Microsoft Releases New Info on SolarWinds Attack Chain

Threat actors went to elaborate lengths to maintain operational security around second-stage payload activation, company says.

More than one month after the SolarWinds breach that impacted numerous organizations was first uncovered, new details of the sophisticated operation continue to trickle out.

The latest information comes from Microsoft, which this week released details of its analysis of the tactics used by the threat actors to activate a second-stage payload for downloading the Cobalt Strike attack kit on infected systems.

According to Microsoft, that particular aspect of the attack chain has been unclear up until now and is significant because it reveals the extent to which the attackers went to ensure operational security.

"One missing link in the complex Solorigate attack chain is the handover from the Solorigate DLL backdoor to the Cobalt Strike loader," Microsoft said in a blog attributed to members of the company's various security and threat intelligence teams. "Our investigations show that the attackers went out of their way to ensure that these two components are separated as much as possible to evade detection."

Solorigate is Microsoft's name for SUNBURST, a poisoned Dynamic Link Library (DLL) that was distributed to thousands of organizations as part of legitimate updates of SolarWinds' Orion network management software between March and June last year. About 18,000 government entities, security firms, and large corporations — including Microsoft itself — unwittingly downloaded the weaponized SolarWinds updates on their networks.

Subsequent investigations by numerous cybersecurity firms and others showed the threat actors were actually interested in only a small subset of the organizations that had unintentionally downloaded the Solorigate/SUNBURST backdoor.

In those instances, the backdoor communicated with a remote comm ..