UNC2452

UNC2452 is a suspected Russian state-sponsored APT group behind the 2020 SolarWinds software supply chain attack.

The group compromised the build system and signing infrastructure of Orion, SolarWinds' network monitoring and management software, and delivered a trojanized update to over 18,000 customers. The victims included around 80% of the Fortune 500, giant corporations such as Microsoft, Cisco, Intel, Nvidia, Belkin, FireEye and Deloitte, as well as numerous US government departments and agencies and other organizations in North America, Europe, Asia, and the Middle East.[1] The group had also compromised at least one think tank by late 2019.[2]

Artifacts from the investigation confirmed that the source code of the Orion update was directly modified to include the SUNBURST backdoor, which was digitally signed and delivered through the company’s legitimate software release system.

The SUNBURST backdoor was injected into the update by another tool, SUNSPOT, which replaced one of the source code files with a backdoored version while the build process was running.

The initial access vector was not reported; it may have been a public-facing FTP server and leaked credentials. Other reports point to the exploitation of TeamCity, the CI/CD tool by JetBrains used by developers all over the world.

The group also gained access to other victims through vendor access and other means, and compromised a certificate issued by Mimecast to intercept traffic and access sensitive information.

Associated Group Descriptions

Name             Description
Solorigate       [3]
StellarParticle  [4]
Dark Halo        [2]

Techniques Used

Domain ID Name Use
Enterprise VT0011 .001 Account Manipulation: Additional Cloud Credentials

UNC2452 added credentials to OAuth Applications and Service Principals.[5]

Enterprise VT0021 Credentials from Password Stores

UNC2452 used account credentials they obtained to attempt access to Group Managed Service Account (gMSA) passwords.[6]

Enterprise VT0007 .003 Develop Capabilities: Malware

UNC2452 developed SUNSPOT, SUNBURST, Teardrop, and Raindrop; SUNSPOT was tailored to inject SUNBURST into the source code of the SolarWinds Orion software update, and the resulting SUNBURST build was digitally signed by SolarWinds.

Enterprise VT0003 Exploit Public-Facing Application

UNC2452 exploited CVE-2020-0688 against the Microsoft Exchange Control Panel to regain access to a network.[2]

Enterprise VT0015 Masquerading

UNC2452 set the hostnames of its C2 infrastructure to match legitimate hostnames in the victim environment. They also primarily used IP addresses originating from the same country as the victim for their VPN infrastructure.[7]

Enterprise VT0016 .002 Subvert Trust Controls: Code Signing

UNC2452 got SUNBURST signed with SolarWinds' code signing certificate by replacing one of the Orion source code files while the build was running. The replacement of the legitimate file was carried out by SUNSPOT, another tool present on the build system.

Enterprise VT0004 .002 Supply Chain Compromise: Compromise Software Supply Chain

UNC2452 gained initial network access via a trojanized update of SolarWinds Orion software.[7]

Enterprise VT0017 .004 Unsecured Credentials: Private Keys

UNC2452 obtained the private encryption key from an Active Directory Federation Services (AD FS) container to decrypt corresponding SAML signing certificates.[8]

Enterprise VT0005 Valid Accounts

UNC2452 used different compromised machine identities and credentials for remote access and lateral movement.[7]
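The SUNSPOT paragraph above and the Code Signing row describe the same build-time trick: a source file is swapped for a backdoored copy while the compiler runs and restored afterwards, so a diff of the source tree after the build shows nothing. The following added example (not code from the original page, SolarWinds, or any investigation report) is a defender-side build-window auditor: it hashes the source tree repeatedly between build start and build end and flags files that changed mid-build, singling out the "changed, then restored" pattern. File names and contents are constructed placeholders.

```python
import hashlib

# Constructed sample contents (not real Orion source); the path names are placeholders.
CLEAN = b"namespace Orion { class Component { /* legitimate code */ } }"
TAMPERED = b"namespace Orion { class Component { /* legitimate code + injected backdoor */ } }"
OUTPUT = b"\x4d\x5a compiled artifact (constructed)"

def digest(data: bytes) -> str:
    """SHA-256 of a file's content; the unit the auditor compares across snapshots."""
    return hashlib.sha256(data).hexdigest()

def snapshot(tree: dict) -> dict:
    """Hash every file in an in-memory tree {path: bytes} (stands in for a walk of the source dir)."""
    return {path: digest(content) for path, content in tree.items()}

def audit_build_window(snapshots: list) -> dict:
    """Classify each path across snapshots taken from build start (first) to build end (last).
    The tell-tale pattern is a source file whose hash changes while the build runs and is
    back to the pre-build value afterwards: a post-build diff alone never sees it."""
    findings = {}
    for path in set().union(*snapshots):
        history = [snap.get(path) for snap in snapshots]
        if len(set(history)) == 1:
            continue                                 # identical in every snapshot: nothing to report
        if history[0] is None:
            findings[path] = "created-during-build"  # build output; expected under bin/, not under src/
        elif history[0] == history[-1]:
            findings[path] = "swapped-and-restored"  # modified mid-build, then reverted
        else:
            findings[path] = "modified"              # left changed after the build
    return findings

def suspicious_source_files(findings: dict) -> list:
    """Any change to a file under src/ during the build is a signing-pipeline incident."""
    return sorted(p for p in findings if p.startswith("src/"))

# Constructed timeline: pre-build, two mid-build polls, post-build.
SAMPLE_SNAPSHOTS = [
    snapshot({"src/Component.cs": CLEAN}),
    snapshot({"src/Component.cs": TAMPERED}),                            # swapped in while the compiler runs
    snapshot({"src/Component.cs": TAMPERED, "bin/Component.dll": OUTPUT}),
    snapshot({"src/Component.cs": CLEAN, "bin/Component.dll": OUTPUT}),  # original restored afterwards
]

if __name__ == "__main__":
    findings = audit_build_window(SAMPLE_SNAPSHOTS)
    for path, verdict in sorted(findings.items()):
        print(f"{verdict:22} {path}")
```

Polling can miss a swap shorter than the poll interval, so in practice this is a complement to filesystem-event monitoring of the build host and to an independent rebuild from trusted source compared against the signed artifact.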

References

ID: VG0004
Associated Groups: Solorigate, StellarParticle, Dark Halo
Version: 1.0

Created: 17 February 2021

Last Modified: 16 March 2021