.
"Similarities between activities related to SUPERNOVA in November and activities that CTU researchers analyzed in August suggest that the SPIRAL threat group was responsible for both intrusions," the CTU researchers wrote. "The characteristics of these intrusions suggest a possible link to China."