Microsoft's News Timeline
In this post, we will summarize news on the SolarWinds hack from Microsoft’s perspective.
Microsoft updates posts in place but maintains the original date of the post. In many instances, Microsoft also includes revision histories on its posts. In the notes below, we list sources by their original post date.
Dec 13, 2020 1, 2
- Described the attacker as a nation-state
- Used the term Solorigate for the malware (FireEye and SolarWinds use the term SUNBURST)
- Described steps taken by the attacker to use the SolarWinds compromise
- Detailed how the compromise enables the attacker to obtain permissions to Office365 email
- Published IOCs
- Recommended defenses for organizations using SolarWinds Orion
Dec 15, 2020 3, 4
- Released threat intelligence for Azure Defender
- Announced that, starting Dec 16, Microsoft Defender (endpoint protection suite) would begin blocking SolarWinds binaries known to contain SUNBURST
Dec 16, 2020 5
- Posted a tutorial on post-compromise hunting of attacker activity using Azure Sentinel (cloud-based SIEM)
Dec 17, 2020 6
- Asserted that nation-state actors are becoming more sophisticated and determined
- Indicated that 40 customers in 8 countries had been targeted by the malware and had been notified by Microsoft
Dec 18, 2020 7, 8, [^msft20201218-3]
- Recommended steps to protect customers with Microsoft cloud deployments from on-premises compromises
- Published a threat analytics report on SUNBURST
Dec 21, 2020 9, 10, 11
- Described mechanisms for identifying SUNBURST IOCs for identity providers and their customers
- Posted steps to recover from systemic identity compromises
- Created a one-stop-shop resource center for defensive responses related to SUNBURST
Dec 22, 2020 12
- Recommended steps to unearth indicators of compromise using Azure Monitor (a telemetry collection and monitoring service)
Dec 28, 2020 13
- Published a guide on using Microsoft 365 Defender (endpoint and cloud access protection suite) to identify, investigate and respond to SUNBURST
Dec 31, 2020 14
- Declared that the nation-state actor had breached Microsoft's internal systems to the point of viewing Microsoft's code bases using compromised Microsoft-internal accounts
Jan 18, 2021 15
- Published a deep-dive analysis of the inner workings of SUNBURST (similar to FireEye's analysis)
- Identified an additional backdoor for Orion unrelated to SUNBURST or UNC2452; it is unclear whether this backdoor is the same as SUPERNOVA, previously reported by SolarWinds
Jan 19, 2021 16
- Advised customers to use a zero trust security model to limit damage from future versions of the SolarWinds hack
Jan 20, 2021 17, 18
- Documented the handover from SUNBURST (the original malware) to TEARDROP or RAINDROP, secondary malware that eventually loads Cobalt Strike; UNC2452 separated the loading of Cobalt Strike from SUNBURST (and Orion) to reduce the probability of a defender detecting SUNBURST
- Noted various elements of operational security demonstrated by UNC2452
Feb 14, 2021 19, 20
- Claimed that UNC2452 deployed more than 1,000 engineers for the SolarWinds hack
- Declared that SUNBURST consisted of 4,032 lines of code
Feb 18, 2021 21, 22
- Confirmed that UNC2452 downloaded code for components of Azure, Intune (mobile device manager), and Exchange (no repository was fully downloaded)
- Indicated that UNC2452 searched for secrets and keys stored inside the code
- Declared that Microsoft policies prohibit storing secrets and keys inside source code; confirmed that the attacker did not find any secrets or keys in the code
Feb 23, 2021 23, 24
- Indicated that it had notified 60 customers that were compromised by the SolarWinds hack (the US Government number for organizations compromised was ~100)
- Named the Russian Foreign Intelligence Service as the only suspect behind UNC2452
