SolarWinds cyberattack still unresolved, says NTT

12 February 2021 | Natalie Bannerman

NTT has published its February edition of its Monthly Threat Report.

In the eight-page report the company wrote about the continued fallout from the 2020 SolarWinds cyberattacks.

In February 2020, networking and application software company SolarWinds suffered a cyberattack that inserted malware into updates of its Orion platform. The malware, called Sunburst, was then distributed to more than 17,000 of SolarWinds’ customers in the government and private sectors. The malware remained undetected in SolarWinds’ systems until it was removed from them in June 2020.

At the time, it was thought that few of the 17,000 customers were affected, but the latest findings from cyber analysts continue to find more details to the contrary.

According to the report, details show that “a nation-state Advanced Persistent Threat (APT) was most likely responsible for the trojanized attack”. Specifically, “UNC2452, also known as Dark Halo, APT29, also known as Cozy Bear, and Russian threat actor Turla have been named as likely sources of the SolarWinds attack”.

Both Cozy Bear and Turla seemingly have Russian ties, the former being linked to the SVR, the Russian foreign intelligence service, and the latter being associated with the FSB, the Russian internal security service. This is “based on suspected Russian hacking tools as well as Tactics, Techniques and Procedures (TTPs), analysts identified similarities between Turla’s attack methods and that of the SolarWinds attack, including the types of malware used”.

Though similarities have been drawn between the backdoors used in this attack and between the groups who created them, the report stated that “definitive attribution has not yet been made” and that “The Russian government denies any involvement in the SolarWinds trojanised supply-chain attack”.

The report concludes that “analysts must remain vigilant in their research, identify and verify, or disprove connections between Sunburst, Kazuar and the Turla Group as more attack details are ascertained”.