Hacker writing code for malware showing second hacking team targeting SolarWinds

Microsoft Discovers A Second Hacking Team Exploiting SolarWinds Orion Software

Microsoft’s security research blog says that a second hacking team distinct from the Russian SolarWinds hacking group also targeted the Texas-based software company since the beginning of the year.

The new malware that also affects the SolarWinds Orion platform was named SUPERNOVA. The discovery of the new hacking team suggests that multiple threat actors conducted parallel attacks on SolarWinds unaware of each other.

The second hacking team operated independently from the reportedly Russian hackers

Microsoft detected a second malware that imitates SolarWinds’ Orion product but was not digitally signed, unlike in the other attack, suggesting this second group of hackers did not share access to SolarWinds’ internal network.

Details were unclear whether SUPERNOVA exploits were deployed against any targets in the wild, including customers of SolarWinds’ Orion products.

Consequently, the new hacking team could have independently targeted SolarWinds’ customers initially targeted by the Russian state-sponsored hacking team.  Additional information also shows that the second malware was created in late March, based on the malware file’s build time.

This discovery posits that the two campaigns ran parallel to each other during the period when the first SolarWinds breach was detected. However, Microsoft discovered no evidence of collaboration, thus suggesting that the attackers may have duplicated their efforts to breach SolarWinds’ internal systems.

Additionally, the second hacking team could have originated from Russia or a different country seeking high-valued information from the United States, such as China, North Korea, Iran, among others.

The attack resembles the hacking of the Democratic National Committee (DNC) servers in 2016. During the DNC server breach, threat detection firm CrowdStrike reported that two Russian hacking teams Fancy Bear and Cozy Bear independently breached the party’s systems.

SolarWinds acknowledges the existence of the second hacking team

In a statement, a SolarWinds spokesman said that the company was “in the early days of investigation” of the subsequent breach. He also promised that the company “remains focused on collaborating with customers and experts to share information” and address SUPERNOVA.

Within a few days, SolarWinds has transitioned from being a household name to one of the most dreaded companies associated with one of the most notorious cyber espionage campaigns in the history of the United States and the world.

Most companies have already deactivated the affected Orion software, and many affected organizations will likely avoid SolarWinds’ products altogether.

The company is also likely to face stiff penalties from data regulators, predicting a gloomy future of the once-respected software company.

The intrusions originating from SolarWinds data breaches could also take years to detect, given that the hacking teams accessed highly-sensitive information over a long period.

Similarly, given the nature and the sheer amount of the stolen information, the effects of SolarWinds’ breach could be impossible to determine for many years to come.