News

Microsoft Drops 'Solorigate' for 'Nobelium' in Ongoing SolarWinds Attack Investigations

• By Kurt Mackie
• 03/05/2021

Microsoft this week described "three new pieces" of malware that were used in the SolarWinds Orion espionage attacks dubbed "Solorigate," although Microsoft security researches are now calling it "Nobelium."

These three malware elements were customized for specific kinds of networks and "may have been on compromised systems as early as June 2020," the announcement indicated. The malware, called "GoldMax," "Sibot" and "GoldFinder," only take action after a network is compromised, kicking off another stage of the attack.

Nobelium Malware
Here's what the malware does, in a nutshell:

• GoldMax, written in the Go language, serves as a "command-and-control backdoor" for the attacker, who can customize its configuration. It creates decoy traffic to disguise its operations.
• Sibot, written using VBScript, permits attackers to download and execute payloads from a remote command-and-control server. It uses file names that mimic Windows file names.
• GoldFinder, written in Go, "can identify all HTTP proxy servers and other redirectors" in a network in order to reach the attacker's outside command-and-control center.

Previously, Microsoft's preferred descriptor for these attacks, which targeted government agencies and software companies, was "Solorigate." The Solorigate term referred specifically to the initial supply-chain software implant that tainted SolarWinds' Orion management software at the build stage.

Other researchers and SolarWinds itself didn't use the Solorigate term and instead referred to this initial software component as "Sunburst." Later, it was discovered that other methods besides this software implant were used by the attackers to compromise networks and gain access to e-mail traffic.

A secondary element employed by this advanced persistent threat (APT) group drops a Cobalt Strike tool that connects to an outside command-and-control server. This secondary element often gets called "Teardrop" by security researchers, although there's said to be a "Raindrop" variant.

In any case, researchers at the Microsoft Threat Intelligence Center are now using the Nobelium label to refer to both the APT actor and its attack tools.

"Microsoft Threat Intelligence Center (MSTIC) is naming the actor behind the attacks against SolarWinds, the SUNBURST backdoor, TEARDROP malware, and related components as NOBELIUM," the announcement explained.

The change in nomenclature is already in effect at the Microsoft Security Response Center's landing page for the SolarWinds Orion investigations. That page gets updated with Microsoft's latest information about the attacks.

Nation-State Attacker
Nobelium is a radioactive element, and element names get used by Microsoft's security researchers to refer to nation-state actors. While Russia has been named as a suspect in the SolarWinds Orion attacks, Microsoft's announcement stopped short of associating Nobelium with Russia.

Last year, Microsoft published a chart showing Russia as having "Krypton," "Strontium," and "Yttrium" cyberattack groups, as found in this Microsoft announcement.

Microsoft noted that it is continuing to research the attack in conjunction with software security solutions firm FireEye. It was FireEye that first discovered the attacks. The attacks affected on-premises servers to gain access to Microsoft 365 e-mail services. In Senate testimony, Microsoft President Brad Smith credited FireEye for being the first to alert Microsoft to the attacks, which went undetected on servers.

Even though FireEye and Microsoft are collaborating, they still use different names to describe the attacks. FireEye refers to the APT group in the SolarWinds Orion attacks as "UNC2452," not Nobelium.

This week, FireEye published its own analysis of a "second-stage backdoor written in GoLang" associated with the SolarWinds Orion attacks. The backdoor, called "Sunshuttle" by FireEye, appears to be similar to Microsoft's GoldMax backdoor.