The attackers' use of US-based infrastructure in the first stage of the SolarWinds supply chain compromise is one factor that has inhibited the investigation into the incident, because it effectively blocked the NSA from pursuing that stage, the security firm RiskIQ says.
In a blog post, the company’s Team Atlas said the other factor that could have blocked the progress of the investigation beyond the second, more targeted stage was the attackers’ skill in not leaving a trail of patterns that were normally identified and tracked by threat hunters.
On 16 April, the US Government alleged that the Russian security agency known as the Foreign Intelligence Service was responsible for the attack.
To date, no cyber security company, including FireEye, the firm that first made the SolarWinds compromise public, has attributed the attack to any country.
RiskIQ claimed that while the espionage campaign itself was progressing, “public-facing research into the campaign is not”.
“That’s in part because piecing together what happened so far is exceptionally challenging,” the company’s researchers wrote. “The threat actor, identified by the US government as APT29, but tracked in the private industry as UNC2452, took great pains to avoid creating the type of patterns that make tracing them easy.
“For months, the Russians successfully compromised or blinded the very security companies and government agencies most likely to pursue them.”
A large part of the RiskIQ post covered material that has already been aired, with companies like FireEye, Microsoft and Volexity issuing briefs since the initial exposure by FireEye.
The post said a review of all the previously published indicators of compromise had led to its researchers noticing that a majority of SSL certificates used were issued by Sectigo (formerly Comodo CA).
“Additionally, they were all of a particular class called ‘PositiveSSL’ which costs about US$11 (A$14.3) a year per domain,” the post said. “The issue date of the certificates otherwise known as ‘Not Before’ in x509 terminology was often more than a week prior to when the certificate itself was deployed in the wild. Or in several cases more than 40 days later.”
However, a search for all the certificates issued by Sectigo brought up 334,053 results, far too many to be useful on their own.
The RiskIQ team then looked at finding patterns from HTTP banner responses using previously identified domains and IP addresses, as Volexity had done.
Collating this data, RiskIQ said it had managed to find a number of additional domains that could be connected to the attacks.
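The certificate pivot described above (restrict by issuer and product class, then look at the gap between the x509 "Not Before" date and the date a certificate was first seen served by a live host) is easy to express as a hunting filter. The following is an added example and not RiskIQ's own code or data: the observation records are constructed samples, the fingerprints are placeholders rather than real indicators, and the seven-day threshold is an assumption taken from the article's "more than a week" wording.

```python
"""Threat-hunting pivot on TLS certificate metadata (added example).

Combines two filters: the issuer/product-class profile and the lag
between a certificate's 'Not Before' date and its first observed
deployment. Issuer alone is far too broad (the article reports
334,053 Sectigo hits), so the value comes from the combination.
"""
from dataclasses import dataclass
from datetime import date


@dataclass(frozen=True)
class CertObservation:
    fingerprint: str   # constructed placeholder, not a real IoC
    issuer: str        # CA name as it appears in the issuer field
    product: str       # certificate product class, e.g. "PositiveSSL"
    not_before: date   # x509 validity start
    first_seen: date   # date a scanner first saw it served by a host


# Constructed sample observations (not data from the article).
SAMPLE_OBSERVATIONS = [
    CertObservation("cert-a", "Sectigo RSA Domain Validation Secure Server CA",
                    "PositiveSSL", date(2020, 2, 1), date(2020, 2, 10)),   # lag 9 days
    CertObservation("cert-b", "Sectigo RSA Domain Validation Secure Server CA",
                    "PositiveSSL", date(2020, 3, 1), date(2020, 4, 15)),   # lag 45 days
    CertObservation("cert-c", "Sectigo RSA Domain Validation Secure Server CA",
                    "PositiveSSL", date(2020, 5, 1), date(2020, 5, 2)),    # lag 1 day: normal
    CertObservation("cert-d", "Sectigo RSA Domain Validation Secure Server CA",
                    "EssentialSSL", date(2020, 5, 1), date(2020, 5, 21)),  # wrong product
    CertObservation("cert-e", "Let's Encrypt Authority X3",
                    "Domain Validated", date(2020, 6, 1), date(2020, 7, 1)),  # wrong issuer
    CertObservation("cert-f", "Sectigo RSA Domain Validation Secure Server CA",
                    "PositiveSSL", date(2020, 8, 3), date(2020, 8, 1)),    # seen before Not Before
]


def deployment_lag_days(obs: CertObservation) -> int:
    """Days between issuance ('Not Before') and first observed deployment.
    Negative values happen with clock skew or scanner timing and are
    simply treated as 'no suspicious lag'."""
    return (obs.first_seen - obs.not_before).days


def matches_issuer_profile(obs: CertObservation,
                           issuer_keyword: str = "Sectigo",
                           product: str = "PositiveSSL") -> bool:
    """Issuer/product-class filter: cheap, but matches hundreds of thousands
    of legitimate certificates, so never use it alone."""
    return issuer_keyword.lower() in obs.issuer.lower() and obs.product == product


def matches_lag_profile(obs: CertObservation, min_lag_days: int = 7) -> bool:
    """Lag filter: certificate issued well before it was put into use."""
    return deployment_lag_days(obs) > min_lag_days


def hunt(observations: list[CertObservation],
         min_lag_days: int = 7) -> list[CertObservation]:
    """Return observations matching both the issuer profile and the lag profile,
    sorted with the longest issuance-to-deployment lag first."""
    hits = [o for o in observations
            if matches_issuer_profile(o) and matches_lag_profile(o, min_lag_days)]
    return sorted(hits, key=deployment_lag_days, reverse=True)


if __name__ == "__main__":
    for o in hunt(SAMPLE_OBSERVATIONS):
        print(f"{o.fingerprint}: {o.product} from {o.issuer}, "
              f"lag {deployment_lag_days(o)} days")
```

The output of the combined filter is a shortlist for a human to examine, not an attribution: a week-old PositiveSSL certificate is common enough that each hit still has to be corroborated against other evidence, such as the HTTP banner patterns the article says Volexity and RiskIQ used as a second pivot.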