Real example of detecting APTs by NetFlow

The SolarWinds Supply Chain Attack (APT29)

The SolarWinds Orion supply chain attack, which took place in late 2020, was a massive and sophisticated APT attack attributed to APT29 (also known as Cozy Bear), a Russian state-sponsored hacking group. This attack targeted government agencies, corporations, and critical infrastructure by compromising a legitimate software update to SolarWinds' Orion network monitoring platform. The attackers used this backdoor to gain persistent access to the networks of high-profile organizations for espionage and data exfiltration.

Although NetFlow data alone may not have been the sole detection method, it was a critical part of identifying unusual traffic patterns during the attack’s later stages.


Step-by-Step Breakdown of How NetFlow Was Used in Detecting APT29 (Cozy Bear)

Step 1: The Initial Compromise via SolarWinds Orion Software

  • SolarWinds Orion is a network monitoring software used by thousands of government agencies and private organizations.
  • APT29 injected malicious code into a SolarWinds Orion update, which was then distributed to customers. When the software was updated, it provided the attackers with backdoor access to internal networks, without triggering traditional signature-based defenses.
  • This backdoor, known as SUNBURST, allowed attackers to establish Command-and-Control (C2) channels and communicate with compromised systems within organizations.

Step 2: Detecting Abnormal Network Traffic Using NetFlow

After the initial compromise, APT29’s backdoor allowed them to maintain persistent access and move laterally across the network. They used encrypted communication to avoid detection by traditional security tools. This is where NetFlow data played an important role.

  1. Unusual Outbound Traffic:
  2. Data Exfiltration Attempts:
  3. Lateral Movement:
  4. Persistent Traffic Over Time:
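The four patterns above can be hunted for directly in flow records. The following is an added example, not code from the original article: it runs over constructed NetFlow-style records (documentation-range IPs, hypothetical thresholds) and flags regular long-lived check-ins to an external host, large outbound byte counts, and one internal host fanning out to many internal peers.

```python
from collections import defaultdict
from ipaddress import ip_address, ip_network
from statistics import mean, pstdev

# Constructed NetFlow-style records (not real SolarWinds telemetry):
# (flow start in seconds, src_ip, dst_ip, dst_port, bytes_sent)
FLOWS = (
    # 10.0.0.5 checks in with 203.0.113.10 roughly once an hour, small payloads
    [(3600 * i + (i % 3) * 20, "10.0.0.5", "203.0.113.10", 443, 1200) for i in range(8)]
    # ...then pushes a large upload over the same channel
    + [(28840, "10.0.0.5", "203.0.113.10", 443, 120_000_000)]
    # ...and fans out to six internal hosts over SMB
    + [(30500 + i, "10.0.0.5", f"10.0.0.{20 + i}", 445, 4000) for i in range(6)]
    # an ordinary workstation browsing at irregular intervals
    + [(t, "10.0.0.7", "198.51.100.20", 443, 50_000) for t in (100, 700, 4100, 4150, 9900)]
)

RFC1918 = [ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def is_internal(ip):
    """Internal means RFC1918; ipaddress.is_private also matches TEST-NET, so avoid it."""
    return any(ip_address(ip) in net for net in RFC1918)

def detect_anomalies(flows, beacon_min=6, jitter_max=0.2, persist_min=6 * 3600,
                     exfil_bytes=100_000_000, fanout_min=5):
    """Return (indicator, src, detail) tuples; thresholds are hypothetical tuning knobs."""
    starts, out_bytes, peers = defaultdict(list), defaultdict(int), defaultdict(set)
    for t, src, dst, _port, nbytes in flows:
        if is_internal(src) and not is_internal(dst):
            starts[(src, dst)].append(t)        # unusual outbound / persistence
            out_bytes[(src, dst)] += nbytes     # exfiltration volume
        elif is_internal(src) and is_internal(dst):
            peers[src].add(dst)                 # lateral movement fan-out
    findings = []
    for (src, dst), times in starts.items():
        times.sort()
        gaps = [b - a for a, b in zip(times, times[1:])]
        # evenly spaced check-ins sustained over many hours look like C2 beaconing
        if (len(times) >= beacon_min and times[-1] - times[0] >= persist_min
                and mean(gaps) > 0 and pstdev(gaps) / mean(gaps) <= jitter_max):
            findings.append(("beacon", src, dst))
        if out_bytes[(src, dst)] >= exfil_bytes:
            findings.append(("exfil", src, dst))
    for src, dsts in peers.items():
        if len(dsts) >= fanout_min:
            findings.append(("lateral", src, len(dsts)))
    return findings

if __name__ == "__main__":
    for finding in detect_anomalies(FLOWS):
        print(*finding)
```

In practice the thresholds would be baselined per host role, and a hit is a lead to correlate with IDS, firewall and endpoint logs (Step 3), not a verdict on its own.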

Step 3: Correlation with Other Data Sources

  • After detecting anomalies in NetFlow, the Security Operations Center (SOC) team began correlating the NetFlow data with other logs from their IDS/IPS systems, firewalls, and endpoint detection tools.
  • This multi-source correlation confirmed that the traffic was not only unusual but also linked to a known APT group (APT29), as external threat intelligence feeds identified the external IPs used by the attackers as being associated with Cozy Bear.

Step 4: Blocking C2 Communication

  • Once NetFlow data helped identify the malicious C2 server, the security team quickly blocked communication between the internal systems and the attacker's infrastructure.
  • They also implemented stricter network segmentation and access control to prevent the attacker from spreading further within the network.

Step 5: Investigating the Attack and Mitigating Damage

  • The SOC team used the NetFlow data, along with other forensic evidence from endpoint detection systems and intrusion detection systems, to conduct a post-mortem analysis of the breach.
  • The investigation revealed that the attacker had used the SUNBURST backdoor to:
      • Gain unauthorized access to sensitive files and data.
      • Conduct lateral movement across the organization’s internal network.
      • Exfiltrate data to external servers controlled by the attackers.
  • The organization then patched the SolarWinds vulnerability, removed all traces of the attacker from the network, and enhanced its monitoring systems.


Key Takeaways:

  • NetFlow data was crucial in detecting the APT29 attack, particularly because it flagged abnormal patterns of outbound encrypted traffic and persistent communication to external servers that were unusual for the organization.
  • The encrypted C2 traffic and lateral movement observed in NetFlow were clear indicators that the attackers were using stealthy methods to establish persistence in the network.
  • NetFlow was a key part of a broader strategy that combined multiple security technologies, such as SIEM systems, IDS/IPS, and endpoint security tools, to detect and mitigate the SolarWinds attack.
  • Slow exfiltration via C2 traffic detected in NetFlow data allowed security teams to correlate and identify the attack long before large-scale data loss occurred.


Conclusion:

The SolarWinds APT29 attack is a clear example of how NetFlow can be an effective tool in detecting an Advanced Persistent Threat (APT). While the attackers used sophisticated encrypted communication to avoid traditional detection mechanisms, NetFlow analysis identified the persistent, anomalous traffic patterns associated with C2 communication and data exfiltration. This early detection via NetFlow was crucial in minimizing the damage and responding to the attack before it spread further across the network.

More articles by Roozbeh Noroozi
