The sprawling SolarWinds cyberattack which came to light last December was known for its sophistication in the breadth of tactics used to infiltrate and persist in the target infrastructure, so much so that Microsoft went on to call the threat actor behind the campaign “skillful and methodic operators who follow operations security (OpSec) best practices to minimize traces, stay under the radar, and avoid detection.”
But new research published today shows that the threat actor carefully planned each stage of the operation to “avoid creating the type of patterns that make tracking them simple,” thus deliberately making forensic analysis difficult.
By analyzing telemetry data associated with previously published indicators of compromise, RiskIQ said it identified, with high confidence, an additional set of 18 servers that likely communicated with the targeted, secondary Cobalt Strike payloads delivered via the TEARDROP and RAINDROP malware, representing a 56% jump in the attacker’s known command-and-control footprint.
The “hidden patterns” were uncovered through an analysis of the SSL certificates used by the group.
The development comes a week after the U.S. intelligence…