What we know (and don’t know) so far about the ‘Supernova’ SolarWinds attack
It’s mostly been overshadowed by the massive and brazen supply chain breach of the SolarWinds Orion software-build process, but the lesser-known Supernova cyberattack also remains a bit of a mystery. Details about the scope and victims of Supernova, which exploited a flaw in SolarWinds’ Orion network management software, so far have been scarce.
Fewer than a handful of victims are known to have been targeted, and an investigation into the breach of one of those victims led researchers at Secureworks to tie the Supernova attacks to a previously unknown Chinese nation-state group they dubbed “Spiral.”
Supernova first came to light during FireEye’s investigation into the Orion software-update attack (aka Sunburst, Solorigate) back in December, and at first it was mistakenly believed to be part of the supply chain attack campaign. Microsoft soon thereafter revealed that Supernova indeed was not part of the supply chain attack.
It’s likely coincidental that two separate nation-states were targeting the same software, albeit in very different ways, experts say. “I think it’s a coincidence” that both the Chinese and Russian advanced persistent threats (APTs) targeted SolarWinds software in their attacks, notes Mike McLellan, director of intelligence at Secureworks. And the high-profile discovery of the attack from Russia may have “burned” China’s parallel operation for now, too, he says.
That could explain the dearth of additional activity reported by researchers on Supernova: The attackers may have halted the Orion attack and sought other ways to quietly target and spy on their victims.
It’s not unusual for multiple nation-state attacker groups to target the same victim organization, nor even to reside concurrently and unbeknownst to one another while conducting their intelligence-gathering operations. But Supernova and the Orion supply chain attack demonstrate how nation-states also can have similar ideas yet different methods regarding how they target and ultimately burrow into the networks of their victims.
Supernova homed in on SolarWinds’ Orion by exploiting a flaw in the software running on a victim’s server; Sunburst did so by inserting malicious code into builds for versions of the Orion network management platform. The digitally signed builds then were automatically sent to some 18,000 federal agencies and businesses last year via a routine software update process, but the attackers ultimately targeted far fewer victims than those who received the malicious software update, with fewer than 10 federal agencies affected as well as some 40 of Microsoft’s own customers. US intelligence agencies have attributed that attack to a Russian nation-state group, and many details of the attack remain unknown.
Supernova took a more traditional, yet stealthy, approach to leveraging Orion’s lucrative mapping and tracking features of a victim’s network. “Supernova was looking for SolarWinds on the [victim’s] network and compromising them from there,” explains Secureworks’ McLellan.
“The Russian activity comes from the SolarWinds network,” he says of the supply chain attack using Sunburst. “That’s the key difference.”
To read the complete article, visit Dark Reading.