Security News > 2021 > March > SolarWinds Hack — New Evidence Suggests Potential Links to Chinese Hackers
A malicious web shell deployed on Windows systems by leveraging a previously undisclosed zero-day in SolarWinds' Orion network monitoring software may have been the work of a possible Chinese threat group.
The findings were also corroborated by cybersecurity firms Palo Alto Networks' Unit 42 threat intelligence team and GuidePoint Security, both of whom described Supernova as a.NET web shell implemented by modifying an "App web logoimagehandler.ashx.b6031896.dll" module of the SolarWinds Orion application.
According to Secureworks Counter Threat Unit researchers - who discovered the malware in November 2020 while responding to a hack in one of its customers' networks - "The immediate and targeted nature of the lateral movement suggests that Spiral had prior knowledge of the network."
"CTU researchers were initially unable to attribute the August activity to any known threat groups," the researchers said.
More solid evidence arrived in the form of an IP address that geolocated to China, which the researchers said came from a host that was used by the attackers to run Secureworks's endpoint detection and response software for reasons best known to the threat actor, suggesting the software may have been stolen from the compromised customer.
"The threat group likely downloaded the endpoint agent installer from the network and executed it on the attacker-managed infrastructure," the researchers detailed.
News URL
Related news
- Chinese Hackers Use GHOSTSPIDER Malware to Hack Telecoms Across 12+ Countries (source)
- US says Chinese hackers breached multiple telecom providers (source)
- Chinese Hackers Use CloudScout Toolset to Steal Session Cookies from Cloud Services (source)
- Microsoft: Chinese hackers use Quad7 botnet to steal credentials (source)
- Sophos reveals 5-year battle with Chinese hackers attacking network devices (source)
- Sophos Versus the Chinese Hackers (source)
- FBI Seeks Public Help to Identify Chinese Hackers Behind Global Cyber Intrusions (source)
- Chinese hackers exploit Fortinet VPN zero-day to steal credentials (source)
- Chinese Hackers Exploit T-Mobile and Other U.S. Telecoms in Broader Espionage Campaign (source)
- Chinese hackers target Linux with new WolfsBane malware (source)