UNC2452
UNC2452 is a suspected Russian state-sponsored threat group responsible for the 2020 SolarWinds software supply chain intrusion.[1] Victims of this campaign include government, consulting, technology, telecom, and other organizations in North America, Europe, Asia, and the Middle East.[1] The group also compromised at least one think tank by late 2019.[2]
Associated Group Descriptions
Name | Description
---|---
Solorigate |
StellarParticle |
Dark Halo |
Techniques Used
Domain | ID | Name | Use
---|---|---|---
Enterprise | T1087 | Account Discovery | UNC2452 obtained a list of users and their roles from an Exchange server using
Enterprise | T1098.002 | Account Manipulation: Exchange Email Delegate Permissions | UNC2452 added their own devices as allowed IDs for ActiveSync using
Enterprise | T1098.001 | Account Manipulation: Additional Cloud Credentials | UNC2452 added credentials to OAuth Applications and Service Principals.[5]
Enterprise | T1071.001 | Application Layer Protocol: Web Protocols |
Enterprise | T1560.001 | Archive Collected Data: Archive via Utility | UNC2452 used 7-Zip to compress stolen emails into password-protected archives prior to exfiltration.[2][6]
Enterprise | T1059.001 | Command and Scripting Interpreter: PowerShell | UNC2452 used PowerShell to create new tasks on remote machines, identify configuration settings, exfiltrate data, and execute other commands.[2][3]
Enterprise | T1059.003 | Command and Scripting Interpreter: Windows Command Shell | UNC2452 used
Enterprise | T1555 | Credentials from Password Stores | UNC2452 used account credentials they obtained to attempt access to Group Managed Service Account (gMSA) passwords.[6]
Enterprise | T1005 | Data from Local System |
Enterprise | T1074.002 | Data Staged: Remote Data Staging | UNC2452 staged data and files in password-protected archives on a victim's OWA server.[2]
Enterprise | T1140 | Deobfuscate/Decode Files or Information |
Enterprise | T1587.001 | Develop Capabilities: Malware | UNC2452 developed Sunspot, Sunburst, Teardrop, and Raindrop; Sunspot and Sunburst were tailored to be incorporated into SolarWinds' Orion software library.[1][4][6]
Enterprise | T1484.002 | Domain Policy Modification: Domain Trust Modification | UNC2452 changed domain federation trust settings using Azure AD administrative permissions to configure the domain to accept authorization tokens signed by their own SAML signing certificate.[8]
Enterprise | T1482 | Domain Trust Discovery | UNC2452 used the
Enterprise | T1568 | Dynamic Resolution | UNC2452 used dynamic DNS resolution to construct and resolve to randomly-generated subdomains for C2.[2]
Enterprise | T1114.002 | Email Collection: Remote Email Collection | UNC2452 collected emails from specific individuals, such as executives and IT staff, using
Enterprise | T1546.003 | Event Triggered Execution: Windows Management Instrumentation Event Subscription |
Enterprise | T1048.002 | Exfiltration Over Alternative Protocol: Exfiltration Over Asymmetric Encrypted Non-C2 Protocol | UNC2452 exfiltrated collected data over a simple HTTPS request to a password-protected archive staged on a victim's OWA servers.[2]
Enterprise | T1190 | Exploit Public-Facing Application | UNC2452 exploited CVE-2020-0688 against the Microsoft Exchange Control Panel to regain access to a network.[2]
Enterprise | T1083 | File and Directory Discovery | UNC2452 obtained information about the configured Exchange virtual directory using
Enterprise | T1606.001 | Forge Web Credentials: Web Cookies | UNC2452 bypassed MFA set on OWA accounts by generating a cookie value from a previously stolen secret key.[2]
Enterprise | T1606.002 | Forge Web Credentials: SAML Tokens | UNC2452 created tokens using compromised SAML signing certificates.[5]
Enterprise | T1562.004 | Impair Defenses: Disable or Modify System Firewall | UNC2452 used
Enterprise | T1562.002 | Impair Defenses: Disable Windows Event Logging | UNC2452 used
Enterprise | T1562.001 | Impair Defenses: Disable or Modify Tools | UNC2452 used the service control manager on a remote system to disable services associated with security monitoring products.[6]
Enterprise | T1070 | Indicator Removal on Host | UNC2452 removed evidence of email export requests using
Enterprise | T1070.004 | Indicator Removal on Host: File Deletion | UNC2452 routinely removed their tools, including custom backdoors, once remote access was achieved.[1]
