Secureworks: A second threat actor that targets SolarWinds flaws by adding backdoors via Orion bugs has characteristics that suggest it is based in China (Catalin Cimpanu/The Record).
Attacks on SolarWinds Servers also linked to Chinese Threat Actor
In December 2020, just days after the huge SolarWinds supply-chain attack was revealed, Microsoft warned of a second threat actor that was targeting SolarWinds Orion servers installed on customer premises.
This second group of attacks didn’t target the SolarWinds update infrastructure. Instead, it exploited an authentication bypass flaw (CVE-2020-10148) in the SolarWinds Orion API and used it to install web shells on Orion servers.
The web shell, codenamed SUPERNOVA, gave the threat actors a foothold inside company networks from which they could steal data.
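To make the two steps above concrete, here is an added example (written for this page, not code from Secureworks, SolarWinds or The Record) that scans IIS W3C log lines from an Orion server for the CVE-2020-10148 authentication-bypass tokens and for requests that look like SUPERNOVA web-shell invocations. The indicator strings are the publicly documented ones: the bypass tokens from the SolarWinds and CISA advisories, and the `codes`/`clazz`/`method`/`args` parameters of the trojanized `logoimagehandler.ashx`. The log excerpt, the field layout and the IP addresses are constructed for the example.

```python
"""Hunt for CVE-2020-10148 bypass requests and SUPERNOVA web-shell calls in IIS logs.

Added example for this page; the log lines are constructed and the field
layout is an assumed W3C format: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status.
"""
import re
from urllib.parse import parse_qs

# Appending one of these strings to an Orion URI skipped authentication (CVE-2020-10148).
BYPASS_TOKENS = ("WebResource.adx", "ScriptResource.adx", "i18n.ashx", "Skipi18n")

# SUPERNOVA was a trojanized logoimagehandler.ashx that compiled and executed
# C# supplied through these request parameters.
SUPERNOVA_HANDLER = "logoimagehandler.ashx"
SUPERNOVA_PARAMS = {"codes", "clazz", "method", "args"}

# Constructed IIS W3C log excerpt (not real traffic).
SAMPLE_LOG = """\
#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status
2020-11-12 03:14:07 10.0.0.5 GET /Orion/Login.aspx - 200
2020-11-12 03:14:09 203.0.113.7 GET /SolarWinds/InformationService/v3/Json/Query WebResource.adx 200
2020-11-12 03:14:10 203.0.113.7 GET /web.config.i18n.ashx - 200
2020-11-12 03:15:22 203.0.113.7 POST /Orion/logoimagehandler.ashx clazz=Test&method=Run&args=x&codes=dXNpbmc 200
2020-11-12 03:16:01 10.0.0.9 GET /Orion/logoimagehandler.ashx id=1 200
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\S+) (\S+) (\d+)$")


def parse_iis_line(line):
    """Parse one W3C log line into a dict; return None for comments or malformed lines."""
    if not line or line.startswith("#"):
        return None
    m = LINE_RE.match(line)
    if not m:
        return None
    date, time, ip, method, stem, query, status = m.groups()
    return {
        "ts": f"{date} {time}",
        "ip": ip,
        "method": method,
        "stem": stem,
        "query": "" if query == "-" else query,
        "status": int(status),
    }


def classify(entry):
    """Return the list of findings for a parsed entry (empty if it looks benign)."""
    findings = []
    url = entry["stem"] + ("?" + entry["query"] if entry["query"] else "")
    # The bypass token may sit in the path or the query string, so check the whole URI.
    for token in BYPASS_TOKENS:
        if token.lower() in url.lower():
            findings.append(f"auth-bypass:{token}")
            break
    # The legitimate handler takes an "id" parameter; SUPERNOVA's control parameters
    # (codes/clazz/method/args) never appear in normal Orion traffic.
    if entry["stem"].lower().endswith(SUPERNOVA_HANDLER):
        present = SUPERNOVA_PARAMS & set(parse_qs(entry["query"]).keys())
        if present:
            findings.append("supernova-webshell:" + ",".join(sorted(present)))
    return findings


def scan(log_text):
    """Return (timestamp, client ip, uri stem, findings) for every suspicious line."""
    hits = []
    for line in log_text.splitlines():
        entry = parse_iis_line(line)
        if entry is None:
            continue
        findings = classify(entry)
        if findings:
            hits.append((entry["ts"], entry["ip"], entry["stem"], findings))
    return hits


if __name__ == "__main__":
    for ts, ip, stem, findings in scan(SAMPLE_LOG):
        print(ts, ip, stem, ", ".join(findings))
```

Run against real logs, the interesting pivot is the client IP: a bypass hit followed minutes later by a `logoimagehandler.ashx` request carrying `clazz`/`method`/`args` from the same address is the sequence the article describes, and the `codes` parameter (base64-encoded C# source) is what to extract for analysis.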
At the time, neither the Cybersecurity and Infrastructure Security Agency nor Palo Alto Networks linked the web shell to the group behind the SolarWinds supply-chain attack, which the US government attributed to Russia. They instead described the SUPERNOVA exploitation as separate activity that took place in tandem with the larger and more intrusive supply-chain attack.
Secureworks solves the SUPERNOVA mystery
Secureworks, a cybersecurity firm, said in a report that it discovered links between the SUPERNOVA attacks and attacks carried out last August against Zoho ManageEngine servers, which were exploited using a zero-day that had been published on Twitter.
Secureworks said it is tracking the threat actor under the codename SPIRAL and that the “characteristics” of the activity indicate the group is based in China.
Secureworks stated today that similarities between the SUPERNOVA-related activity in November (against the Orion server) and activity that CTU researchers analyzed in August (against the Zoho server) suggest that both intrusions were carried out by the SPIRAL threat group, and that characteristics of these intrusions suggest they may have been connected to China.
Secureworks didn’t say whether the SPIRAL group is affiliated with Chinese government-backed cyber operations or is simply an ordinary cybercrime outfit looking to gain access to, plunder, or ransom corporate environments.