SolarWinds Compromise: Insights Into The Attacker Domain Infrastructure

Many details regarding the compromise of network monitoring software vendor SolarWinds have come to light, but key details are still emerging. HYAS was privately invited to analyze data relating to the initial command and control infrastructure used during the compromise, and uncovered new information. This blog provides details about the registration and creation of the malicious domain infrastructure used to control potentially thousands of computer systems compromised during the months-long SolarWinds breach. 

The domain avsvmcloud[.]com used for command and control (C2) during the compromise was purchased using Bitcoin. The Bitcoin wallet was initially funded from a wallet attached to an exchange in Singapore, and all of the funds were then spent, zeroing out the balance. The Bitcoin wallet was never used again. 

The threat actor took multiple steps to mask the domain ownership and make the domain registration appear to originate from Italy. The threat actor registered the domain using an Italian identity assembled from multiple elements. The name, address, and phone number used to register the domain were all real; however, the various pieces of information were unrelated to each other, and likely unrelated to the actor. The actor also compromised a system with an Italian IP address so that all of the internet traffic used to register and update the malicious domain originated from Italy. All of these steps would escape notice and avoid raising suspicion. 

The host in Italy used to register the domain appears to have been compromised through a Remote Desktop Protocol (RDP) weakness exploited by the adversary. A scan of the Italian IP address shows that port 3389 (TCP/RDP) is open and that the system is running Windows Server 2012 R2, currently logged in as Administrator. The attacker could have compromised the system using guessed, stolen or purchased credentials. This particular host has a history of hosting malware (link requires registration) and has been used for multiple malicious purposes. 

Bitcoin exchange users tend to find and use exchanges that are localized in their own language. Criminals using Bitcoin tend to avoid exchanges that are known to comply with law enforcement requests. The transactions used to purchase the C2 domain were funded by an exchange based in Singapore called Cointiger. While at first blush one might think the threat actor was located in Asia, that could be an adversary trying to cover their tracks or redirect attention. HYAS analysts frequently observe criminal enterprises cashing out illicit Bitcoin from ransoms and other illicit activities at Huobi and Binance cryptocurrency exchanges, but find the Cointiger exchange to be a far less common destination.

The C2 domain avsvmcloud[.]com was established over two years prior to the active compromise of SolarWinds Orion that started in March 2020. After being registered, it was subsequently moved from the initial registrar to GoDaddy (the current domain registrar for the malware C2 server). 

The adversary behind the SolarWinds compromise demonstrated exceptional operational security (OPSEC) discipline. For example, the malware used in the attack can lie dormant for up to two weeks before beaconing out to C2 infrastructure. And as described above, the steps taken to cloak the origins of the attack infrastructure indicate a threat actor who is careful, methodical, patient and meticulous. 
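Because the implant can wait up to two weeks before its first beacon, the useful detection signal in resolver logs is whether any host ever resolved the C2 domain (or a subdomain of it), and when each host was first seen doing so, rather than query volume. The following is an added example written for this post, not HYAS tooling or code from the post itself. It assumes a constructed, simplified resolver log format (timestamp, client IP, query name, query type); real DNS server logs differ and the regex would need adjusting. The only indicator it uses is the domain named in the post.

```python
"""Flag DNS queries for a known C2 domain (and its subdomains) in resolver log lines.

Added example, not from the HYAS post. The log line shape below is an assumed,
constructed format: "<ISO-8601 timestamp> <client-ip> <query-name> <query-type>".
"""
import re
from dataclasses import dataclass

# Indicator taken from the post, stored defanged the way intel reports write it.
KNOWN_C2_DOMAINS = {"avsvmcloud[.]com"}

# Assumed log line format (constructed for this example).
LOG_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<client>\S+)\s+(?P<qname>\S+)\s+(?P<qtype>\S+)$")


@dataclass(frozen=True)
class Hit:
    ts: str
    client: str
    qname: str


def refang(domain: str) -> str:
    """Turn a defanged indicator such as avsvmcloud[.]com into a matchable, normalised name."""
    return domain.replace("[.]", ".").lower().rstrip(".")


def is_c2_query(qname: str, c2_domains=KNOWN_C2_DOMAINS) -> bool:
    """True if qname equals a C2 domain or is a subdomain of one.

    Matching is done on a label boundary ("." + domain) so that an unrelated
    name that merely ends with the same characters, e.g. notavsvmcloud.com,
    does not produce a false positive.
    """
    q = refang(qname)
    return any(q == d or q.endswith("." + d) for d in map(refang, c2_domains))


def scan_dns_log(lines, c2_domains=KNOWN_C2_DOMAINS):
    """Return a Hit for every parseable log line whose query name matches a C2 domain."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue  # skip lines that do not fit the assumed format
        if is_c2_query(m["qname"], c2_domains):
            hits.append(Hit(m["ts"], m["client"], refang(m["qname"])))
    return hits


def clients_by_first_seen(hits):
    """Earliest matching query per client IP.

    With a long dormancy period, first-seen time per host is what lets an
    analyst bound when each machine started beaconing. ISO-8601 timestamps
    in UTC compare correctly as strings.
    """
    first = {}
    for h in hits:
        if h.client not in first or h.ts < first[h.client]:
            first[h.client] = h.ts
    return first


# Constructed sample resolver log (not real traffic). Includes one exact-domain
# query, one subdomain query, one near-miss that must NOT match, and a malformed line.
SAMPLE_LOG = [
    "2020-03-20T02:11:05Z 10.0.5.17 www.example.org A",
    "2020-04-03T13:42:10Z 10.0.5.17 xyz123.avsvmcloud.com A",
    "2020-04-01T08:00:00Z 10.0.5.42 avsvmcloud.com. A",
    "2020-04-02T09:30:00Z 10.0.5.99 notavsvmcloud.com A",
    "this line is not in the expected format",
]

if __name__ == "__main__":
    for h in scan_dns_log(SAMPLE_LOG):
        print(f"{h.ts} {h.client} -> {h.qname}")
    for client, ts in sorted(clients_by_first_seen(scan_dns_log(SAMPLE_LOG)).items()):
        print(f"first seen: {client} at {ts}")
```

Run against the constructed log, the scan reports two hits (the exact domain with a trailing dot and the subdomain) and ignores the near-miss and the malformed line; the first-seen table then gives one timestamp per affected client, which is the starting point for scoping how long each host may have been in contact with the C2 domain.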

HYAS continues to analyze and investigate the data that has been shared with us. We intend to report on any related malicious infrastructure as we research and validate the information. 

This information was gathered through the efforts of HYAS Intelligence Services and informed by HYAS Insight.
