Secureworks: The second threat actor who targets SolarWinds flaws through Orion bugs backdoors has characteristics that indicate the group is based in China (Catalin Cimpanu/The Record).
Attacks on SolarWinds Servers Are Also Linked To Chinese Threat Actor
In December 2020, days following the massive SolarWinds supply chains attack, Microsoft warned that a second threat actor was targeting SolarWinds Orion server installations on customer premises.
This second group did not attempt to compromise the SolarWinds app infrastructure. They instead exploited a CVE-2020-10148 authentication bypass vulnerability in the SolarWinds Orion API, which allowed them to install web shells on Orion servers of companies.
Also, read INSIDE BITCLOUT TWITTER 170M ROBERTS DECRYPT
SUPERNOVA was codenamed the web shell. This allowed attackers to steal data from the company’s internal networks.
Reports by the Cybersecurity and Infrastructure Security Agency and Palo Alto Networks at that time did not link this malware with the threat group behind SolarWinds supply-chain attack. The US government had formally linked Russia and described any exploitation of the attack as occurring in parallel to the wider and more intrusive supply-chain attack.
Secureworks solves the SUPERNOVA mystery
Secureworks published a report today in which it said that it discovered links between SUPERNOVA malware and attacks last August on Zoho ManageEngine servers. Secureworks is also used as a zero-day publication on Twitter.
Secureworks claimed it was tracking this threat actor using the codename Spiral. It also stated that “characteristics suggest that the group is located in China.”
Secureworks stated today that “Similarities in SUPERNOVA-related activity [against Orion Servers] in November and activity that CTU researchers examined in August [against Zoho Servers] suggest that the SPIRAL Threat Group was responsible for both intrusions.” These intrusions could be linked to China.
Secureworks did not specify if the Spiral Group was associated with Chinese government-backed cyber operations. Or if they are just regular cybercrime outfits looking to access, plunder and ransom corporate environments.