The SolarWinds hack affected several government agencies and technology companies in the U.S. and worldwide. The attackers are believed to have compromised the trusted IT management software as early as March 2020, but the intrusion only came to light in December 2020.
Owing to the scale of the breach, several cybersecurity organizations, principally FireEye and other companies such as Open Source Context, released lists of indicators of compromise (IoCs). You can view the IoCs from FireEye here and those from Open Source Context here.
Using our domain intelligence sources, we analyzed these IoCs and uncovered more artifacts. Here are the results of our analysis.
Together, the FireEye and Open Source Context lists yielded a total of 18 domain names, listed below:
One of the first things that stood out when we reviewed the IoCs is that none of the domains used a brand or company name. Instead, they were built from generic terms such as “seo,” “web,” “cloud,” “database,” and “virtual.”
Based on their historical WHOIS data, a majority of the IoCs, 14 out of 18 to be exact, were first registered more than five years before the attack. Three domains were created in 2019 and were only a few months old when the attack started in March 2020, while one domain was created in 2018.
Domain age may have contributed to the SolarWinds breach’s success: none of the IoCs were newly registered domains (NRDs), and threat actors know that most security controls flag NRDs. Even the youngest IoCs had aged well past the window in which an NRD check would have caught them.
Although the registrars were not involved in the attack, they can help stop it from spreading by taking the domains down. Seven registrars were involved in the registration of the IoCs since 1 June 2019. They are listed below, along with the number of WHOIS records associated with each of them.
| Registrar | Number of WHOIS records |
|---|---|
| NameSilo, LLC | 89 |
| NameCheap, Inc. | 36 |
| GoDaddy.com, LLC | 11 |
| Epik, Inc. | 10 |
| Draftpick Domains LLC | 4 |
| Stichting Registrar of Last Resort Foundation | 3 |
| Key-Systems GmbH | 3 |
It should also be noted that NameSilo is among the top 10 most-abused registrars, with a badness index of 1.68.
Using Domains & Subdomains Discovery, we found close to 70 additional domains that reuse the exact second-level label of 12 of the IoCs under different top-level domains (TLDs):
| Original domain (IoC) | Additional domains from WhoisXML API |
|---|---|
| avsvmcloud[.]com | avsvmcloud[.]net, avsvmcloud[.]org |
| digitalcollege[.]org | digitalcollege[.]art, digitalcollege[.]asia, digitalcollege[.]ca, digitalcollege[.]co, digitalcollege[.]co[.]il, digitalcollege[.]co[.]in, digitalcollege[.]co[.]uk, digitalcollege[.]com, digitalcollege[.]com[.]au, digitalcollege[.]com[.]br, digitalcollege[.]de, digitalcollege[.]eu, digitalcollege[.]fr, digitalcollege[.]in, digitalcollege[.]info, digitalcollege[.]jp, digitalcollege[.]kz, digitalcollege[.]london, digitalcollege[.]net, digitalcollege[.]nl, digitalcollege[.]org[.]uk, digitalcollege[.]re, digitalcollege[.]ru, digitalcollege[.]top, digitalcollege[.]uk, digitalcollege[.]us, digitalcollege[.]xyz |
| freescanonline[.]com | freescanonline[.]xyz |
| highdatabase[.]com | highdatabase[.]email |
| kubecloud[.]com | kubecloud[.]ch, kubecloud[.]co, kubecloud[.]co[.]uk, kubecloud[.]de, kubecloud[.]dev, kubecloud[.]io, kubecloud[.]net, kubecloud[.]nl, kubecloud[.]org, kubecloud[.]site |
| lcomputers[.]com | lcomputers[.]co[.]za, lcomputers[.]info |
| panhardware[.]com | panhardware[.]com[.]my |
| solartrackingsystem[.]net | solartrackingsystem[.]com |
| virtualdataserver[.]com | virtualdataserver[.]ws |
| webcodez[.]com | webcodez[.]de, webcodez[.]net, webcodez[.]pro |
| websitetheme[.]com | websitetheme[.]biz, websitetheme[.]club, websitetheme[.]com[.]au, websitetheme[.]co[.]uk, websitetheme[.]download, websitetheme[.]in, websitetheme[.]info, websitetheme[.]net, websitetheme[.]org, websitetheme[.]shop, websitetheme[.]site, websitetheme[.]store, websitetheme[.]tk, websitetheme[.]uk, websitetheme[.]us, websitetheme[.]win, websitetheme[.]xyz |
| zupertech[.]com | zupertech[.]xyz |
Expanding the search to fuzzy matches returned 4,673 additional artifacts, which confirms that the words the threat actors chose were indeed very generic.
WHOIS history records also revealed that the IoCs had undergone several nameserver changes, each signalling a relocation to a different hosting provider. On average, the 18 domains changed nameservers 3.758 times over the past two years, and every one of them changed nameservers at least twice in that period. Of the roughly 70 same-word artifacts we found, 11% changed nameservers more than twice.
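The three checks this analysis applies (age at attack time and the NRD test, same-word labels across TLDs, and nameserver-change counting from WHOIS history) are easy to reproduce on your own IoC feed. The script below is an added example, not code from WhoisXML API or from this post; every domain, date and nameserver in it is constructed, the suffix set is a stand-in for the real Public Suffix List, and the 30-day NRD window and the March 2020 reference date are assumptions taken from the text above.

```python
"""Added example (not WhoisXML API's code): age, same-word and nameserver-change
checks over constructed WHOIS-history records. All data below is made up."""
from collections import defaultdict
from dataclasses import dataclass
from datetime import date

# Simplified stand-in for the Public Suffix List; real code should use the
# full list (e.g. via the `tldextract` package) instead of this handful.
MULTI_LABEL_SUFFIXES = {"co.uk", "org.uk", "com.au", "co.za", "co.in", "co.il",
                        "com.br", "com.my"}


@dataclass
class WhoisRecord:
    domain: str        # may be written defanged, e.g. example[.]com
    created: date      # registration date from the oldest WHOIS record
    nameservers: list  # [(snapshot_date, (ns1, ns2, ...)), ...]


def refang(domain: str) -> str:
    """Turn defanged IoC notation such as avsvmcloud[.]com back into a hostname."""
    return domain.strip().lower().replace("[.]", ".").replace("(.)", ".").rstrip(".")


def split_registrable(domain: str):
    """Split a hostname into (registrable label, public suffix)."""
    parts = refang(domain).split(".")
    if len(parts) >= 3 and ".".join(parts[-2:]) in MULTI_LABEL_SUFFIXES:
        return parts[-3], ".".join(parts[-2:])
    return parts[-2], parts[-1]


def domain_age_days(record: WhoisRecord, as_of: date) -> int:
    """Age of the registration on the reference date (here: attack start)."""
    return (as_of - record.created).days


def is_newly_registered(record: WhoisRecord, as_of: date, window_days: int = 30) -> bool:
    """The NRD test most controls apply: registered within the last N days (assumed 30)."""
    return 0 <= domain_age_days(record, as_of) < window_days


def nameserver_changes(record: WhoisRecord, since: date) -> int:
    """Count nameserver-set changes on or after `since`.

    The last snapshot before the window is kept as the baseline, so a change
    that lands on the first in-window snapshot is still counted. Order and
    case of the nameserver names are ignored: a reordered list is not a move.
    """
    changes, previous = 0, None
    for when, servers in sorted(record.nameservers, key=lambda s: s[0]):
        current = frozenset(ns.lower().rstrip(".") for ns in servers)
        if previous is not None and when >= since and current != previous:
            changes += 1
        previous = current
    return changes


def same_word_groups(domains):
    """Group domains that reuse one registrable label under more than one TLD."""
    groups = defaultdict(set)
    for d in domains:
        label, suffix = split_registrable(d)
        groups[label].add(suffix)
    return {label: sorted(tlds) for label, tlds in groups.items() if len(tlds) > 1}


def summarize(records, as_of, since):
    """Per-domain age / NRD / relocation figures, keyed by refanged name."""
    return {refang(r.domain): {"age_days": domain_age_days(r, as_of),
                               "nrd": is_newly_registered(r, as_of),
                               "ns_changes": nameserver_changes(r, since)}
            for r in records}


# Constructed records (not real WHOIS data); mirrors the mix described above:
# old domains, a months-old one, and one true NRD for contrast.
RECORDS = [
    WhoisRecord("examplecloud[.]com", date(2013, 4, 10), [
        (date(2013, 4, 10), ("ns1.reg-a.example", "ns2.reg-a.example")),
        (date(2018, 6, 1), ("ns1.host-b.example", "ns2.host-b.example")),
        (date(2019, 2, 14), ("NS2.host-b.example", "NS1.host-b.example")),  # same set, reordered
        (date(2019, 11, 30), ("ns1.host-c.example", "ns2.host-c.example")),
    ]),
    WhoisRecord("examplecloud[.]net", date(2019, 10, 5), [
        (date(2019, 10, 5), ("ns1.reg-a.example", "ns2.reg-a.example")),
        (date(2020, 1, 20), ("ns1.host-d.example", "ns2.host-d.example")),
        (date(2020, 2, 28), ("ns1.host-e.example",)),
    ]),
    WhoisRecord("examplecloud[.]org", date(2011, 1, 1), [
        (date(2011, 1, 1), ("ns1.reg-a.example", "ns2.reg-a.example")),
        (date(2017, 5, 5), ("ns1.host-b.example", "ns2.host-b.example")),  # before the window
        (date(2018, 4, 1), ("ns1.host-f.example", "ns2.host-f.example")),
    ]),
    WhoisRecord("exampledatabase[.]co[.]uk", date(2020, 2, 20), [
        (date(2020, 2, 20), ("ns1.reg-g.example", "ns2.reg-g.example")),
    ]),
]
ATTACK_START = date(2020, 3, 1)   # assumed reference date ("March 2020")
WINDOW_START = date(2018, 3, 1)   # "the past two years" before it

if __name__ == "__main__":
    for name, f in summarize(RECORDS, ATTACK_START, WINDOW_START).items():
        print(f"{name:26} age={f['age_days']:5d}d nrd={f['nrd']!s:5} ns_changes={f['ns_changes']}")
    print("same word across TLDs:", same_word_groups(r.domain for r in RECORDS))
```

Two details matter in practice: compare nameserver *sets*, case-insensitively, so a registrar reordering or re-capitalising the same hosts is not mistaken for a relocation, and keep the pre-window snapshot as the baseline or you will miss a move that happens right at the start of the window. Replace `MULTI_LABEL_SUFFIXES` with the real Public Suffix List before running this on anything but toy data.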
Based on the analysis, the SolarWinds IoCs had several things in common:
- They were built from generic words (“seo,” “web,” “cloud,” “database,” “virtual”) rather than brand or company names.
- None were newly registered domains; most were more than five years old, and even the youngest were months old when the attack started.
- All of them changed nameservers at least twice in the two years before the attack, a sign of repeated moves between hosting providers.
Security teams can explore the artifacts and check for the same characteristics in their own DNS and proxy telemetry. Sharing a word with an IoC is not by itself evidence of compromise, so these artifacts are best treated as pivots to investigate rather than as blocklist entries. Knowing what to look for can help teams better protect their systems from attacks similar to the SolarWinds hack.
Are you a security researcher, architect, or product developer working on the world’s biggest security issues? Contact us for more information on the potentially suspicious domains and other assets mentioned in this post, security research initiatives, and any other ideas for collaboration.