Enterprise | T1070.006 | Indicator Removal on Host: Timestomp | UNC2452 modified timestamps of backdoors to match legitimate Windows files.[6]
Enterprise | T1105 | Ingress Tool Transfer | UNC2452 downloaded additional tools, such as Teardrop malware and Cobalt Strike, to the compromised host following initial compromise.[1]
Enterprise | T1036 | Masquerading | UNC2452 set the hostnames of its C2 infrastructure to match legitimate hostnames in the victim environment. They also primarily used IP addresses originating from the same country as the victim for their VPN infrastructure.[1]
Enterprise | T1036.004 | Masquerading: Masquerade Task or Service | UNC2452 named tasks
Enterprise | T1036.005 | Masquerading: Match Legitimate Name or Location | UNC2452 renamed a version of AdFind to
Enterprise | T1027 | Obfuscated Files or Information |
Enterprise | T1003.006 | OS Credential Dumping: DCSync | UNC2452 leveraged privileged accounts to replicate directory service data with domain controllers.[8][6]
Enterprise | T1069 | Permission Groups Discovery | UNC2452 used the
Enterprise | T1057 | Process Discovery | UNC2452 used multiple command-line utilities to enumerate running processes.[2][6]
Enterprise | T1090.001 | Proxy: Internal Proxy | UNC2452 configured at least one instance of Cobalt Strike to use a network pipe over SMB during the 2020 SolarWinds intrusion.[7]
Enterprise | T1021.006 | Remote Services: Windows Remote Management | UNC2452 has used WinRM via PowerShell to execute commands and payloads on remote hosts.[7]
Enterprise | T1018 | Remote System Discovery |
Enterprise | T1053.005 | Scheduled Task/Job: Scheduled Task | UNC2452 used
Enterprise | T1218.011 | Signed Binary Proxy Execution: Rundll32 |
Enterprise | T1558.003 | Steal or Forge Kerberos Tickets: Kerberoasting | UNC2452 obtained Ticket Granting Service (TGS) tickets for Active Directory Service Principal Names to crack offline.[6]
Enterprise | T1553.002 | Subvert Trust Controls: Code Signing | UNC2452 was able to get Sunburst signed by SolarWinds code signing certificates by injecting the malware into the SolarWinds Orion software lifecycle.[1]
Enterprise | T1195.002 | Supply Chain Compromise: Compromise Software Supply Chain | UNC2452 gained initial network access via a trojanized update of SolarWinds Orion software.[1]
Enterprise | T1082 | System Information Discovery | UNC2452 used
Enterprise | T1552.004 | Unsecured Credentials: Private Keys | UNC2452 obtained the private encryption key from an Active Directory Federation Services (AD FS) container to decrypt corresponding SAML signing certificates.[8]
Enterprise | T1550 | Use Alternate Authentication Material | UNC2452 used forged SAML tokens that allowed the actors to impersonate users and bypass MFA, enabling UNC2452 to access enterprise cloud applications and services.[8]
Enterprise | T1550.004 | Use Alternate Authentication Material: Web Session Cookie | UNC2452 used a forged
Enterprise | T1078 | Valid Accounts | UNC2452 used different compromised credentials for remote access and to move laterally.[1]
Enterprise | T1047 | Windows Management Instrumentation | UNC2452 used WMI for the remote execution of files for lateral movement.[8][6]
Software
References
1. FireEye. (2020, December 13). Highly Evasive Attacker Leverages SolarWinds Supply Chain to Compromise Multiple Global Victims With SUNBURST Backdoor. Retrieved January 4, 2021.
2. Cash, D. et al. (2020, December 14). Dark Halo Leverages SolarWinds Compromise to Breach Organizations. Retrieved December 29, 2020.
3. MSTIC. (2020, December 18). Analyzing Solorigate, the compromised DLL file that started a sophisticated cyberattack, and how Microsoft Defender helps protect customers. Retrieved January 5, 2021.
4. CrowdStrike Intelligence Team. (2021, January 11). SUNSPOT: An Implant in the Build Process. Retrieved January 11, 2021.
5. MSRC. (2020, December 13). Customer Guidance on Recent Nation-State Cyber Attacks. Retrieved December 30, 2020.
6. MSTIC, CDOC, 365 Defender Research Team. (2021, January 20). Deep dive into the Solorigate second-stage activation: From SUNBURST to TEARDROP and Raindrop. Retrieved January 22, 2021.
7. Symantec Threat Hunter Team. (2021, January 18). Raindrop: New Malware Discovered in SolarWinds Investigation. Retrieved January 19, 2021.
8. Microsoft 365 Defender Team. (2020, December 28). Using Microsoft 365 Defender to protect against Solorigate. Retrieved January 7, 2021.