- Reiterated that at least 1,000 skilled engineers (working for UNC2452) were involved in the SolarWinds hack
Feb 25, 2021 25
- Announced open-sourcing of CodeQL, a previously in-house tool to analyze code and detect similarities in syntax and semantics across code bases
- Indicated that it had used CodeQL to hunt for potential implants similar to SUNBURST (and related malware) in Microsoft’s code
Mar 4, 2021 26
- Described newly detected GoldMax malware used by UNC2452 (FireEye appears to call this malware SUNSHUTTLE)
- Announced and described two additional pieces of malware, Sibot and GoldFinder, related to GoldMax
- Indicated that all three malware pieces were used after the initial compromise of an organization via SUNBURST
References
1. https://msrc-blog.microsoft.com/2020/12/13/customer-guidance-on-recent-nation-state-cyber-attacks/
2. https://blogs.microsoft.com/on-the-issues/2020/12/13/customers-protect-nation-state-cyberattacks/
3. https://www.microsoft.com/security/blog/2020/12/15/ensuring-customers-are-protected-from-solorigate/
4. https://techcommunity.microsoft.com/t5/iot-security/latest-threat-intelligence-15-december-2020-fireeye-and/m-p/1999394
5. https://techcommunity.microsoft.com/t5/azure-sentinel/solarwinds-post-compromise-hunting-with-azure-sentinel/ba-p/1995095
6. https://blogs.microsoft.com/on-the-issues/2020/12/17/cyberattacks-cybersecurity-solarwinds-fireeye/
7. https://techcommunity.microsoft.com/t5/azure-active-directory-identity/protecting-microsoft-365-from-on-premises-attacks/ba-p/1751754
8. https://www.microsoft.com/security/blog/2020/12/18/analyzing-solorigate-the-compromised-dll-file-that-started-a-sophisticated-cyberattack-and-how-microsoft-defender-helps-protect/
9. https://msrc-blog.microsoft.com/2020/12/21/december-21st-2020-solorigate-resource-center/
10. https://techcommunity.microsoft.com/t5/azure-active-directory-identity/understanding-quot-solorigate-quot-s-identity-iocs-for-identity/ba-p/2007610
11. https://www.microsoft.com/security/blog/2020/12/21/advice-for-incident-responders-on-recovery-from-systemic-identity-compromises/
12. https://techcommunity.microsoft.com/t5/azure-active-directory-identity/azure-ad-workbook-to-help-you-assess-solorigate-risk/ba-p/2010718
13. https://www.microsoft.com/security/blog/2020/12/28/using-microsoft-365-defender-to-coordinate-protection-against-solorigate/
14. https://msrc-blog.microsoft.com/2020/12/31/microsoft-internal-solorigate-investigation-update/
15. https://www.microsoft.com/security/blog/2020/12/18/analyzing-solorigate-the-compromised-dll-file-that-started-a-sophisticated-cyberattack-and-how-microsoft-defender-helps-protect/
16. https://www.microsoft.com/security/blog/2021/01/19/using-zero-trust-principles-to-protect-against-sophisticated-attacks-like-solorigate/
17. https://www.microsoft.com/security/blog/2021/01/20/deep-dive-into-the-solorigate-second-stage-activation-from-sunburst-to-teardrop-and-raindrop/
18. https://www.zdnet.com/article/microsoft-this-is-how-the-sneaky-solarwinds-hackers-hid-their-onward-attacks-for-so-long/
19. https://www.cbsnews.com/news/solarwinds-hack-russia-cyberattack-60-minutes-2021-02-14/
20. https://www.theregister.com/2021/02/15/solarwinds_microsoft_fireeye_analysis/
21. https://msrc-blog.microsoft.com/2021/02/18/microsoft-internal-solorigate-investigation-final-update/
22. https://www.bleepingcomputer.com/news/microsoft/microsoft-solarwinds-hackers-downloaded-some-azure-exchange-source-code/
23. https://www.cnbc.com/2021/02/23/microsoft-exec-brad-smith-praises-fireeye-in-solarwinds-hack-testimony.html
24. https://www.microsoft.com/security/blog/2021/02/25/microsoft-open-sources-codeql-queries-used-to-hunt-for-solorigate-activity/
25. https://www.microsoft.com/security/blog/2021/03/04/goldmax-goldfinder-sibot-analyzing-nobelium-malware/