By now, most people know that hackers tied to the Russian government compromised the SolarWinds software build system and used it to push a malicious update to some 18,000 of the company’s customers. On Monday, researchers published evidence that hackers from China also targeted SolarWinds customers in what security analysts have said was a distinctly different operation.
The parallel hack campaigns have been public knowledge since December, when researchers revealed that, in addition to the supply chain attack, hackers exploited a vulnerability in Orion, SolarWinds’ network management software. Hackers in the latter campaign used the exploit to install a malicious web shell dubbed Supernova on the network of a customer who used the network management tool. Researchers, however, had few if any clues as to who carried out that attack.
On Monday, researchers said the attack was likely carried out by a China-based hacking group they’ve dubbed “Spiral.” The finding, laid out in a report published on Monday by Secureworks’ Counter Threat Unit, is based on tactics, techniques, and procedures in the hack that were either identical or very similar to those in an earlier compromise the researchers had discovered in the same network.
Pummeled on more than one front
The finding comes on the heels of word that China-based hackers dubbed Hafnium are one of at least five clusters of hackers behind attacks that installed malicious web shells on tens of thousands of Microsoft Exchange servers. Monday’s report shows that there’s no shortage of APTs—shorthand for advanced persistent threat hackers—determined to target a wide swath of US-based organizations.
“At a time when everyone is hunting for HAFNIUM webshells because of the Exchange zero-days we learned about last week, SPIRAL's activity is a reminder that enterprises are getting pummeled on more than one front,” Juan Andres Guerrero-Saade, principal threat researcher at security firm SentinelOne, said in a direct message. The report is “a reminder of the diversity and breadth of the APT ecosystem.”
Counter Threat Unit researchers said they encountered Supernova in November as they responded to the hack of a customer’s network. Like other malicious web shells, Supernova was installed only after the attackers had already gained the ability to execute malicious code on the target’s systems. The attackers then used Supernova to send commands that stole passwords and other data, which in turn gave them access to other parts of the network.