Microsoft: A 2nd Group May Have Also Breached SolarWinds

A ‘different threat actor’ may be responsible for the malware known as Supernova that has been found installed in SolarWinds Orion.


An investigation suggests that more than one group has installed a malicious backdoor into the SolarWinds Orion network monitoring platform, with the malware apparently “unrelated” to the initial supply chain compromise, Microsoft disclosed.

In a blog post by the Microsoft 365 Defender Research Team, the company reported that a “different threat actor” appears to be responsible for installing the malware that some researchers have referred to by the name Supernova.

Microsoft does not refer to the backdoor by any certain name, and declined to comment further after a request from CRN. Analyses from Palo Alto Networks, Symantec and other researchers have been using the name Supernova for the malware in question.

But those earlier analyses did not raise the possibility that a second group—separate from the suspected Russian hackers behind the initial compromise of SolarWinds—was responsible for Supernova.

Microsoft’s research team mentions the finding at the very end of its blog post from Friday afternoon, calling the discovery “an interesting turn of events.”

“The investigation of the whole SolarWinds compromise led to the discovery of an additional malware that also affects the SolarWinds Orion product but has been determined to be likely unrelated to this compromise and used by a different threat actor,” the Microsoft research team said in the post.

The malware is a small backdoor—specifically, a DLL file—that can enable remote code execution via the SolarWinds Orion web application server, according to the post.

Unlike the previously reported SolarWinds breach, “this malicious DLL does not have a digital signature, which suggests that this may be unrelated to the supply chain compromise,” Microsoft said in the post.
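The signature detail above is the one concrete triage criterion the post gives a defender: a DLL under the Orion web application directory with no valid Authenticode signature. The following PowerShell script is an added example (not code from Microsoft's post or from SolarWinds) that inventories DLLs under an assumed Orion install root, records which ones are unsigned or fail signature validation, and saves the result with file hashes for the incident file; the install path is a placeholder and should be adjusted to the host being examined.

```powershell
# Added defender-side check: list DLLs under the Orion install tree whose
# Authenticode signature is missing or does not validate.
# Assumption (not from the article): the root below is a placeholder for the
# directory where Orion is installed on this host; change it before running.
param(
    [string]$OrionRoot = 'C:\Program Files (x86)\SolarWinds\Orion'   # assumed default path
)

if (-not (Test-Path -LiteralPath $OrionRoot)) {
    Write-Error "Orion root not found: $OrionRoot"
    exit 1
}

# Walk the tree once and collect signature status, signer and a hash per DLL.
$findings = Get-ChildItem -LiteralPath $OrionRoot -Recurse -Filter '*.dll' -File -ErrorAction SilentlyContinue |
    ForEach-Object {
        $sig = Get-AuthenticodeSignature -FilePath $_.FullName
        [pscustomobject]@{
            Path      = $_.FullName
            Status    = $sig.Status            # Valid, NotSigned, HashMismatch, UnknownError ...
            Signer    = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '' }
            SHA256    = (Get-FileHash -LiteralPath $_.FullName -Algorithm SHA256).Hash
            LastWrite = $_.LastWriteTimeUtc
        }
    }

# Anything that is not validly signed matches the condition the post describes
# for the second backdoor and deserves a closer look (including the signer,
# since "signed" by an unexpected party is no better than unsigned).
$suspect = $findings | Where-Object { $_.Status -ne 'Valid' }

$suspect | Sort-Object Status, Path | Format-Table -AutoSize Status, Signer, LastWrite, Path

# Keep a record with hashes so the files can be correlated with vendor advisories later.
$suspect | Export-Csv -LiteralPath "$env:TEMP\orion-unsigned-dlls.csv" -NoTypeInformation
```

Run it from an elevated prompt on the Orion server; an empty table means every DLL under the root carries a valid signature, not that the host is clean, so pair it with the vendor's own guidance and file-integrity baselines.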

A message to SolarWinds asking about the Microsoft report did not receive an immediate response Monday.

The revelation that a second group may have succeeded at breaching SolarWinds obviously makes the situation even more troubling, said Dave Mahoney, enterprise services architect at Blue Bell, Pa.-based Anexinet, No. 212 on CRN’s Solution Provider 500.

While an often-repeated maxim about security is that there are two types of companies—those who’ve been hacked, and those who’ve been hacked but don’t know it yet—SolarWinds actually falls into both categories right now, Mahoney said.

“If there’s one [backdoor] in there, that’s one thing. But now that there’s two—and somebody else is finding these things and not them—that shows a significant lack of control as far as I’m concerned,” he told CRN on Monday. “If there are two, could there be more? Sure.”

Ultimately, for SolarWinds, “I think they need to start having some very serious forensic analysis done of their network and perimeter security. And they need to start taking a look at what they can do to get their development operations tightened up and secure,” Mahoney said.

Microsoft, meanwhile, is also among the high-profile companies impacted by the initial SolarWinds attack. Media reports and company messages have focused on Office 365, Azure Active Directory and a key domain name as the main targets. Multiple victims of the SolarWinds attack have reportedly had their Office 365 accounts broken into.

However, in a statement to CRN last week, Microsoft said that “we have not found evidence of access to production services or customer data” resulting from the SolarWinds breach.

“Our investigations, which are ongoing, have found absolutely no indications that our systems were used to attack others,” Microsoft’s statement said.

Other companies that were hit with the initial SolarWinds malware include FireEye—which first disclosed the breach on Dec. 13—as well as Cisco Systems and VMware. The Wall Street Journal reported Monday morning that Intel, Nvidia, Belkin International and Deloitte Consulting are also among the affected companies.

The attack has also led to breaches at U.S. government agencies including the Treasury and Commerce Departments as well as the Departments of Defense, State, Energy and Homeland Security.

Still, only about 50 of the 18,000 organizations that installed the malicious SolarWinds Orion code on their networks were “genuinely impacted” by the campaign, FireEye CEO Kevin Mandia said on Sunday.

“It’s important to note everybody says this is potentially the biggest intrusion in our history,” Mandia said Sunday on CBS’ Face the Nation. “[But] the reality is the blast radius for this, I kind of explain it with a funnel … It’s probably only about 50 organizations or companies, somewhere in that zone that’s genuinely impacted by the threat actor.”

Mandia stopped short of attributing the campaign to Russia’s foreign intelligence service (SVR), also known as APT29 or Cozy Bear, an attribution first reported by The Washington Post on Dec. 13.

Mandia told CBS that there’s “definitely a nation” behind the attack, and acknowledged that “this is an attack very consistent with” what the SVR is known for, but didn’t want to officially blame the attack on them.