Chloe Chamberland is a threat analyst and member of the Wordfence Threat Intelligence Team. She holds the following certifications: OSCP, OSWP, OSWE, Security+, CySA+, PenTest+, CASP+, SSCP, Associate of (ISC)2, CEH, ECSA and eWPT. Many of these are advanced certifications, including OSCP and OSWE, which are 24- and 48-hour exams respectively that require hands-on hacking skills to pass.
Chloe works full-time at Wordfence to identify and reverse engineer emerging threats facing WordPress. She works closely with vendors to remediate vulnerabilities they have, develops firewall rules for Wordfence, and publishes her research here, once the affected software has been patched by the vendor.
In the piece below, Chloe describes how threat analysts and the industry think about attribution. She describes the challenges associated with attribution and whether attribution is useful. Chloe also discusses several types of threat actors, and then dives into the SolarWinds hack and assigns probabilities to each kind of threat actor based on what we know about the hack. You can follow Chloe on Twitter @infosecchloe.
The SolarWinds Orion hack is one of the most sophisticated hacks we have seen in a long time, and arguably one of the most significant hacks in years. Of course, one of the biggest questions for security analysts is who is responsible.
The process of identifying the threat actor in a security incident is referred to as attribution, since we are determining what or who caused the incident to occur. There is often debate in the security world about attribution. Is knowing the threat actor helpful? Or is it a needless distraction when an intense incident response is underway?
In determining attribution, security professionals identify operational risks. Simply put, a threat actor’s motivation is critically important when determining what part of a business is at risk. If an organization doesn’t understand the actors behind an attack, it risks ineffective or inefficient remediation.
Before we can determine attribution we need to understand what types of threats there are, and what they may be capable of. Once you understand those basics it is easier to understand who may be responsible based upon the facts.
In this article, we hope to identify common threat actor classifications so that your incident response planning is informed, thorough and thoughtful.
Most Common Threat Actor Classifications
Script Kiddies
Script Kiddies are considered the least skilled among the threat actor groups. Their motivation is primarily egotistical and revolves around bragging rights. This threat actor group is referred to as script kiddies because they often blindly use scripts developed by other security researchers without knowing how those scripts actually work. They can also develop their own scripts; however, these will likely be very simple, with an apparent lack of sophistication.
A common result of an attack you would see from a script kiddie is the defacement of a website, which is altering the visible appearance of a site with a new “face.” Defacement pages typically contain taglines like “Hacked by XXX”, which highlights the fact that the primary motivation is bragging rights.
The key indicator that a threat actor is a script kiddie is that they succeeded in initial intrusion and made a few obvious changes, but there isn’t much evidence that the attack escalated beyond that initial point.
How might this relate to WordPress?
In WordPress, a script kiddie may attempt to hack into sites using pre-created exploits designed to take advantage of known plugin vulnerabilities, or even develop their own scripts since most WordPress vulnerabilities are fairly trivial to exploit. Another attack you may encounter from a script kiddie targeting WordPress installations is a brute force attack due to its simplicity. Once they gain access to your site via a successful brute force attack, they can easily deface the site and move on.
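The brute force attack mentioned above is the easiest of these to spot from the web server alone. The following is an added example, not code from the original post or from Wordfence: it parses constructed Apache combined-format access log lines, counts failed logins to wp-login.php per client (a failed login re-renders the form with HTTP 200, a successful one redirects with 302), and flags any client that exceeds an assumed threshold of failures inside a short window.

```python
"""Flag password brute-force attempts against wp-login.php from web server logs.

Added example, not code from the original post or from Wordfence. The access
log lines are constructed in Apache "combined" format; the threshold and the
time window are assumptions to tune for a real site.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3})'
)


def parse_line(line):
    """Return (ip, timestamp, method, path, status) or None if the line does not parse."""
    m = LINE_RE.match(line)
    if m is None:
        return None
    ts = datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z")
    path = m.group("path").split("?", 1)[0]
    return m.group("ip"), ts, m.group("method"), path, int(m.group("status"))


def is_failed_login(method, path, status):
    """Default WordPress behaviour: a failed login re-renders the form with
    HTTP 200, a successful one answers with a 302 redirect into wp-admin."""
    return method == "POST" and path == "/wp-login.php" and status == 200


def find_bruteforce(log_text, threshold=10, window=timedelta(minutes=5)):
    """Return {ip: (failed_attempts, first_seen, last_seen)} for every client
    that produced at least `threshold` failed logins inside any `window`."""
    failures = defaultdict(list)
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue
        ip, ts, method, path, status = parsed
        if is_failed_login(method, path, status):
            failures[ip].append(ts)

    flagged = {}
    for ip, times in failures.items():
        times.sort()
        # Sliding window: the i-th failure and the one `threshold - 1` attempts
        # earlier must lie within `window` of each other.
        for i in range(threshold - 1, len(times)):
            if times[i] - times[i - threshold + 1] <= window:
                flagged[ip] = (len(times), times[0], times[-1])
                break
    return flagged


def _entry(ip, second, method, path, status, agent):
    """Build one constructed combined-format log line."""
    return (f'{ip} - - [24/Dec/2020:10:00:{second:02d} +0000] '
            f'"{method} {path} HTTP/1.1" {status} 3876 "-" "{agent}"')


# Constructed sample: 203.0.113.7 fires twelve login attempts in 33 seconds,
# 198.51.100.9 is a person who mistypes once and then logs in.
SAMPLE_LOG = "\n".join(
    [_entry("203.0.113.7", s, "POST", "/wp-login.php", 200, "python-requests/2.25.1")
     for s in range(0, 36, 3)]
    + [
        _entry("198.51.100.9", 5, "GET", "/about/", 200, "Mozilla/5.0"),
        _entry("198.51.100.9", 20, "POST", "/wp-login.php", 200, "Mozilla/5.0"),
        _entry("198.51.100.9", 31, "POST", "/wp-login.php", 302, "Mozilla/5.0"),
    ]
)

if __name__ == "__main__":
    for ip, (count, first, last) in find_bruteforce(SAMPLE_LOG).items():
        print(f"{ip}: {count} failed logins between {first:%H:%M:%S} and {last:%H:%M:%S}")
```

The sliding window matters: a site with many legitimate users can see ten failures an hour without any attack, but ten from one address inside a few minutes is the pattern a login-guessing script leaves. Attempts against xmlrpc.php would need a separate check, since that endpoint answers failures differently.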
Insider Threats (Malicious or Otherwise)
An insider threat can be the result of malicious intent, or simply come down to human error. Regardless of the cause, an insider threat is the result of someone inside a company, such as an employee, who conducts an attack or triggers a security incident. Insider threats can be sophisticated and can go undetected for an extended period of time if controls like segregation of duties, job rotation, and mandatory vacations are not in place. Insider threats can also be accidental, which is why it is important to have proper security awareness training in place along with security policies that employees must agree to.
A common result of an accidental insider threat may be a DoS attack due to a simple misconfiguration of a piece of software. Another possibility is that access is granted to internal networks due to an employee falling victim to a social engineering attack. The possibilities here are endless.
While an intentional and malicious insider threat could take many forms it would likely result in the exfiltration of sensitive data over a period of time or modification of systems for some personal gain.
The key indicator that a threat actor is an insider is that there is a clear level of knowledge about how any internal systems work, or there is forensic evidence that indicates that the incident occurred via internal access that could only be granted by someone on the inside.
How might this relate to WordPress?
In WordPress, you could face an insider threat from a site’s developer. Perhaps you’ve granted access to your WordPress site to a developer and established a relationship. This developer has been doing work on your site for years, and you simply trust that they do what you ask. However, the entire time, they might have been placing spam SEO links on your site during each development project. This would be considered an insider threat that is altering the integrity of your site. It could easily go unnoticed due to the trust between you and the developer; however, it could have a significant impact on your WordPress site over time.
Likewise, a developer might cut corners by installing pirated or “nulled” versions of premium plugins or themes, which typically contain backdoors. If the developer was unaware of the dangers, this would be a case of insider threat via human error.
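Both of these scenarios, the quietly injected SEO link and the nulled plugin carrying files the real package never shipped, leave the same trace: plugin files that no longer match a known-good copy. The following is an added example, not Wordfence code, showing the check a site owner can run. It hashes a plugin directory into a baseline, then reports files that were modified, added or removed. The plugin, the injected link and the stray file are all constructed inside a temporary directory; on a real site the baseline would be taken from the vendor’s or WordPress.org’s copy and stored away from the web server.

```python
"""Compare a WordPress plugin directory against a hash baseline taken from a
known-good copy, reporting modified, added and removed files.

Added example, not Wordfence code. The plugin files, the injected link and
the stray file are all constructed inside a temporary directory.
"""
import hashlib
import tempfile
from pathlib import Path


def hash_tree(root):
    """Map every file under `root` (path relative to root, POSIX style) to its SHA-256."""
    root = Path(root)
    digests = {}
    for path in sorted(root.rglob("*")):
        if path.is_file():
            rel = path.relative_to(root).as_posix()
            digests[rel] = hashlib.sha256(path.read_bytes()).hexdigest()
    return digests


def compare(baseline, current):
    """Diff two hash maps. Keys are sorted so results are stable for reporting."""
    return {
        "modified": sorted(p for p in baseline if p in current and baseline[p] != current[p]),
        "added": sorted(p for p in current if p not in baseline),
        "removed": sorted(p for p in baseline if p not in current),
    }


def demo():
    """Build a constructed plugin, baseline it, tamper with it, and return the diff."""
    with tempfile.TemporaryDirectory() as tmp:
        plugin = Path(tmp) / "wp-content" / "plugins" / "example-plugin"
        (plugin / "includes").mkdir(parents=True)
        main_file = plugin / "example-plugin.php"
        main_file.write_text("<?php\n/* Plugin Name: Example Plugin */\n")
        (plugin / "includes" / "helpers.php").write_text("<?php\nfunction ep_helper() {}\n")

        # The baseline would normally come from the vendor's or WordPress.org's
        # copy, hashed once and kept somewhere the site's users cannot write.
        baseline = hash_tree(plugin)

        # Constructed tampering mirroring the scenarios above: a spam SEO link
        # appended to an existing file, a file that is not part of the package,
        # and a legitimate file removed.
        with main_file.open("a") as fh:
            fh.write("echo '<a href=\"https://spam.example/\">cheap pills</a>';\n")
        (plugin / "wp-cache.php").write_text("<?php // not part of the package\n")
        (plugin / "includes" / "helpers.php").unlink()

        return compare(baseline, hash_tree(plugin))


if __name__ == "__main__":
    for kind, files in demo().items():
        print(f"{kind}: {files or '-'}")
```

A file that is "added" relative to the vendor package deserves the most attention: nulled copies typically bundle their backdoor as an extra file rather than editing the plugin’s own code, so it shows up in that list even when every original file hashes clean.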
Hacktivists
Hacktivists are an interesting threat group whose main motivation is to spread awareness about political and social causes. These threat actors are often sophisticated and highly skilled, but that is not a requirement to be considered a hacktivist. There is typically no monetary benefit or personal gain for hacktivists aside from pushing their agenda. You may already be aware of one of the most widely known hacktivist groups, Anonymous.
You will likely see hacktivists taking sites offline with DDoS (Distributed Denial of Service) attacks, defacing sites with political or social messages, and “doxxing” individuals by leaking incriminating or confidential information about them.
The key indicator that a threat actor is a hacktivist is that the results of a security incident appear to push a social or political agenda.
How might this relate to WordPress?
It is not likely that your WordPress site will be taken over by hacktivists, but hacktivists often target organizations that have websites running WordPress. As such, if you run any political sites it is possible that your site could be the target of a hacktivist.
Cybercriminals (Organized Crime)
Cybercriminal threat actors are driven primarily by personal gain, which is typically monetary. They often have a relatively high skill level and try to remain anonymous since what they are doing is highly illegal. They may steal sensitive information in hopes of selling it to the highest bidder on the dark web, sell or rent access to botnets, or steal money directly from the source.
You will likely see this type of threat actor engaging in illegal cyber activity that will provide them with some sort of financial gain. An example of this would be someone exfiltrating passwords from an organization and then later selling the dump of passwords on the dark web.
The key indicator that a threat actor is a cybercriminal is that there appears to be some monetary benefit to the results of the attack.
How might this relate to WordPress?
One of the key motivators behind hacking WordPress is monetary gain, so it is most likely that the majority of the attacks you see on your WordPress site are from cybercriminals. We often see infections where sites are redirected to pharmaceutical sites or injected with spam SEO, which is likely a paid-for service.
APTs (Advanced Persistent Threat)
Advanced persistent threats are the most advanced and sophisticated threat actor group there is. They often take their time with attacks hoping to remain undetected, and will take several additional measures to ensure persistence on a compromised resource. More often than not, these threat actors are backed by nation-states which provide aid and support to these groups, helping them to remain stealthy, persistent, and successful in their goals.
Attacks from APTs often result in espionage as their intent is typically to steal confidential data that may help the nation-states they are backed by.
The key indicators that a threat actor is an APT are that the attack appears sophisticated in nature, there was a high level of stealth to the hack, and there is evidence that persistence was maintained over time.
How might this relate to WordPress?
You are not likely to see APT groups targeting WordPress sites unless the site provides them a door that will allow them further access into a restricted network.
What do we currently know about the SolarWinds Orion Hack and SUNBURST malware?
In exploring who might have been the threat actor in the SolarWinds Orion attack, there are a few details that give us an understanding of the attacker’s motive. These facts can point towards a possible threat actor.
What is SolarWinds Orion?
SolarWinds Orion is a network management system designed to make managing corporate networks more seamless by centralizing management of all of your network infrastructure in a single location. The software is developed in a compiled language, making it harder to conduct thorough code reviews with each update. This is an important distinction, as it means there would have been some level of trust required to use SolarWinds Orion.
What do we know about the targets?
We know that the malicious copies of SolarWinds Orion were deployed to nearly 18,000 customers. The evidence indicates that after the initial infection, only select customers were targeted for stage two of the attack which consisted of data exfiltration. This included government agencies like the Departments of Treasury, State, Commerce, Energy and Homeland Security along with corporations like Cisco, Microsoft, Cox Communications, VMware and FireEye.
Microsoft also announced that they notified more than 40 customers whose networks were compromised in the second phase of the attackers’ scheme. This included 30 customers from the United States as well as victims in 7 other countries: Canada, Mexico, Belgium, Spain, United Kingdom, Israel, and UAE.
A recent report by FireEye, a reputable security research firm, declared that the threat actor that gained access to their systems via SolarWinds targeted government agency information and proprietary tools. This indicates that the attacker may have had interest in government affairs and secret information and possibly wanted to use this information to further infiltrate systems.
The Intrusion Vector: Where was it planted?
Currently, we do not have much information about how the threat actors initially gained access to SolarWinds infrastructure to add the malicious updates. However, we do know that the intrusion vector for the organizations impacted by this attack was the malicious updates that were pushed out to customers sometime between March 2020 and June 2020.
We refer to this as a supply chain attack, which is the introduction of malware into a trusted piece of software that organizations are likely to use due to the trust placed in the vendor.
We can speculate that the threat actors likely had a great degree of network access and took their time when developing the malicious update. This is certainly an attack that took a long time to develop so that it would go undetected. There is also evidence that indicates the attackers ran a dry run by pushing out an update sometime in 2019. This indicates that they had a way in and wanted to verify that their methodology worked prior to any further development and malicious updates.
Security researcher Vinoth Kumar told Reuters that, last year, he alerted the company that anyone could access SolarWinds’ update server by using the password “Solarwinds123.” This FTP account could have made it possible for attackers to upload their malicious files, maintain persistence on SolarWinds’ systems, and further pivot into the entirety of SolarWinds’ development systems and build architecture. This is, however, speculative. We cannot definitively identify this as the initial intrusion vector.
The Malware: How does it work?
The malware itself is very clever. After the malicious update was pushed to a customer, it waited dormant for 12-14 days before making its first external call. This was to evade any detection within the first two weeks that organizations might perform monitoring and testing of the software update.
From that point, the malware would do some triage to determine who the target was and whether or not it was viable. This was likely in order to prioritize who the attackers wanted to target for stage two of their attack. If it detected any defense mechanisms and was unable to shut down the defensive processes, it would enable a killswitch and instruct the malware shell to not execute so as to avoid any detection.
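The two-week dormancy is aimed squarely at the habit of watching a new update closely for a while and then moving on. A defensive counterpart is to keep asking, long after deployment, which external destinations a host contacted for the first time and how long after the update that first contact came. The following is an added example, not code from the original post: it reads constructed outbound connection records (the kind a proxy or DNS log provides), pairs them with constructed deployment times, and flags destinations whose first contact falls outside an assumed 14-day monitoring window. Host names, the process name and the domains are all made up for the demonstration.

```python
"""Report the first contact from each host to each external destination after a
software deployment, and flag contacts that begin only after the monitoring
window a team typically keeps on a new update has closed.

Added example, not code from the original post. Deployment times, host names,
process name and connection records are constructed; the 14-day window is an
assumption reflecting the dormancy period described above.
"""
import csv
import io
from datetime import datetime, timedelta

# Constructed: when the management software update landed on each host.
DEPLOYMENTS = {
    "nms-01": datetime(2020, 3, 26, 9, 0),
    "nms-02": datetime(2020, 3, 26, 9, 0),
}

# Constructed outbound connection records (as a proxy or DNS log might provide).
SAMPLE_CONNECTIONS = """\
ts,host,process,dest
2020-03-26T09:05:00,nms-01,nms-agent.exe,updates.vendor.example
2020-03-26T09:05:00,nms-02,nms-agent.exe,updates.vendor.example
2020-03-31T14:00:00,nms-02,nms-agent.exe,telemetry.vendor.example
2020-04-02T09:05:00,nms-01,nms-agent.exe,updates.vendor.example
2020-04-09T12:14:00,nms-01,nms-agent.exe,k4tx.first-contact.example
2020-04-10T12:14:00,nms-01,nms-agent.exe,k4tx.first-contact.example
"""


def first_contacts(deployments, connections_csv, monitoring_window=timedelta(days=14)):
    """Return one record per (host, dest) seen after that host's deployment:
    when the destination was first contacted, how long after deployment that
    was, and whether the delay exceeds `monitoring_window`."""
    first_seen = {}
    for row in csv.DictReader(io.StringIO(connections_csv)):
        ts = datetime.fromisoformat(row["ts"])
        deployed = deployments.get(row["host"])
        if deployed is None or ts < deployed:
            continue  # unknown host, or traffic from before the update
        key = (row["host"], row["dest"])
        if key not in first_seen or ts < first_seen[key][0]:
            first_seen[key] = (ts, row["process"])

    records = []
    for (host, dest), (ts, process) in sorted(first_seen.items()):
        delay = ts - deployments[host]
        records.append({
            "host": host,
            "dest": dest,
            "process": process,
            "first_seen": ts,
            "days_after_deploy": delay.total_seconds() / 86400,
            "outside_window": delay > monitoring_window,
        })
    return records


if __name__ == "__main__":
    for r in first_contacts(DEPLOYMENTS, SAMPLE_CONNECTIONS):
        flag = "LATE FIRST CONTACT" if r["outside_window"] else "ok"
        print(f'{r["host"]} -> {r["dest"]} first seen {r["first_seen"]:%Y-%m-%d} '
              f'({r["days_after_deploy"]:.1f} days after deploy) {flag}')
```

The vendor update and telemetry hosts show up within days and are easy to allowlist; the destination that appears for the first time two weeks later, from the same process, is the one worth a closer look. The point of the report is less the threshold than the habit of reviewing new destinations per host on a schedule that outlasts the attacker’s patience.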
The Motive: What has the attacker done?
As of this writing, it appears that most attacks have been attempts to compromise the confidentiality of data by exfiltration. The attack was likely intended to gain information about targets and retrieve data, indicating that this was an espionage-based attack. There is currently no indication that data availability or integrity has been compromised.
Based on what we know, what conclusions can we draw about attribution?
It would be safe to say that the SolarWinds hack was caused by a group of individuals who had a lot of time, resources, and experience with evading detection. We can make a couple of hypotheses and assumptions as to who may have been responsible based on the evidence we have.
The motive theory: Exfiltrate sensitive data from important systems including government agencies and large corporations.
Was it a Script Kiddie?
Our probability rating: 0/10
We can very confidently say that this was not the work of a script kiddie. The campaign boasts a lot of complexity and sophistication, with evidence of a very solid foundation of technical knowledge, which is not indicative of a script kiddie and their typical capabilities. Not much analysis is needed to say that this is not the work of a script kiddie.
Was it a Hacktivist?
Our probability rating: 3/10
There is a very slight chance this was the work of a hacktivist threat actor, but there is currently no evidence to indicate that there was any social or political motive. The attackers were exfiltrating data, which could potentially have been used for a social or political agenda, since we don’t know exactly what data was being exfiltrated. With that being said, however, there did not appear to be any social or political correlation to the data being exfiltrated.
Was it an Insider Threat?
Our probability rating: 5/10
At this time we do not know how the threat actor(s) initially breached the SolarWinds Orion software to introduce the backdoor. Due to the sophistication of the attack and the timeline we have, it is plausible that there was someone working on the inside since there was clear evidence that the threat actors knew how the software and signing process worked for updates.
With that being said, however, the sophistication of the second stage of attacks indicates that this was likely the work of multiple individuals, so while it is possible there was a malicious insider that helped get the job done, it could not have been the work of a single malicious insider.
It is also not possible that this was the result of an insider threat based on error, apart from general issues with the company’s security posture.
Was it a Cybercriminal?
Our probability rating: 7/10
It is very possible this is the work of a cybercriminal or group of cybercriminals. The data being exfiltrated in stage two could be considered highly valuable and likely a prime target for a group of criminals trying to make a profit. In addition, the threat actor employed various techniques to try and evade detection which indicates that the actor had highly criminal intent.
Was it an APT (Advanced Persistent Threat)?
Our probability rating: 10/10
There is significant evidence to indicate that this is the work of an APT. Not only does the data we have point to this conclusion, but also several reputable companies with firsthand data of the breach, like FireEye, have significant evidence to support this. The malware was highly complex and designed to evade detection which is consistent with the work of APTs.
In an interview, Kevin Mandia, CEO of FireEye, stated that “the attackers set up an infrastructure to attack FireEye that was wholly unique to attacking FireEye. That takes a lot of maintenance. That takes a lot of coordination. That’s an operation — not just a hack.” This means that after the initial stage of the compromise, which was the update containing a backdoor, the attackers set up an entire clean infrastructure to attack and exfiltrate data from just FireEye, one of the many organizations that were targeted in the second stage of the attack. This takes significant manpower and resources and indicates that the threat is highly advanced with a lot of resources to achieve their goal, as they may have set up clean infrastructure for each target in their second stage.
Furthermore, there are reports that the attackers were generating SAML tokens on compromised systems in order to maintain persistence, lateral movement, and exfiltrate data from compromised systems.
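A SAML token minted with a stolen signing key is, from the service provider’s point of view, a perfectly valid token, so looking at the token alone finds nothing. What the attacker cannot fake is the identity provider’s own record of having issued it. The following is an added example, not code from the original post, of the correlation a defender can run: it cross-checks assertions a service provider accepted against the identity provider’s issuance log and reports any that the IdP never issued, that were signed with a certificate other than the known token-signing certificate, or whose lifetime exceeds an assumed one-hour policy. The event formats, assertion IDs, users and thumbprints are constructed; real federation server and cloud service logs differ and need their own parsing.

```python
"""Cross-check SAML assertions accepted by a service provider against the
identity provider's own issuance log, to surface tokens the IdP never minted.

Added example, not code from the original post. Event formats, assertion IDs,
users and certificate thumbprints are constructed; real federation server
and cloud service logs look different and need their own parsing.
"""
import json
from datetime import datetime, timedelta

# Constructed: thumbprint of the legitimate token-signing certificate.
KNOWN_SIGNING_CERTS = {"AA11BB22CC33DD44EE55FF66AA77BB88CC99DD00"}
# Assumption: policy caps assertion lifetime at one hour.
MAX_LIFETIME = timedelta(hours=1)

# Constructed IdP-side records: every assertion the federation server issued.
IDP_ISSUANCE_LOG = """\
{"assertion_id": "_a1", "user": "alice@corp.example", "issued": "2020-12-20T09:00:00", "expires": "2020-12-20T10:00:00", "cert_thumbprint": "AA11BB22CC33DD44EE55FF66AA77BB88CC99DD00"}
{"assertion_id": "_a2", "user": "bob@corp.example", "issued": "2020-12-20T09:10:00", "expires": "2020-12-20T10:10:00", "cert_thumbprint": "AA11BB22CC33DD44EE55FF66AA77BB88CC99DD00"}
"""

# Constructed SP-side records: assertions the cloud service accepted. _f1 was
# signed with the stolen legitimate key and given a day-long lifetime; _f2 was
# signed with a certificate the organisation never issued.
SP_ACCEPTED_LOG = """\
{"assertion_id": "_a1", "user": "alice@corp.example", "issued": "2020-12-20T09:00:00", "expires": "2020-12-20T10:00:00", "cert_thumbprint": "AA11BB22CC33DD44EE55FF66AA77BB88CC99DD00"}
{"assertion_id": "_a2", "user": "bob@corp.example", "issued": "2020-12-20T09:10:00", "expires": "2020-12-20T10:10:00", "cert_thumbprint": "AA11BB22CC33DD44EE55FF66AA77BB88CC99DD00"}
{"assertion_id": "_f1", "user": "svc-admin@corp.example", "issued": "2020-12-20T09:15:00", "expires": "2020-12-21T09:15:00", "cert_thumbprint": "AA11BB22CC33DD44EE55FF66AA77BB88CC99DD00"}
{"assertion_id": "_f2", "user": "carol@corp.example", "issued": "2020-12-20T09:20:00", "expires": "2020-12-20T10:20:00", "cert_thumbprint": "0000111122223333444455556666777788889999"}
"""


def _load(jsonl):
    """Parse one JSON object per non-empty line."""
    return [json.loads(line) for line in jsonl.splitlines() if line.strip()]


def audit_assertions(idp_jsonl, sp_jsonl, known_certs=KNOWN_SIGNING_CERTS, max_lifetime=MAX_LIFETIME):
    """Return {assertion_id: [reasons]} for accepted assertions that look forged
    or out of policy. A token signed with a stolen key looks valid to the service
    provider, so the decisive check is the missing IdP issuance record."""
    issued = {e["assertion_id"]: e for e in _load(idp_jsonl)}
    findings = {}
    for event in _load(sp_jsonl):
        reasons = []
        if event["assertion_id"] not in issued:
            reasons.append("no matching IdP issuance record")
        if event["cert_thumbprint"] not in known_certs:
            reasons.append("signed with unknown certificate")
        lifetime = datetime.fromisoformat(event["expires"]) - datetime.fromisoformat(event["issued"])
        if lifetime > max_lifetime:
            reasons.append("lifetime exceeds policy")
        if reasons:
            findings[event["assertion_id"]] = reasons
    return findings


if __name__ == "__main__":
    for assertion_id, reasons in audit_assertions(IDP_ISSUANCE_LOG, SP_ACCEPTED_LOG).items():
        print(f"{assertion_id}: {'; '.join(reasons)}")
```

The correlation only works if the service provider’s sign-in logs and the federation server’s issuance logs both reach a place the attacker cannot edit, and if the token-signing certificate is treated as the crown jewel it is: rotating it invalidates every token minted with the stolen copy, which is why that rotation is part of recovery from this class of compromise.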
APTs are often called nation-state threat actors as they are typically groups backed by nation-states and used to conduct espionage. Given the organizations that appear to have been targeted in the second stage of attacks, including large corporations and federal agencies, it’s highly likely this was for the benefit of a nation-state, which some believe may be China or Russia. Initial reports by the Washington Post and the New York Times attributed the attack to Russian threat actor APT 29, or “Cozy Bear”, though this has not been confirmed as of today, December 24, 2020.
In today’s post, we explored the different threat actor classifications and how these relate to WordPress users, and took a deeper dive into who may have been responsible for the SolarWinds Orion hack. With all the evidence we have today, the SolarWinds Orion hack was likely the work of an Advanced Persistent Threat (APT); however, without more evidence we can’t definitively identify a known APT. It is possible that it was China, Russia, or another sophisticated hacking group with espionage intentions. FireEye has assigned this threat actor the designation UNC2452.
WordPress site owners might not require defenses against nation-state APTs. However, understanding the motives and types of threat actors targeting WordPress sites can inform what actions you must take if your site is under attack.
We hope we provided you with enough insight today so that you can better understand who may have been responsible for this attack, as well as how important attribution is for any incident response planning or execution.