New data suggests that Russia wasn’t the only nation-state hacking customers.

By now, most people know that hackers tied to the Russian government compromised the SolarWinds software build system and used it to push a malicious update to some 18,000 of the company’s customers. On Monday, researchers published evidence that hackers from China also targeted SolarWinds customers in what security analysts have said was a distinctly different operation.

The parallel hack campaigns have been public knowledge since December, when researchers revealed that, in addition to the supply chain attack, hackers exploited a vulnerability in SolarWinds software called Orion. Hackers in the latter campaign used the exploit to install a malicious web shell dubbed Supernova on the network of a customer who used the network management tool. Researchers, however, had few if any clues as to who carried out that attack.

On Monday, researchers said the attack was likely carried out by a China-based hacking group they’ve dubbed “Spiral.” The finding, laid out in a report published on Monday by Secureworks’ Counter Threat Unit, is based on techniques, tactics, and procedures in the hack that were either identical or very similar to an earlier compromise the researchers discovered in the same network.

Pummeled on more than one front

The finding comes on the heels of word that China-based hackers dubbed Hafnium are one of at least five clusters of hackers behind attacks that installed malicious web shells on tens of thousands of Microsoft Exchange servers. Monday’s report shows that there’s no shortage of APTs—shorthand for advanced persistent threat hackers—determined to target a wide swath of US-based organizations.

“At a time when everyone is hunting for HAFNIUM webshells because of the Exchange zero-days we learned about last week, SPIRAL’s activity is a reminder that enterprises are getting pummeled on more than one front,” Juan Andres Guerrero-Saade, principal threat researcher at security firm SentinelOne, said in a direct message. The report is “a reminder of the diversity and breadth of the APT ecosystem.”

Counter Threat Unit researchers said they encountered Supernova in November as they responded to the hack of a customer’s network. Like other malicious web shells, Supernova got installed after the attackers had successfully gained the ability to execute malicious code on the target’s systems. The attackers then used Supernova to send commands that stole passwords and other data that gave access to other parts of the network.

Secureworks CTU researchers already believed that the speed and surgical precision of the movement inside the target’s network suggested that Spiral had prior experience inside it. Then, the researchers noticed similarities between the November hack and one the researchers had uncovered in August 2020. The attackers in the earlier hack likely gained initial access as early as 2018 by exploiting a vulnerability in a product known as the ManageEngine ServiceDesk, the researchers said.

“CTU researchers were initially unable to attribute the August activity to any known threat groups,” the researchers wrote. “However, the following similarities to the SPIRAL intrusion in late 2020 suggest that the SPIRAL threat group was responsible for both intrusions:”

  • The threat actors used identical commands to dump the LSASS process via comsvcs.dll and used the same output file path (see Figure 6).
    LSASS process dump from August 2020 using an identical command to the November 2020 incident.
    Enlarge / LSASS process dump from August 2020 using an identical command to the November 2020 incident.
  • The same two servers were accessed: a domain controller and a server that could provide access to sensitive business data.
  • The same ‘c:userspublic’ path (all lowercase) was used as a working directory.
  • Three compromised administrator accounts were used in both intrusions.

The CTU researchers already knew that Chinese hackers had been exploiting MangeEngine servers to gain long-term access to networks of interest. But that alone wasn’t enough to determine Spiral had its origins in China. The researchers became more confident in the connection after noticing that the hackers in the August incident accidentally exposed one of their IP addresses. It was geolocated to China.

The hackers exposed their IP address when they stole the endpoint detection software Sercureworks had sold to the hacked customer. For reasons that aren’t clear, the hackers then ran the security product on one of their computers, at which point it exposed its IP address as it reached out to a Secureworks server.

The naming convention of the hackers’ computer was the same as a different computer that the hackers had used when connecting to the network through a VPN. Taken together, the evidence collected by CTU researchers gave them the confidence that both hacks were done by the same group and that the group was based in China.

“Similarities between SUPERNOVA-related activity in November and activity that CTU researchers analyzed in August suggest that the SPIRAL threat group was responsible for both intrusions,” CTU researchers wrote. “Characteristics of these intrusions indicate a possible connection to China.”