Whether acting as a consumer or as an organization, we have been trained to keep any software up to date if we want to take advantage of improved functionality and remove glitches. While we diligently download updates, it rarely crosses anyone’s mind that a hacker could try to infiltrate our environment through the update. In the spring of 2020, as 18,000 SolarWinds customers took action following an on-screen prompt to update their software, they did not suspect they would be the next victims of a major cyber attack.LEARN MORE >
Following the global news release of the breach, governmental and private organizations scrambled to disable SolarWinds software and assess the damage in what was purported to have been the biggest cyber incident in years. The incident represented a wakeup call for many defenders, illustrating the stealth and operational sophistication this adversary demonstrated.
Discovery and Identification
The threat actor was initially identified by a rogue multi-force and observers (MFO) attempt that caught the eye of a Mandiant responder who subsequently escalated the event. An internal investigation ensued, but most artifacts led to dead ends until the investigation finally connected to the supply chain incident and Sunburst malware. At that moment, Mandiant generated the temporary uncategorized threat actor name UNC2452.
As further information became available, several actor characteristics surfaced and were attributed to UNC2452, including:
The methods this actor used are disconcerting, because they operate in a way we have not previously observed. Stealthy, disciplined and adaptable to different environments, they learned how to become invisible from threat intelligence blogs (counter intelligence) and applied multiple means of persistence through malware and classical access. Once inside the victim’s environment, any on-disk activity was minimized to remove forensic artifacts and host names were chosen to match those of the victim to avoid detection.
The attacks themselves were very sophisticated, highlighting their adaptability as an adversary. The initial stages of the attack were broad, installing a trojan on 18,000 SolarWinds Orion customer environments. They then identified and selected approximately 50 high value targets, such as governments, NGOs and technology firms. The attackers used technology organizations for their infrastructure, enabling them to expand their operations further, using spear phishing and password spray to gain access, patiently testing their attacks and then waiting two weeks before acting fast.
Our investigations found that no standard playbook was adopted and the attack progression did not show any linear signs; the actor was adept at manipulating multiple systems and persistent using many sophisticated tactics, techniques and procedures.
The Importance of Threat Intelligence
While the actor was stealthy, we discovered the attack because of our extensive breach intelligence data that has been accumulating for over a decade. It holds specific details on every actor, keeping track of their activities. Whenever an incident occurred, our experts were able to connect the dots between a simple security event and known activity to surface the adversary and their attack plan.
Mandiant has made all UNC2452 actor activities and insights available to every Mandiant Advantage Threat Intelligence subscriber, irrespective of whether they have a free or paid subscription. As new evidence comes to light, we will continue to update our software so that organizations can arm themselves with the detail they need to identify, protect and respond to UNC2452 and other adversaries.
To access the latest UNC2452 details, register for free access to Mandiant Advantage.LEARN MORE >