RiskIQ’s Atlas Threat Intelligence Analysis Team Illuminates New Patterns and 56% More Threat Infrastructure Used in the SolarWinds Cyber Espionage Campaign

News Highlights

SAN FRANCISCO, April 22, 2021 (News) — RiskIQ, a leader in Internet Security Intelligence, announced that RiskIQ’s Team Atlas, its threat intelligence analysis team, leveraged the company’s unique network telemetry to reveal new infrastructure and tactics used in the SolarWinds cyber espionage campaign.

By combining the company’s Internet Intelligence Graph with patterns derived from previously reported indicators of compromise, RiskIQ’s Team Atlas surfaced 56% more attacker-owned network infrastructure, including more than a dozen newly identified command-and-control servers. The findings will likely help identify new victims of the campaign, which the United States intelligence community attributed last week to the Russian Intelligence Service (SVR).

The findings came to light when RiskIQ’s Team Atlas researchers noted distinct patterns in the HTTP banner responses from domains and IP addresses associated with the incident. The team then correlated domains and IPs returning specific banner response patterns with specific SSL certificates, periods of activity, and hosting locations across the campaign’s second, more targeted stage to reveal additional attacker-owned servers.
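One way to operationalise that correlation, as an added example that is not RiskIQ’s code: a banner fingerprint that ignores per-request header values, and a weighted pivot from seed hosts to candidates sharing the fingerprint, certificate, activity window and hosting country. All hosts, banners and certificate fingerprints below are constructed sample data.

```python
# Added example (not RiskIQ's code): pivot from seed hosts tied to a campaign to
# other hosts sharing an HTTP banner pattern, TLS certificate, activity window
# and hosting location. All hosts, banners and fingerprints are constructed.
from dataclasses import dataclass
from datetime import date

VOLATILE = {"date", "content-length", "etag", "last-modified"}  # per-request values

def banner_fingerprint(raw: str) -> str:
    """Status line plus ordered headers; volatile values dropped, stable ones kept."""
    lines = [ln for ln in raw.replace("\r\n", "\n").split("\n") if ln.strip()]
    parts = [lines[0].strip()]
    for line in lines[1:]:
        name, _, value = line.partition(":")
        name = name.strip().lower()
        parts.append(name if name in VOLATILE else f"{name}={value.strip()}")
    return "|".join(parts)

@dataclass(frozen=True)
class Host:
    name: str
    banner: str      # raw HTTP response head observed on the host
    cert_sha1: str   # constructed TLS certificate fingerprint
    country: str
    first_seen: date
    last_seen: date

def pivot_score(seed: Host, cand: Host) -> int:
    """Weighted overlap: banner and certificate matches count double."""
    active_together = seed.first_seen <= cand.last_seen and cand.first_seen <= seed.last_seen
    return (2 * (banner_fingerprint(seed.banner) == banner_fingerprint(cand.banner))
            + 2 * (seed.cert_sha1 == cand.cert_sha1)
            + int(active_together) + int(seed.country == cand.country))

def find_related(seeds, population, threshold=4):
    """Non-seed hosts whose best score against any seed reaches the threshold."""
    seed_names = {s.name for s in seeds}
    scores = {c.name: max(pivot_score(s, c) for s in seeds)
              for c in population if c.name not in seed_names}
    return {n: s for n, s in scores.items() if s >= threshold}

BANNER_A = "HTTP/1.1 404 Not Found\r\nServer: nginx\r\nDate: Tue, 02 Mar 2021 10:00:00 GMT\r\nContent-Length: 162\r\n"
BANNER_A2 = "HTTP/1.1 404 Not Found\r\nServer: nginx\r\nDate: Fri, 09 Apr 2021 18:30:00 GMT\r\nContent-Length: 162\r\n"
BANNER_B = "HTTP/1.1 200 OK\r\nServer: Apache\r\nContent-Length: 10\r\n"
SEEDS = [Host("seed1.example", BANNER_A, "aa11", "US", date(2021, 1, 5), date(2021, 3, 20))]
POPULATION = SEEDS + [
    Host("cand1.example", BANNER_A2, "aa11", "US", date(2021, 2, 1), date(2021, 4, 10)),  # banner+cert+overlap+US -> 6
    Host("cand2.example", BANNER_A2, "bb22", "DE", date(2021, 2, 1), date(2021, 4, 10)),  # banner+overlap -> 3
    Host("cand3.example", BANNER_B, "aa11", "US", date(2021, 6, 1), date(2021, 7, 1)),    # cert+US, no overlap -> 3
]
```

With the default threshold only cand1.example is flagged; lowering it to 3 also surfaces the weaker banner-only and certificate-only overlaps for analyst review.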

With this information, RiskIQ shed more light on the tactics, techniques, and procedures (TTPs) used by the threat actor in this campaign, including clever evasion of American authorities and a meticulous avoidance of patterns to keep researchers off their trail. Although the U.S. government attributed the campaign to APT29, the private industry refers to the threat actor responsible under disparate names, including UNC2452, StellarParticle, Nobelium, and Dark Halo, because the TTPs did not match those of previous APT29 operations.

“Researchers or products attuned to detecting known APT29 activity would fail to recognize the campaign as it was happening,” said Kevin Livelli, RiskIQ Director of Threat Intelligence and of RiskIQ’s Team Atlas. “They would have an equally hard time following the trail of the campaign once they discovered it, which is why we knew so little about the later stages of the SolarWinds campaign.”

Examples of pattern avoidance by APT29 cited in the RiskIQ report include:

  • Purchasing domains via third-party resellers and at domain auctions, thereby obscuring ownership information, and repurchasing expired domains at different time intervals over multiple years.
  • Hosting the first-stage infrastructure entirely in the U.S., hosting second-stage infrastructure primarily within the U.S., and hosting third-stage infrastructure mainly outside the U.S.
  • Designing the malware used in each stage to appear dramatically different. Third-stage malware was designed to look completely different from the second-stage malware, which, in turn, looked nothing like the first-stage malware.
  • Engineering the first-stage implant to beacon to its command-and-control servers with random jitter after two weeks to outlive the typical lifespan of event logging on most host-based EDR products.

“Identifying a threat actor’s attack infrastructure footprint typically involves correlating IPs and domains with known campaigns to detect patterns,” Livelli said. “However, our analysis shows the group took extensive measures to throw researchers off their trail.”

The APT29 infrastructure uncovered by RiskIQ resulted in a more complete and context-rich view of the previously identified command-and-control infrastructure. Visit the company’s Threat Intelligence Portal for the comprehensive analysis and list of IOCs uncovered in the investigation.

About RiskIQ’s Team Atlas

RiskIQ’s Team Atlas is an elite group of threat hunters who leverage RiskIQ’s unique tech stack and global collection network to illuminate the full extent of attacker infrastructures across the Internet, helping cyber defenders identify and better understand current and past breaches. Recently, RiskIQ’s Team Atlas built on publications on SolarWinds, FIN7, APT33, and Cobalt Strike to substantially improve visibility into these threat actor infrastructures. RiskIQ’s Team Atlas will continue to publish high-fidelity network indicators and analyze the broader implications of threat actor campaigns, their business context, and their geopolitical underpinnings to deliver meaningful tactical and strategic intelligence for practitioners and executives.

About RiskIQ

RiskIQ is a leader in digital attack surface management, providing the most comprehensive discovery, intelligence, and mitigation of threats associated with an organization’s digital presence. With more than 75% of attacks originating outside the firewall, RiskIQ allows enterprises to gain unified insight and control over web, social and mobile exposures. Trusted by security teams, CISOs, and more than 100,000 security analysts, RiskIQ’s platform combines advanced internet data reconnaissance and analytics to expedite investigations, understand digital attack surfaces, assess risk, and take action to protect the business, brand, and customers. Based in San Francisco, the company is backed by Summit Partners, Battery Ventures, Georgian Partners, NationalGrid Partners, and MassMutual Ventures. Try RiskIQ Community Edition for free by visiting https://www.riskiq.com/community/. To learn more about RiskIQ, visit www.riskiq.com.

© 2021 RiskIQ, Inc. All rights reserved. RiskIQ is a registered trademark of RiskIQ, Inc. in the United States and other countries. All other trademarks contained herein are the property of their respective owners.
