Researchers have found that the command and control (C2) server infrastructure for the Russia-attributed SolarWinds espionage campaign is substantially larger than first thought after discovering an additional 18 servers used to manage malware implants.
Security vendor RiskIQ used its own telemetry data, and combined it with information already gleaned from other researchers, to surface hitherto unknown patterns that led to the discovery of the C2 servers.
The additional 18 servers it found represent a $56 percent increase of the currently known infrastructure.
RiskIQ expects further analysis will lead to further targets being identified.
The SolarWinds hackers went out of their way to hide patterns that could identify them and correlate their activity with past threats.
This included using unique internet protocol addresses for the C2 infrastruture for each victim, buying domains with registration histories at different times and with varying names at auctions or from resellers, and hosting its servers within America to avoid detection.
However, RiskIQ was able to use known indicators of compromise from other vendors such as Volexity, and add its own telemetry to discern new patterns of threat activity tied to APT29.
Digital transport layer security certificates for the servers were found to mostly have been issued by Sectigo (formerly Comodo) and were of the PositiveSSL subclass, RiskIQ found.
Issue dates for the certificates was often more than a week before the credential was deployed in the wild, or in other cases, more than 40 days later, the security vendor found.
Combined with HTTP banner response patterns and modified Cobalt Strike penetration test tool Beacon servers, RiskIQ identified the additional 18 C2 servers.
Some of the servers appear to have been active, deploying malware, a whole month before SolarWinds said the APT29 compromise of some 18,000 customer systems started.
Russia's foreign intelligence agency the SVR has been blamed by the Biden Administration for the SolarWinds hacks, creating a diplomatic crisis between the two nuclear armed nations.
As a result, the United States Treasury has sanctioned several Russian individuals and entities, including well-known security vendor Positive Technologies, which is said to have facilitated and participated in hacking operations.
SolarWinds spins off MSP business
Separately, SolarWinds announced that the company will spin off its managed service provider business under the name N-able.
N-able will create a new website, update its products, resources and partner programs.
Updated, 24/4: An earlier version of this story incorrectly stated that SolarWinds would rebrand to N-able; it has since been clarified that the new name relates only to the MSP portion of its business.