Second hacking group suspected in massive SolarWinds attack


There may be another group of hackers at work in the wake of the devastating SolarWinds attack.

A Microsoft blog hints at a second hacking attempt not related to the initial hack of the SolarWinds software. 

In that first attack, Russian actors inserted malicious code into signed software updates for SolarWinds Orion, a popular network monitoring tool, in what is described as a “supply chain” hack: customers who installed the legitimate update also installed the backdoor. As a result, multiple government agencies were breached. A number of Big Tech companies have also installed SolarWinds software, including Cisco, Intel and VMware, according to The Wall Street Journal.

“In an interesting turn of events, the investigation of the whole SolarWinds compromise led to the discovery of an additional malware,” Microsoft said in the post.

In all, the attack could have impacted as many as 18,000 of SolarWinds’ customers, the company said. 

Although the second attack also targets SolarWinds’ Orion product, Microsoft determined it is “likely unrelated to this compromise and used by a different threat actor,” which it did not identify.

In the blog post, Microsoft described the additional malware as “a small persistence backdoor in the form of a DLL file,” referring to a Dynamic Link Library. A DLL is a shared code library that Windows programs load at runtime; a malicious DLL dropped into an application’s directory runs with that application’s privileges each time it is loaded, which is what makes it a persistence mechanism.

Unlike the original attack, “this malicious DLL does not have a digital signature, which suggests that this may be unrelated” to the first attack, Microsoft explained. The distinction matters: the first attack’s malicious code was carried inside updates bearing SolarWinds’ own legitimate code-signing signature, because it was built into the official product, whereas the second DLL is unsigned, pointing to a different route onto the server and a different author.
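Since the reported indicator is an unsigned DLL sitting among Orion’s files, one practical first check is to enumerate the DLLs under the Orion install and web directories and flag any whose Authenticode signature is missing or no longer matches the file. The script below is an added example, not code from the article, Microsoft or SolarWinds; the two default paths are assumptions about a typical install and should be replaced with the real locations on the server being examined.

```powershell
# Added example (not from the article or from Microsoft/SolarWinds).
# Lists DLLs under the Orion install and web directories and reports any
# that lack a valid Authenticode signature, which is the indicator the
# Microsoft post describes for the second backdoor.
param(
    # Assumed default locations for the Orion application and its web site;
    # override with the actual paths on the host under investigation.
    [string[]]$Paths = @(
        'C:\Program Files (x86)\SolarWinds\Orion',
        'C:\inetpub\SolarWinds'
    ),
    # Where to write the full inventory for later comparison against a clean install.
    [string]$ReportPath = (Join-Path $env:TEMP 'orion-dll-signatures.csv')
)

$results = foreach ($root in $Paths) {
    if (-not (Test-Path -LiteralPath $root)) {
        Write-Warning "Path not found, skipping: $root"
        continue
    }

    Get-ChildItem -LiteralPath $root -Filter '*.dll' -Recurse -File -ErrorAction SilentlyContinue |
        ForEach-Object {
            $sig = Get-AuthenticodeSignature -FilePath $_.FullName
            [pscustomobject]@{
                Status   = $sig.Status          # Valid, NotSigned, HashMismatch, UnknownError, ...
                Signer   = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '' }
                Modified = $_.LastWriteTimeUtc
                SHA256   = (Get-FileHash -LiteralPath $_.FullName -Algorithm SHA256).Hash
                Path     = $_.FullName
            }
        }
}

# NotSigned is the condition described in the post; HashMismatch means a signed
# file was altered after signing, which is just as interesting to a responder.
$suspect = $results | Where-Object { $_.Status -ne 'Valid' }

$suspect |
    Sort-Object Modified -Descending |
    Format-Table Status, Modified, Signer, Path -AutoSize

# Keep the complete inventory (including valid files) so hashes can be diffed
# against a known-good installation of the same Orion version.
$results | Export-Csv -LiteralPath $ReportPath -NoTypeInformation
Write-Host "Checked $($results.Count) DLLs; $($suspect.Count) without a valid signature. Inventory: $ReportPath"
```

Two caveats when reading the output. Not every unsigned DLL in a vendor’s tree is malicious, since third-party components are sometimes shipped unsigned, so the unsigned list is a starting point for hash comparison against a clean install and for vendor or SolarWinds confirmation, not a verdict. Conversely, a valid signature does not clear a file: the first attack is the proof, because its backdoor was signed with the vendor’s real certificate.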

Redmond, Wash.-based Microsoft has not identified the malware by name, but analysis by security researchers at Palo Alto Networks refers to it as “Supernova.”

There has been some confusion because security researchers initially thought Supernova might be tied to the first attack, according to ZDNet. However, the news outlet reported that is not the case, citing a follow-up analysis from Microsoft’s security teams. The upshot is that organizations that find Supernova on their SolarWinds servers need to handle it as a separate incident, with its own scoping and cleanup, rather than assuming it will be covered by their response to the first attack.

Experts believe there is more to be uncovered about the attacks and how widespread they were. 

“There is still much we don’t know, including exactly how the supply chain hack was accomplished, what other vectors were used besides SolarWinds, how many victims were impacted, what the adversary’s objectives were and what information they were able to obtain, what they will do with that information, and more,” Suzanne Spaulding, advisor to Nozomi Networks and former DHS undersecretary of cyber and infrastructure, said in a statement sent to Fox News. “Removing this threat will be a battle. This is not an adversary that runs away once detected. They will fight to maintain a persistent presence, even returning once booted out.” 

Fox News has contacted SolarWinds for comment.