FireEye outlines techniques used by SolarWinds hackers


The firm has also released a tool to help companies see if SolarWinds hackers breached their networks

On Tuesday, cybersecurity firm FireEye released a 35-page report outlining the techniques used by the hackers who carried out the SolarWinds attack. 

In December, researchers discovered that cyber criminals hacked IT software provider SolarWinds to gain access to at least 18,000 government and private networks. It is believed that the cyberattackers’ goal was to collect intelligence. 

FireEye and Microsoft confirmed that a malicious and unauthorized party infiltrated the SolarWinds network and sowed malware known as Sunburst into updates for the Orion app. That malware was used to collect information on breached companies. 

Around 18,000 SolarWinds customers unwittingly installed the malware-containing version of the Orion app; some selected targets were victims of a second strain of malware known as Teardrop.  

FireEye has now detailed the techniques deployed by the hackers and released a free tool on GitHub to help companies see whether their networks were affected by the attack.  

Four main techniques

The firm said the hackers moved “laterally” to the Microsoft 365 cloud using a combination of four key compromise techniques: 

  • Stealing the Active Directory Federation Services (AD FS) token-signing certificate. Hackers were able to authenticate into a federated resource provider, such as Microsoft 365, by stealing the AD FS token-signing certificate and using it to forge tokens for arbitrary users. 

  • Modifying or adding trusted domains in Azure AD. Attackers were able to forge tokens for arbitrary users by adding a new federated Identity Provider (IdP) that the attacker controls. 

  • Compromising the credentials of on-premises user accounts. Accounts that were synchronized to Microsoft 365 held highly privileged directory roles, such as Global Administrator or Application Administrator.

  • Hijacking an existing Microsoft 365 application. By adding a new credential to the application, hackers could use the legitimate permissions assigned to the application -- such as the ability to read email, send email as an arbitrary user, access user calendars, and more -- while bypassing multi-factor authentication. 
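As an added defender-side illustration (not code from the FireEye report or from this article), the script below scans constructed Azure AD audit-log records for the kinds of changes the second, third and fourth techniques leave behind: a federation change on a domain, a credential added to an application, and a grant of a highly privileged role. The audit activity display names are assumptions and should be verified against a real tenant's audit log.

```python
import json

# Constructed, simplified Azure AD audit-log records (not real data), one JSON
# object per line with the fields activityDisplayName, initiatedBy and
# targetResources.
SAMPLE_AUDIT_LOG = """
{"activityDisplayName": "Set domain authentication", "initiatedBy": "admin@example.test", "targetResources": ["example.test"]}
{"activityDisplayName": "Add service principal credentials", "initiatedBy": "svc-sync@example.test", "targetResources": ["Mail Connector App"]}
{"activityDisplayName": "Add member to role", "initiatedBy": "admin@example.test", "targetResources": ["Global Administrator"]}
{"activityDisplayName": "Update user", "initiatedBy": "helpdesk@example.test", "targetResources": ["jdoe@example.test"]}
"""

# Audit activity names mapped to the technique they would evidence. These
# display names are assumed for the example; confirm them in your own tenant.
WATCHLIST = {
    "Set domain authentication": "federated domain added/modified",
    "Set federation settings on domain": "federated domain added/modified",
    "Add service principal credentials": "credential added to application",
    "Add member to role": "privileged directory role granted",
}

# The two roles the article names as highly privileged.
PRIVILEGED_ROLES = {"Global Administrator", "Application Administrator"}


def classify(record):
    """Return the technique label for one record, or None if it is not of interest."""
    label = WATCHLIST.get(record.get("activityDisplayName"))
    if label == "privileged directory role granted":
        # Only flag role grants that involve the highly privileged roles above.
        if not set(record.get("targetResources", [])) & PRIVILEGED_ROLES:
            return None
    return label


def scan(log_text):
    """Parse newline-delimited JSON audit records and return flagged findings."""
    findings = []
    for line in log_text.strip().splitlines():
        record = json.loads(line)
        label = classify(record)
        if label:
            findings.append((label, record["initiatedBy"], record["targetResources"][0]))
    return findings


if __name__ == "__main__":
    for label, actor, target in scan(SAMPLE_AUDIT_LOG):
        print(f"{label}: {actor} -> {target}")
```

Each finding still needs an analyst to confirm whether the change was an expected administrative action; the script only surfaces the events worth that review.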

"While UNC2452 has demonstrated a level of sophistication and evasiveness, the observed techniques are both detectable and defensible," FireEye said. 

The firm said its report is meant to help companies “remediate the observed techniques,” as well as “empower organizations to detect and harden against similar tactics.”  
