The threat actor behind the extensive SolarWinds supply-chain attack that hit multiple US government agencies, as well as a number of private businesses including FireEye and Microsoft, reportedly conducted a test run of the cyber-espionage campaign last year.
Citing people familiar with the matter, Yahoo News reported that the attackers pushed malicious files out through the SolarWinds network in October 2019, five months before the previously reported files were sent to victims via the company's software update server. Unlike the files used in the 2020 SolarWinds hack, these did not contain a backdoor, and they went undetected until December 2020.
“We’re thinking they wanted to test whether or not it was going to work and whether it would be detected. So it was more or less a dry run,” a source familiar with the investigation said. “They took their time. They decided to not go out with an actual backdoor right away. That signifies that they’re a little bit more disciplined and deliberate.”
“This tells us the actor had access to SolarWinds’ environment much earlier than this year. We know at minimum they had access Oct. 10, 2019. But they would certainly have had to have access longer than that,” the source said. “So that intrusion [into SolarWinds] has to originate probably at least a couple of months before that — probably at least mid-2019 [if not earlier].”
The malicious files were discovered on the systems of several victims; however, investigators have so far found no evidence that the files were used to carry out any malicious activity on the compromised machines. Five months later, the attackers deployed new malicious files to the SolarWinds software update servers. These installed a backdoor on victim networks that gave the hackers direct access to them.
The security firm FireEye was the first to report a breach, one that resulted in the theft of its Red Team security tools. Charles Carmakal, senior vice president and chief technology officer at Mandiant, FireEye's incident response arm, did not say exactly when the breach took place, but he noted that "the attackers were not in his company for the full eight months between when the malicious software updates first were made available for customers to download from the SolarWinds server and the time that FireEye discovered the breach."
Carmakal told Yahoo News that the intrusion was discovered after the attackers enrolled a device of their own in FireEye's multifactor authentication (MFA) system, which FireEye employees use to sign into the company's VPN remotely. Registering that device was the attackers' way of obtaining the one-time codes the VPN requires, but the enrollment itself tripped FireEye's security monitoring, which automatically alerted the security team that an unknown device, purportedly belonging to a FireEye employee, had been registered with the MFA system.
“They had to provide credentials to authenticate [their device] to the [multifactor authentication system] in order to authenticate to the FireEye VPN,” Carmakal said. “It was the process the attacker followed to enroll in the MFA solution which is what generated the alert. But at this point the attacker already had the employee’s username and password.”
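The detection Carmakal describes is worth spelling out, because it is cheap to replicate: an attacker who holds a valid username and password still has to enroll a second factor, and that enrollment is a rare, loggable event. The following is an added example, not code from the article, FireEye or any identity vendor. It assumes a hypothetical JSON-lines log schema (`event`, `user`, `src_ip`, `device_id`, `method`) and constructed sample events; a real deployment would map the fields of its own IdP's audit log onto these. It builds a per-user baseline of devices and source IPs from earlier login events and flags any MFA enrollment of a device that user has never authenticated from, escalating when the enrolling IP is new as well, and demoting a user's very first enrollment (likely onboarding) to low severity.

```python
"""Flag MFA device enrollments that may indicate use of stolen credentials.

Added example with a hypothetical log schema; constructed sample data below.
"""
import json
from collections import defaultdict

# Constructed sample audit events (hypothetical schema, not any real vendor format).
# alice has a history of logins from one device/IP; then a new device is enrolled
# from an address never seen for her. bob has no history at all (first enrollment).
SAMPLE_LOG = """
{"ts":"2020-11-20T08:01:10Z","event":"login","user":"alice","src_ip":"203.0.113.10","device_id":"dev-a1"}
{"ts":"2020-11-21T09:12:44Z","event":"login","user":"alice","src_ip":"203.0.113.10","device_id":"dev-a1"}
{"ts":"2020-11-22T03:40:02Z","event":"mfa_enroll","user":"alice","src_ip":"198.51.100.7","device_id":"dev-z9","method":"totp"}
{"ts":"2020-11-22T03:41:30Z","event":"login","user":"alice","src_ip":"198.51.100.7","device_id":"dev-z9"}
{"ts":"2020-11-22T10:00:00Z","event":"mfa_enroll","user":"bob","src_ip":"203.0.113.22","device_id":"dev-b2","method":"push"}
"""


def parse_events(text):
    """Parse JSON-lines audit text into a list of event dicts, skipping blank lines."""
    return [json.loads(line) for line in text.strip().splitlines() if line.strip()]


def detect_suspicious_enrollments(events):
    """Return one alert per MFA enrollment of a device the user has never used.

    Severity:
      low    - the user has no prior history at all (first enrollment, e.g. onboarding)
      medium - device is new for the user but the source IP has been seen before
      high   - both device and source IP are new for the user (the pattern described
               above: a valid password used from attacker-controlled infrastructure)
    """
    seen_devices = defaultdict(set)  # user -> device_ids observed in any prior event
    seen_ips = defaultdict(set)      # user -> source IPs observed in any prior event
    alerts = []

    # ISO-8601 timestamps with a fixed 'Z' suffix sort correctly as strings.
    for ev in sorted(events, key=lambda e: e["ts"]):
        user = ev["user"]
        if ev["event"] == "mfa_enroll":
            has_history = bool(seen_devices[user] or seen_ips[user])
            new_device = ev["device_id"] not in seen_devices[user]
            new_ip = ev["src_ip"] not in seen_ips[user]
            if new_device:
                if not has_history:
                    severity, reason = "low", "first MFA enrollment for this user"
                elif new_ip:
                    severity, reason = "high", "new MFA device enrolled from a source IP never seen for this user"
                else:
                    severity, reason = "medium", "new MFA device enrolled from a known source IP"
                alerts.append({
                    "ts": ev["ts"],
                    "user": user,
                    "device_id": ev["device_id"],
                    "src_ip": ev["src_ip"],
                    "severity": severity,
                    "reason": reason,
                })
        # Update the baseline only after evaluating the event, so an enrollment
        # cannot whitelist itself.
        seen_devices[user].add(ev["device_id"])
        seen_ips[user].add(ev["src_ip"])
    return alerts


if __name__ == "__main__":
    for alert in detect_suspicious_enrollments(parse_events(SAMPLE_LOG)):
        print(json.dumps(alert))
```

The point of the baseline being built only from events strictly before the enrollment is that a stolen password gives the attacker nothing to fake here: they can authenticate, but they cannot retroactively make their device or network appear in the user's history.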
A subsequent investigation revealed that the hackers had gained their initial access to the network via the trojanized SolarWinds software.
Beyond that, Carmakal did not say how the hackers obtained the credentials or how many employee credentials they stole.