Anticipating What Is Next for Solarigate, Based on BlackEnergy, NotPetya, and other Campaigns
As of today, Solarigate has been couched as a Russian espionage campaign leveraging the software supply chain. Its timeframe is described in terms of months. It affected up to 18,000 victims, one of which, amazingly, is a cyber security vendor that happened to discover it (a 0.0055555555556% chance?). The industry immediately jumped whole hog into IOC hunting, and some are even claiming some form of awkward 'victory' in having disrupted the campaign. I will offer the following Occam's razor based observations so that we can step back and realize that this campaign is more likely years in the making and will extend for many more; that it is, at a minimum, equally likely to be a destructive or disruptive campaign; and that we are at the red dawn of a new threat landscape that needs to be understood at both national and technical levels, which it currently is not.
While SandWorm has not been attributed to Solarigate, the group (and what we can extract from its past campaigns) serves as a template for drawing out something about past Russian disruptive/destructive campaigns. Sure, parts of the GRU have been described as having worked closely with APT 29, to which Solarigate has been attributed. But that's not the point. Instead, we can learn what we need to by understanding how SandWorm generally carries out such a campaign, and by drawing similarities to both the overall strategy of the Solarigate actors and the potential implications for impact.
In short form, here is what we should learn from SandWorm (Russian GRU Unit 74455; aka Telebots, VoodooBear, IronViking), and specifically from their overall strategy to destroy or disrupt.
1) The majority of their activities are aimed at disruption or destruction to begin with (yes, capable actors from Russia have indeed focused on such):
-2007-2016 BlackEnergy (crimeware turned into a destructive government tool), KillDisk, and Industroyer destructive campaigns
-2014 Targeting of SCADA-centric victims
-2016 Ukraine: targeting of the power grid, the Ministry of Finance (MoF) and the State Treasury Service (STS)
-2017 France: disruption of Macron's "La Republique En Marche!" political party
-2017 Ukraine (and, collaterally, the globe): the destructive NotPetya wiper worm
-2018 South Korea: disruption of the PyeongChang Organizing Committee for the 2018 Olympics
-2018 Targeting of international and government organizations investigating the poisoning of a former GRU officer and his daughter in the UK
-2016-2018 LoJax UEFI implant, active for years and still so months after discovery (attributed to APT 28, a sister GRU unit, rather than to SandWorm itself)
-2018-2019 Disruptive campaign against Georgian media, including website defacements
2) Software and firmware supply chain (or use of existing vendor-specific software capabilities and tooling/infrastructure) is a primary strategy, whether for low-level persistence or for disruption:
-2018 LoJax, leveraging the legitimate LoJack anti-theft software to target UEFI firmware with an implant
-2017 Both NotPetya and Win32/Filecoder.AESNI.C (XData) delivered via the Ukrainian accounting software M.E.Doc
-2007 onward: BlackEnergy campaigns effectively leveraged the criminal malware supply chain for destructive ends by co-opting its components into a nation-state tool used to target US energy and infrastructure, as well as Ukrainian ICS networks. Note: BlackEnergy malware shares roots with TrickBot malware, in the form of the Dyre banking trojan.
3) Espionage-looking activity always precedes a disruptive or destructive campaign
An adversary with a disruptive objective first needs to conduct recon and determine targeting, business operations, operating procedures, critical assets, architecture and more. An initial wide-swath campaign via the supply chain makes sense here. A truly targeted espionage campaign, by contrast, usually narrows every component of the campaign to the bare minimum needed to achieve persistence. If long-term espionage is the goal, then why risk a massive supply chain strategy? Why risk targeting a savvy cyber vendor like FireEye? What form of 'espionage' truly has "all of earth" as its target base? None. But being able to target critical infrastructure, government organizations and defense all at once in order to coordinate a disruptive campaign: now that makes sense.
And indeed, look at what M.E.Doc was dropping prior to the NotPetya worm and payload. Look at how BlackEnergy campaigns leveraged that criminal banking trojan as a recon and credential-grabbing tool prior to dropping other payloads that targeted ICS equipment. Look at how Ryuk operators (attributed early on to Lazarus) use TrickBot (another originally criminal banking trojan) prior to deploying Ryuk. Look at how APT 28 used several tools, including a kernel driver signed with a valid code-signing certificate, to access the UEFI/BIOS settings, collecting and saving low-level system settings. Only after collecting that data could they create an image of the system firmware, add LoJax to the image, and overwrite the SPI flash memory. This is eerily similar to the recent TrickBoot discovery, which foreshadows the world's largest independent global crime and intelligence organization, Overdose (the TrickBot operators), being able to target, and later implant or brick, devices at the UEFI firmware level. The same group has worked with nation states and other Russian actors in the past.
Put simply, the first stage of any impactful attack looks and feels like espionage, but only because information gathering is needed prior to an effective disruptive or destructive attack. While the media portrays this new threat as 'sophisticated' and 'advanced', it's important to remember that many of the tricks a sophisticated actor might use were pioneered in the criminal malware world. Even TrickBot has mirrored a victim's domain or organization name (naming its C2 hosts similarly) in order to throw off network detection and forensics. Sound familiar? Indeed, that is an important tactic used in the SunBurst campaign. Sure, there might not be a MITRE ATT&CK ID for that tactic, but it has been done before, and by TrickBot operators, not spies in Moscow... or have those two things effectively converged at this point?
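The C2 naming trick described above (a callback domain that mirrors the victim's own organization name) is something a blue team can hunt for in its own DNS logs. The following is an added example, not code from the original post or from any vendor or group it mentions. It assumes a hypothetical defending organization (registered domains `contoso-energy.com` and `contoso.com`, brand token `contoso`) and a constructed log format of timestamp, client IP and queried name. It flags queries whose registrable domain is not one of ours but which either embed our brand token below the TLD or sit within a couple of edits of one of our registered domains. It generalizes a little beyond the single trick the text names: the same check also catches the subdomain variant (`contoso-energy.com.attacker.net`) and plain typosquats.

```python
"""Hunt DNS logs for domains that impersonate the defending organization.

Added example; not code from the original post. The org names, brand
token and log format are all assumed (hypothetical), and the sample log
below is constructed for the example.
"""
import re
from typing import Iterable, List, Tuple

# Assumed defending organization (hypothetical names).
ORG_DOMAINS = {"contoso-energy.com", "contoso.com"}
ORG_TOKENS = {"contoso"}

# Constructed sample log: "<ISO timestamp> <client IP> <queried name>".
SAMPLE_LOG = """\
2020-12-14T10:01:02Z 10.0.5.17 dc01.contoso-energy.com
2020-12-14T10:01:09Z 10.0.5.17 updates.contoso-energy-cdn.com
2020-12-14T10:02:11Z 10.0.8.3 contos0-energy.com
2020-12-14T10:03:40Z 10.0.8.3 www.microsoft.com
2020-12-14T10:04:00Z 10.0.5.17 login.contoso-energy.com.attacker.net
"""

LOG_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)$")


def registrable_domain(fqdn: str) -> str:
    """Approximate eTLD+1 as the last two labels (no public-suffix list)."""
    labels = fqdn.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def levenshtein(a: str, b: str) -> int:
    """Edit distance; O(len(a)*len(b)) is fine for domain-length strings."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def lookalike_reason(fqdn: str, max_distance: int = 2) -> str:
    """Return why fqdn looks like an impersonation of the org, or '' if it does not."""
    fqdn = fqdn.lower().rstrip(".")
    reg = registrable_domain(fqdn)
    if reg in ORG_DOMAINS:
        return ""  # genuinely one of ours
    # Brand token embedded anywhere below the TLD, e.g. contoso-energy.com.attacker.net
    for label in fqdn.split(".")[:-1]:
        for token in ORG_TOKENS:
            if token in label:
                return f"org token '{token}' embedded in foreign domain {reg}"
    # Typosquat: registrable domain within a few edits of one of ours
    for ours in ORG_DOMAINS:
        d = levenshtein(reg, ours)
        if d <= max_distance:
            return f"{reg} is {d} edit(s) from {ours}"
    return ""


def scan(lines: Iterable[str]) -> List[Tuple[str, str, str]]:
    """Return (client, qname, reason) for every query that looks like impersonation."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue  # malformed line: skip rather than abort the hunt
        _ts, client, qname = m.groups()
        reason = lookalike_reason(qname)
        if reason:
            hits.append((client, qname, reason))
    return hits


if __name__ == "__main__":
    for client, qname, reason in scan(SAMPLE_LOG.splitlines()):
        print(f"{client} -> {qname}: {reason}")
```

Against the constructed log this flags three of the five queries (the brand-bearing CDN lookalike, the single-character typosquat, and the org domain buried as a subdomain of a foreign registrable domain) and leaves the genuine internal host and microsoft.com alone. Expect false positives from legitimate CDN or partner domains that legitimately carry the brand; put those on an allow-list rather than loosening the edit-distance threshold. The last-two-labels approximation of the registrable domain breaks on suffixes like co.uk, so a production version should use a public-suffix list.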
4) Attribution matters, but not as much as the 'possibility of tactics and objectives' does overall, let alone how to mitigate risk.
While this blog mentions groups like SandWorm, APT 28, Overdose, Lazarus and the like, it is not a blog hoping to link or attribute actors to the SolariGate campaign. If anything, the take-away may be the inverse: when reacting to a campaign like this, to assume either its endgame motive or the actors behind it is to waste precious cycles, or worse, to improperly scope the real-world risk implications. When WannaCry first hit, it was named after the unsophisticated, poorly coded, and often-corrupted WannaCry payload, assumed to be the work of a profit-motivated actor. As someone who worked as an incident response consulting director during that event, what struck me more than anything was that DoublePulsar was everywhere, offering read/write/execute on any host it was running on. Effectively, the motive at that point of the kill chain could have been anything, or even 'all the things'. During the fog of war of that incident, and NotPetya afterwards, one thing rang true: attribution didn't help the incident response warriors on the ground. What did help was letting what was likely and possible dictate what it meant to get ahead of the attacker and minimize impact: prioritizing which assets, network segments, supply chain connections, device vendor SLAs, and safety impacts needed to take priority, given the level of access and power the adversary wielded.
Similarly (and by now others are cautioning the same), when SunBurst was first discovered, the media immediately a) attributed it to APT 29 and b) attributed the motive to espionage. Yet stepping back and looking at the chain of events and the TTPs involved, it didn't look much like espionage. It looks like a widespread disruption or destruction campaign that was effective in mass targeting and in gaining credentialed access, allowing for maximum canvassing of the environment. That sounds a lot like what TrickBot actors do prior to an industry-targeted Ryuk or Conti campaign, doesn't it? But attributing this campaign to APT 29, Overdose or China (?) really doesn't move the needle in understanding the actual risk impact scenario and the risk mitigation steps that impacted organizations should be taking right now. Hint: it has much less to do with which version of SolarWinds you are running and shutting that down than with understanding what an attacker who begins with that footprint and those capabilities can do from there. A kill chain plays out over a timeline. Given that this campaign has roots going back many months, you've got bigger problems than what the initial vector was. To the extent an actor has leveraged the SunBurst backdoor, that same actor will already have gained additional persistence, moved laterally, targeted Active Directory and more. Why do I state this? Because in years of dealing with actors of this scale, I've never seen them not do those things. Because those things are relatively trivial to do once given SunBurst-level access. Because this actor will need those things to fend off team blue and carry out campaign objectives, regardless of what those objectives are. Because to assume otherwise is to miss the entire point of what has just happened as a result of this supply chain attack.
The take-aways? Simple:
1) To treat SolariGate as a purely espionage campaign targeting only a (relatively) small set of the 18,000 victims is a poor assumption.
2) There are enough relevant historical references to supply-chain attacks leading to disruptive or destructive campaigns to widen our scope of expected impact.
3) A SolarWinds-focused fire drill is not what affected organizations need to be thinking about at this stage of the campaign's discovery and attack timelines.
4) Attribution should not inform mission or organization risk considerations at this stage. Impacted organizations need to prioritize activities relative to the scope of potential impact unique to that organization's architecture, critical assets, supply chain, AD structure, and IT and OT environment impact scenarios (safety, uptime), etc.
5) At this stage of the campaign, persistence, stealth, and the ability to re-enter if eradication is attempted are of paramount importance to the attacker. Expect multiple backdoors taking multiple forms. This portion of the kill chain may not be automated. This portion may be unique to your organization, tech stack, architecture and security stack. This part requires your blue team to help inform IR playbook development, and relevant dashboard creation, hunting and segmentation efforts unique to you, the victim.
6) There is much more to this story. There always is. Expect multiple actors to be at play. Perhaps a zero-day will be introduced. Other supply chain vectors. Shifting motives during the campaign. Expect a criminal group component, either during or after, related to exfil efforts, perhaps tied to sensitive data, perhaps to resale of access, or perhaps to crimeware tools that these actors can adapt to persist longer: TrickBot/TrickBoot, for example. Expect known TTPs to change, even completely, from what has been observed so far. Expect that ransomware may tail toward the end of this campaign for certain victims. Just like in the early days and weeks of WannaCry, NotPetya, BlackEnergy, and others, expect us all to have it all wrong.
7) Don't forget the basics: share, share, share. Move with urgency. Value speed over completeness. Keep teams hydrated. Within the victim organizations, over-communicate to all stakeholders, including partners and supply chain both upstream and downstream. Start now to set expectations according to what is possible and most impactful, not according to what media and attribution politics might imply. Remember, no one knows your environment better than you do, so leverage that fact to ferret out, force and contain the adversary. It's the one disadvantage that the attacker in a widespread campaign like this has, and it's why we've only uncovered dozens, not thousands, of 'real' victims so far.
June 2017: TeleBots Are Back: Supply-Chain Attacks Against Ukraine (ESET)
December 2016: Ongoing Sophisticated Malware Campaign Compromising ICS (Update E) (ICS-CERT)
March 2016: Analysis of the Cyber Attack on the Ukrainian Power Grid (SANS)
January 2016: Everything We Know About Ukraine's Power Plant Hack (Wired)
January 2016: The Malware That Led to the Ukrainian Blackout (Motherboard)
January 2016: Updated BlackEnergy Trojan Grows More Powerful (McAfee)
January 2016: BlackEnergy by the SSHBearDoor: Attacks Against Ukrainian News Media and Electric Industry (ESET)
May 2015: BlackEnergy 3 – Exfiltration of Data in ICS Networks (CyberX)
May 2015: Data Theft the Goal of BlackEnergy Attacks on Industrial Control Systems, Researchers Say (DarkReading)
November 2014: An Analysis of BlackEnergy3 Malware Using Carbon Black (Carbon Black)
October 2014: Suspected Russian “Sandworm” Cyber Spies Targeted NATO, Ukraine (ArsTechnica)
October 2014: Sandworm to Blacken: The SCADA Connection (TrendMicro)
September 2014: Blackenergy & Quedagh: The Convergence of Crimeware and APT Attacks (F-Secure)
September 2014: Back in BlackEnergy: 2014 Targeted Attacks in Ukraine and Poland (ESET)
March 2010: New BlackEnergy Trojan Targeting Russian, Ukrainian Banks (DarkReading)
March 2010: BlackEnergy Version 2 Threat Analysis (Dell SecureWorks)