Microsoft researchers say a second unidentified hacking team installed a backdoor in the same SolarWinds network software that facilitated...
Microsoft researchers say a second unidentified hacking team installed a backdoor in the same SolarWinds network software that facilitated a massive cyber espionage campaign, as the number of victims in the attack rose to 200.
The second backdoor, dubbed SUPERNOVA by security experts, appears distinct from the SUNBURST attack that has been attributed to Russia, raising the possibility that multiple adversaries were attempting parallel attacks, perhaps unbeknownst to each other.
It comes after President Donald Trump contradicted members of his own administration to suggest that China may be behind the sprawling attack, which compromised key federal agencies.
'The investigation of the whole SolarWinds compromise led to the discovery of an additional malware that also affects the SolarWinds Orion product but has been determined to be likely unrelated to this compromise and used by a different threat actor,' Microsoft said in a security blog on Friday.
The second backdoor is a piece of malware that imitates SolarWinds' Orion product but it is not 'digitally signed' like the other attack, suggesting this second group of hackers did not share the same access to the network management company's internal systems.
Chinese leader Xi Jinping is seen with Russian President Vladimir Putin. There is now evidence two adversaries compromised SolarWinds products, after Trump contradicted his own secretary of state to suggest China, rather than Russia was to blame
Microsoft's headquarters is seen above. The company says a second a second unidentified hacking team installed a backdoor in the same SolarWinds network software that facilitated a massive cyber espionage campaign
Microsoft identified the types of targets compromised in the attack in the above graphic
It is unclear whether SUPERNOVA has been deployed against any targets, such as customers of SolarWinds. The malware appears to have been created in late March, based on a review of the file's compile times.
The SUNBURST backdoor was first deployed in March, though the same group behind it appears to have tampered with SolarWinds products as early as October 2019.
In past breaches, security researchers have found evidence that more than one suspected Russian hacking group penetrated the same system, duplicating their efforts in a way that suggested each did not know what the other was doing.
One such case was the breach of the Democratic National Committee's servers in 2016, when CrowdStrike researchers found evidence that Russian hacking groups dubbed Fancy Bear and Cozy Bear had both broken into the system.
It's also possible that the SUPERNOVA and SUNBURST attacks represent the actions of separate nations attempting to use SolarWinds products to penetrate other high-value U.S. targets.
In a statement, a SolarWinds spokesman did not address SUPERNOVA, but said the company 'remains focused on collaborating with customers and experts to share information and work to better understand this issue.'
'It remains early days of the investigation,' the spokesman said.
Hackers used malicious code inserted into legitimate products from SolarWinds to target hundreds of high-value targets. Above, the company's Texas headquarters is seen
A graphic shows how the SUNBURST attack unfolded in networks that were compromised
Meanwhile, cybersecurity firm Recorded Future says it has identified 198 victims of the attack who were actively compromised through the backdoor, though the final number could rise further, according to Bloomberg.
Though compromised network software from SolarWinds Corp was downloaded by nearly 18,000 customers since March, the hackers only activated their Trojan horse backdoor, dubbed SUNBURST, on a handful of high-value targets.
The researchers did not name the victims, though experts at Microsoft have said most victims were government agencies, defense contractors, and technology providers. The departments of Homeland Security, Justice, Treasury, Commerce, Energy and State are known to be among the compromised victims.
Though Secretary of State Mike Pompeo on Friday attributed the SUNBURST attack to Russia, President Donald Trump on Saturday broke his lengthy silence about the breach to suggest that China may be responsible.
'Russia, Russia, Russia is the priority chant when anything happens because Lamestream is, for mostly financial reasons, petrified of discussing the possibility that it may be China (it may!),' Trump said in a tweet.
Trump's assertion that China may be behind the hacking spree, runs counter to comments by Pompeo and multiple lawmakers briefed on the matter.
'We can say pretty clearly that it was the Russians that engaged in this activity,' said Pompeo on Friday in an interview. Russia has denied involvement in the attack.
Republican lawmaker Mitt Romney in a tweet on Thursday said the hack was 'like Russian bombers have been repeatedly flying undetected over our entire country.'
Donald Trump has broken his silence over the huge suspected Russian cyber attack claiming that China could be behind the attack
Trump tweeted claiming that China could be behind the attack, despite Secretary of State Mike Pompeo publicly blaming Russia the day before
Experts say that attribution of a skilled cyber breach can be difficult to pin down, and note that the tools used in the SUNBURST attack have never been seen before.
'Cyber attribution is exceptionally complex and relies on analysis not only of the tools and techniques used, but also the possible motivations,' Brett Callow, a threat analyst with cybersecurity firm Emsisoft, told DailyMail.com.
'What evidence the US government has that points to the attack being carried out by Russia - or, for that matter, China - is unclear at this point,' he added.
The hack first came into view last week, when U.S. cybersecurity firm FireEye Inc disclosed that it had itself been a victim of the very kind of cyberattack that clients pay it to prevent.
Publicly, the incident initially seemed mostly like an embarrassment for FireEye. But hacks of security firms are especially dangerous because their tools often reach deeply into the computer systems of their clients.
Days before the hack was revealed, FireEye researchers knew something troubling was afoot and contacted Microsoft Corp and the Federal Bureau of Investigation, three people involved in those communications told Reuters. Microsoft and the FBI declined to comment.
Their message: FireEye has been hit by an extraordinarily sophisticated cyber-espionage campaign carried out by a nation-state, and its own problems were likely just the tip of the iceberg.
A heatmap shows the locations of known victims of the breach identified by Microsoft
About half a dozen researchers from FireEye and Microsoft, set about investigating, said two sources familiar with the response effort.
At the root of the problem, they found, was something that strikes dread in cybersecurity professionals: so-called supply-chain compromises, which in this case involved using software updates to install malware that can spy on systems, exfiltrate information and potentially wreak other types of havoc.
In 2017, Russian operatives used the technique to knock out private and government computer systems across Ukraine, after hiding a piece of malware known as NotPetya in a widely used accountancy program. Russia has denied that it was involved. The malware quickly infected computers in scores of other countries, crippling businesses and causing hundreds of millions of dollars of damage.
The latest U.S. hack employed a similar technique: SolarWinds said its software updates had been compromised and used to surreptitiously install malicious code in nearly 18,000 customer systems. Its Orion network management software is used by hundreds of thousands of organizations.
Once downloaded, the program signaled back to its operators where it had landed. In some cases where access was especially valuable, the hackers used it to deploy more active malicious software to spread across its host.
In some of the attacks, the intruders combined the administrator privileges granted to SolarWinds with Microsoft´s Azure cloud platform - which stores customers´ data online - to forge authentication 'tokens.' Those gave them far longer and wider access to emails and documents than many organizations thought was possible.
The Pentagon was among the SolarWinds customers who received the malicious updates. Teams are now searching DoD networks for evidence of intrusion and backdoors
Los Alamos National Laboratory, which conducts the nation's most advanced nuclear research, was also a target in the massive cyber espionage campaign
Hackers could then steal documents through Microsoft's Office 365, the online version of its most popular business software, the NSA said on Thursday in an unusual technical public advisory. Also on Thursday, Microsoft announced it found malicious code in its systems.
'This is powerful tradecraft, and needs to be understood to defend important networks,' Rob Joyce, a senior NSA cybersecurity adviser, said on Twitter.
It is unknown how or when SolarWinds was first compromised. According to researchers at Microsoft and other firms that have investigated the hack, intruders first began tampering with SolarWinds' code as early as October 2019, a few months before it was in a position to launch an attack.
No comments