Second SolarWinds Attack Group Breaks into USDA Payroll — Report


A second APT, potentially linked to the Chinese government, could be behind the Supernova malware.

There had been hints that a second group of malicious actors may have exploited a SolarWinds bug to install the Supernova backdoor — notably, there was a conclusion by Microsoft back in December that this was the case. Now, sources told Reuters that there’s indeed evidence that a separate advanced persistent threat (APT), likely China-backed, is behind the malware.

Reuters reported that the group targeted a Department of Agriculture payroll system, called the National Finance Center (NFC). According to Reuters, the APT’s infrastructure used in the USDA attack matches that known to be deployed by government-backed Chinese actors.

The group used a “separate vulnerability” from the Sunburst backdoor that was at the heart of the sprawling espionage campaign that came to light in December, according to Reuters. That original effort (a Russian APT is believed to be responsible) used trojanized software updates for the SolarWinds Orion network-management platform to disseminate the Sunburst malware to SolarWinds customers in a supply-chain attack. The threat actors then used that initial compromise to perform follow-on espionage attacks on selected targets.

SolarWinds confirmed that the new APT offensive was not a supply-chain attack; instead, the cyberattackers exploited a software vulnerability in Orion after it was installed in targets’ networks, in order to install the backdoor called Supernova. It was originally discovered in December, and Microsoft noted at the time that because the malware didn’t match the fingerprints of the Sunburst attack, Supernova may have originated from another APT group.

“The customer’s network was compromised in a way that was unrelated to SolarWinds,” a SolarWinds-provided statement said. “That breach enabled the attackers to add the malicious Supernova code to Orion software on the customer’s network. We are aware of one instance of this happening and there is no reason to believe these attackers were inside the SolarWinds environment at any time. This is separate from the broad and sophisticated attack that targeted multiple software companies as vectors.”

Supernova is malware designed to appear to be part of a SolarWinds product. According to a SolarWinds advisory, it consists of two components.

“The first was a malicious, unsigned webshell DLL, ‘app_web_logoimagehandler.ashx.b6031896.dll,’ specifically written to be used on the SolarWinds Orion platform. The second is the utilization of a vulnerability in the Orion platform to enable deployment of the malicious code. This vulnerability in the Orion platform has been resolved in the latest updates.”
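A triage check for the indicator the advisory describes, as an added example that is not from SolarWinds or the original article: it walks a collected copy of a web directory (the path is supplied by the analyst), matches the advisory's DLL name with the suffix wildcarded as an assumption, and flags copies whose PE header carries no embedded Authenticode certificate table. An embedded table only shows that a signature is present, not that it is valid, so results still need confirmation with a full Authenticode verification tool.

```python
import fnmatch
import struct
from pathlib import Path

# Name from the SolarWinds advisory quoted above; wildcarding the suffix is an assumption.
PATTERN = "app_web_logoimagehandler.ashx.*.dll"

def has_embedded_signature(data: bytes) -> bool:
    """True if the PE Certificate Table (data directory 4) is populated."""
    if data[:2] != b"MZ":
        raise ValueError("not a PE file")
    pe = struct.unpack_from("<I", data, 0x3C)[0]
    if data[pe:pe + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    opt = pe + 24  # optional header: after 4-byte signature and 20-byte COFF header
    magic = struct.unpack_from("<H", data, opt)[0]
    if magic not in (0x10B, 0x20B):
        raise ValueError("unknown optional header magic")
    dirs = opt + (96 if magic == 0x10B else 112)  # PE32 vs PE32+
    if struct.unpack_from("<I", data, dirs - 4)[0] <= 4:
        return False  # header declares no Certificate Table slot
    offset, size = struct.unpack_from("<II", data, dirs + 4 * 8)
    return offset != 0 and size != 0

def find_unsigned(root) -> list:
    """Paths under root that match PATTERN and carry no embedded signature."""
    hits = []
    for path in Path(root).rglob("*"):
        if not (path.is_file() and fnmatch.fnmatchcase(path.name.lower(), PATTERN)):
            continue
        try:
            signed = has_embedded_signature(path.read_bytes())
        except (ValueError, struct.error):
            signed = False  # unparsable file under this name still needs review
        if not signed:
            hits.append(path)
    return sorted(hits)

def make_sample_pe(signed: bool) -> bytes:
    """Constructed minimal PE32 header for testing; not a real DLL."""
    buf = bytearray(0x200)
    buf[:2] = b"MZ"
    struct.pack_into("<I", buf, 0x3C, 0x80)       # e_lfanew
    buf[0x80:0x84] = b"PE\0\0"
    struct.pack_into("<H", buf, 0x98, 0x10B)      # PE32 magic
    struct.pack_into("<I", buf, 0x98 + 92, 16)    # NumberOfRvaAndSizes
    if signed:
        struct.pack_into("<II", buf, 0x98 + 96 + 32, 0x180, 0x40)
    return bytes(buf)
```

Files signed only through a Windows catalog have no embedded table and will be flagged by this check.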

It should be noted that there is some question about the exact nature of the USDA cyberattack. First, a USDA spokesman told Reuters, “USDA has notified all customers (including individuals and organizations) whose data has been affected by the SolarWinds Orion code compromise.”

But, after Reuters published its story, it was updated with a follow-up statement from USDA correcting its earlier response, adding “there was no data breach related to SolarWinds.”

Threatpost has reached out for clarification.

Nation-State ‘Surfing’

The two SolarWinds-based attacks weren’t coordinated, but rather done in parallel with one another, which former U.S. Chief Information Security Officer Gregory Touhill told Reuters was common. He said this isn’t the “first time we’ve seen a nation-state actor surfing behind someone else,” which suggests that the Supernova attack group may have been aware of what the Russian APT was doing.

USDA’s hack brings the tally of compromised federal agencies related to SolarWinds to at least seven. The six previously breached by the Russians include the Departments of Energy, Homeland Security, Treasury, Commerce, Defense and the National Institutes of Health.

Reuters added that its reporting could not establish the full scope of the Supernova attack.

Sunburst APT Infiltrated SolarWinds in 2019

Starting in Feb. 2020, a Russian APT used Sunburst-laden product updates that were pushed out to more than 18,000 SolarWinds customers all over the world. There they lurked for nine months waiting for the right time to strike with follow-on attacks.

The Wall Street Journal reported this week that there is new evidence the Russian attackers were present in SolarWinds’ Office 365 email system well before that — since December 2019.

“Some email accounts were compromised,” SolarWinds’ new CEO Sudhakar Ramakrishna told the outlet. “That led them to compromise other email accounts and as a result our broader (Office) 365 environment was compromised.”

The nation-state-backed adversaries didn’t just target government agencies; they also attacked security vendors, including CrowdStrike, Fidelis, FireEye, Malwarebytes, Palo Alto Networks and Qualys. Many of these targets, such as CrowdStrike, were fortunately able to avoid compromise.

Aftermath: Biden Earmarks $10B for Cybersecurity

The new Biden administration has pledged additional resources to shore up the U.S. government’s cybersecurity efforts, earmarking a $10 billion down payment to expand the Cybersecurity and Infrastructure Security Agency (CISA). The SolarWinds cleanup will be a first priority. Tom Kellermann, researcher with VMware Carbon Black, calls it a good “down payment.”

“That number should probably be about $100 billion over time,” said Kellermann. “And I hope that there’s a classified cybersecurity spend that exceeds that, in a classified… military appropriation budget.”

While government agencies continue to find out just how deep, wide and devastating the SolarWinds breach really was, this incident should serve as a warning to every system administrator across the world about proper security hygiene, researchers said.

“It’s not surprising to see China — or any adversary with strong forensic and coding capabilities — working to discover and exploit flaws in any software that touches sensitive information such as payroll,” Rosa Smothers, a former CIA threat analyst and current vice president at KnowBe4 said via email. “SolarWinds released a patch in December to repair this vulnerability, which reinforces what we’ve said all along: Patch your systems early and often.”
