The hackers behind the high-profile SolarWinds attacks went to extraordinary lengths to avoid detection, research by Microsoft security analysts shows.
After their Sunburst backdoor (Microsoft calls it Solorigate) had stayed dormant for at least two weeks, the attackers painstakingly selected targets and, over a month or so, built unique Cobalt Strike network penetration tools for each victim system, Microsoft researchers said.
During that time, the hackers also established their command and control infrastructure, with domain generation algorithms creating random names.
By adding malicious code to an update for the SolarWinds Orion network monitoring tool, the hackers were able to compromise Microsoft, security vendor FireEye, the United States Treasury and other government departments.
With targets profiled and selected, the Solorigate backdoor activated on their machines and created two files.
One was a dynamic link library (DLL) compiled separately for each machine and dropped into a legitimate-looking subdirectory of the Windows directory, where it was used to load Cobalt Strike.
The second was a Visual Basic script, executed in a multi-stage process, that activated the Cobalt Strike implant and then removed the values it had inserted into the Windows Registry configuration database, to further avoid detection.
Microsoft's researchers said the attackers behind Solorigate are skilful and methodical operators who followed operations security best practices to minimise traces, stay under the radar and avoid detection.
They ensured that the malware was as varied as possible on every compromised host, so that no shared indicators could alert defenders to an active threat.
Several other evasion techniques were used by the attackers, such as turning off event logging and adding firewall rules before running noisy network enumeration activities.
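The evasion sequence described above (logging turned off and firewall rules added shortly before noisy network enumeration) is exactly the kind of pattern a SIEM correlation rule can catch. The following is a defender-side illustration added here; it is not code from Microsoft's report or the article. It correlates audit-policy changes, audit-log clearing and firewall-rule additions (standard Windows Security event IDs 4719, 1102 and 4946) with process creations (event 4688) of common discovery utilities on the same host inside a short window. The pipe-delimited log format and every record are constructed for the example, and the list of discovery utilities and the 30-minute window are assumptions to tune for your environment.

```python
"""Hunt for logging/firewall tampering followed by network enumeration on
the same host.  Constructed example: the log format and records are made up,
the event IDs are standard Windows Security log IDs."""
from datetime import datetime, timedelta

# Windows Security events that show logging or firewall state was changed.
TAMPER_EVENTS = {
    1102: "audit log cleared",
    4719: "system audit policy changed",
    4946: "firewall exception rule added",
}
PROCESS_CREATE = 4688
# Assumed list of discovery utilities; extend for your environment.
DISCOVERY_TOOLS = {"nltest.exe", "net.exe", "net1.exe", "nslookup.exe", "netstat.exe"}
WINDOW = timedelta(minutes=30)   # assumed correlation window

# Constructed records: "ISO-time|host|event_id|message".
SAMPLE_LOG = [
    "2020-12-01T09:00:00|ws-alpha|4624|An account was successfully logged on",
    "2020-12-01T09:05:00|ws-alpha|4719|System audit policy was changed: Object Access removed",
    "2020-12-01T09:06:00|ws-alpha|1102|The audit log was cleared",
    "2020-12-01T09:07:30|ws-alpha|4946|A rule was added to the Windows Firewall exception list",
    "2020-12-01T09:12:00|ws-alpha|4688|C:\\Windows\\System32\\nltest.exe /dclist:corp.example",
    # srv-beta: discovery tool with no prior tampering (routine admin use)
    "2020-12-01T14:00:00|srv-beta|4688|C:\\Windows\\System32\\nltest.exe /dclist:corp.example",
    # srv-beta: firewall change, but enumeration two hours later (outside window)
    "2020-12-02T08:00:00|srv-beta|4946|A rule was added to the Windows Firewall exception list",
    "2020-12-02T10:00:00|srv-beta|4688|C:\\Windows\\System32\\net.exe view /domain",
]


def parse_line(line):
    """Parse one constructed 'time|host|id|message' record into a dict."""
    ts, host, eid, msg = line.split("|", 3)
    return {"ts": datetime.fromisoformat(ts), "host": host, "id": int(eid), "msg": msg}


def is_tamper(ev):
    return ev["id"] in TAMPER_EVENTS


def is_discovery(ev):
    """True for a 4688 whose new process is one of the discovery utilities.
    The message is assumed to start with the executable path (no spaces in it)."""
    if ev["id"] != PROCESS_CREATE:
        return False
    path = ev["msg"].split(" ", 1)[0]
    exe = path.rsplit("\\", 1)[-1].lower()
    return exe in DISCOVERY_TOOLS


def find_sequences(lines, window=WINDOW):
    """Return one hit per discovery event that follows tampering on the same
    host within `window`; each hit lists the tampering event IDs seen."""
    events = sorted(map(parse_line, lines), key=lambda e: e["ts"])
    recent = {}   # host -> tampering events still inside the window
    hits = []
    for ev in events:
        host = ev["host"]
        if is_tamper(ev):
            recent.setdefault(host, []).append(ev)
        elif is_discovery(ev):
            # drop tampering events that have aged out of the window
            recent[host] = [t for t in recent.get(host, []) if ev["ts"] - t["ts"] <= window]
            if recent[host]:
                hits.append({
                    "host": host,
                    "at": ev["ts"],
                    "discovery": ev["msg"],
                    "preceded_by": [t["id"] for t in recent[host]],
                })
    return hits


if __name__ == "__main__":
    for hit in find_sequences(SAMPLE_LOG):
        names = ", ".join(TAMPER_EVENTS[i] for i in hit["preceded_by"])
        print(f"{hit['host']} {hit['at']}: {hit['discovery']!r} preceded by {names}")
```

Run this against forwarded copies of the logs, not the host's own event log: once auditing has been switched off or the log cleared, later activity may never be recorded locally, so the tampering events themselves (and a host that suddenly goes quiet) are the signal a central collector can still see.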
The systems were restored to their original states after the hackers had finished their activities, Microsoft said.
Any tools and binary files were carefully camouflaged and blended into target systems by being renamed and placed in folders that mimicked existing system storage objects.
"Applying this level of permutations for each individual compromised machine is an incredible effort normally not seen with other adversaries and done to prevent full identification of all compromised assets inside a network or effective sharing of threat intel between victims," Microsoft said.
The methodologies and strategies used by the attackers will be shared by Microsoft and incorporated into the MITRE ATT&CK globally accessible knowledge base.