Cybercriminals who hacked Texas-based software maker SolarWinds conducted a mock attack last year to test their capabilities. They began distributing third-party files from SolarWinds networks back in October 2019 – five months before victims downloaded malicious updates for the Orion platform. These files were sent on October 10 and did not contain any backdoors.
A source close to the investigation told Yahoo News that the cybercriminals wanted to test whether their chosen method of attack would work and be able to “crank” it unnoticed.
“They were in no hurry. They decided not to use the backdoor right away. This means that they have become a little more disciplined and aware, ”the source said.
In October, files were found on several victims’ systems, but investigators saw no further malicious activity. However, five months later, hackers downloaded additional malicious files to SolarWinds update servers, which then entered the systems of government agencies and other organizations. These files installed a backdoor that allows attackers to gain access to attacked systems. Once inside the infected network, hackers could use SolarWinds software to learn about the structure of the network or change the configuration of network systems. In addition, they could hack into other systems on the network and download new malicious files.
The first information security company FireEye reported on the hacking of its systems on December 8 this year. However, the new 2019 file information expands on the previously presented intrusion schedule and indicates that hackers hacked into SolarWinds’ software update system at least five months earlier than anticipated.
“This indicates that attackers had access to the SolarWinds environment not only this year, but much earlier. We know they had access at least October 10, 2019. But they certainly had to get access earlier. Thus, the attack (on SolarWinds – ed.) Should have happened at least a couple of months before that – possibly in mid-2019, ”- the source.
The 2019 files were signed with a legitimate SolarWinds digital certificate and looked like the original Orion Platform code. Like the files with the backdoor released in 2020, the files without the backdoor in 2019 were compiled on the day they were sent to victims, and infect clients within hours, and in some cases even minutes after compilation.