Friday, 23 April 2021 09:04

SolarWinds: use of US infrastructure kept NSA out of probe, claims RiskIQ Featured


The use of infrastructure based in the US by the attackers in the first stage of the SolarWinds supply chain compromise is one factor which has inhibited the investigation into the incident, as this meant it was effectively blocked from being pursued by the NSA, the security firm RiskIQ says.

In a blog post, the company's Team Atlas said the other factor that could have blocked the progress of the investigation beyond the second, more targeted stage was the attackers' skill in not leaving a trail of patterns that were normally identified and tracked by threat hunters.

On 16 April, the US Government alleged that the Russian security agency known as the Foreign Intelligence Service was responsible for the attack.

To date, no cyber security company, including FireEye, the firm that first made the SolarWinds compromise public, has attributed the attack to any country.

The attack came to light in December last year, when FireEye publicised the compromise, five days after having revealed that its own Red Team tools had been stolen.

RiskIQ claimed while the espionage campaign itself was progressing, "public-facing research into the campaign is not".

"That’s in part because piecing together what happened so far is exceptionally challenging," the company's researchers wrote. "The threat actor, identified by the US government as APT29, but tracked in the private industry as UNC2452, took great pains to avoid creating the type of patterns that make tracing them easy.

"For months, the Russians successfully compromised or blinded the very security companies and government agencies most likely to pursue them."

A large part of the RiskIQ post covered material that has already been ventilated, with companies like FireEye, Microsoft and Volexity issuing briefs since the initial exposure by FireEye.

The post said a review of all the previously published indicators of compromise had led to its researchers noticing that a majority of SSL certificates used were issued by Sectigo (formerly Comodo CA).

"Additionally, they were all of a particular class called 'PositiveSSL' which costs about US$11 (A$14.3) a year per domain," the post said. "The issue date of the certificates otherwise known as 'Not Before' in x509 terminology was often more than a week prior to when the certificate itself was deployed in the wild. Or in several cases more than 40 days later."

However, a search for all the certificates issued by Sectigo brought up 334,053 results, far too many to be useful on its own.
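To show why the issuer alone is too broad a pivot while the combined heuristic RiskIQ describes (Sectigo issuer, PositiveSSL class, and a "Not Before" date well ahead of first deployment) narrows the set, here is an added example, not RiskIQ's own tooling; the `CertObservation` fields, the `product` label and the sample records are constructed assumptions standing in for passive-SSL data.

```python
from dataclasses import dataclass
from datetime import date


@dataclass(frozen=True)
class CertObservation:
    """One passive-SSL sighting: a certificate first seen serving on a domain (hypothetical schema)."""
    domain: str
    issuer: str       # organisation from the certificate's Issuer field
    product: str      # assumed label for the certificate class, e.g. "PositiveSSL"
    not_before: date  # X.509 "Not Before" (issue date)
    first_seen: date  # first date the certificate was observed in the wild


MIN_LAG_DAYS = 7  # the post notes deployment often lagged issuance by more than a week


def issuance_lag_days(obs: CertObservation) -> int:
    """Days between the certificate's issue date and its first observed deployment."""
    return (obs.first_seen - obs.not_before).days


def matches_pattern(obs: CertObservation, issuer: str = "Sectigo",
                    product: str = "PositiveSSL", min_lag: int = MIN_LAG_DAYS) -> bool:
    """True when issuer, certificate class and issuance lag all fit the described pattern."""
    return (obs.issuer == issuer and obs.product == product
            and issuance_lag_days(obs) >= min_lag)


def count_by_issuer(observations, issuer: str = "Sectigo") -> int:
    """The broad pivot: how many records an issuer-only search returns."""
    return sum(1 for o in observations if o.issuer == issuer)


def pivot(observations, **criteria) -> list[str]:
    """The narrowed pivot: domains whose certificate fits every criterion, sorted for stable output."""
    return sorted(o.domain for o in observations if matches_pattern(o, **criteria))


# Constructed sample data; domains use the reserved .test TLD and are not real indicators.
SAMPLE = [
    CertObservation("example-a.test", "Sectigo", "PositiveSSL", date(2020, 2, 1), date(2020, 2, 20)),
    CertObservation("example-b.test", "Sectigo", "PositiveSSL", date(2020, 3, 10), date(2020, 3, 12)),
    CertObservation("example-c.test", "Let's Encrypt", "DV", date(2020, 4, 1), date(2020, 4, 30)),
    CertObservation("example-d.test", "Sectigo", "EV", date(2020, 5, 1), date(2020, 6, 20)),
    CertObservation("example-e.test", "Sectigo", "PositiveSSL", date(2020, 6, 5), date(2020, 7, 20)),
]

if __name__ == "__main__":
    print("issuer-only hits:", count_by_issuer(SAMPLE))  # 4: too broad to act on
    print("pattern hits:", pivot(SAMPLE))                 # ['example-a.test', 'example-e.test']
```

Against real passive-SSL data the same function would take the issuer and "Not Before" from the parsed certificate and the first-seen date from the scanning source, with the result treated as a lead for further pivoting (such as the HTTP banner work described next), not as attribution on its own.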

The RiskIQ team then looked at finding patterns from HTTP banner responses using previously identified domains and IP addresses, as Volexity had done.

Collating this data, RiskIQ said it had managed to find a number of additional domains that could be connected to the attacks.



Sam Varghese

Sam Varghese has been writing for iTWire since 2006, a year after the site came into existence. For nearly a decade thereafter, he wrote mostly about free and open source software, based on his own use of this genre of software. Since May 2016, he has been writing across many areas of technology. He has been a journalist for nearly 40 years in India (Indian Express and Deccan Herald), the UAE (Khaleej Times) and Australia (Daily Commercial News (now defunct) and The Age). His personal blog is titled Irregular Expression.
