SolarWinds IoCs to Connected Cyber Assets: What We Found
Domain insights on a major hack
– Jonathan Zhang, CEO at Whois XML API
Walnut, Calif. – Jan. 17, 2021
The SolarWinds Orion breach was probably the hottest cybersecurity topic of the past few weeks. On Dec. 13, 2020, FireEye released indicators of compromise (IoCs) for the threat on GitHub. Other cybersecurity companies like Open Source Context released and maintained additional lists.
The two threat intelligence sources list a total of 29 IoCs, comprising 19 domains and 10 IP addresses. We used our own sources to expand their findings further by seeking to find out:
- If the domains used in the attacks were new
- How generic the domain names used were
- If similar-looking domains existed
- If the artifacts we found could be linked to domaining activity
- How many times the domains in our additional data set changed nameservers
Domain List Expansion
Looking for highly similar artifacts, we expanded the original list of domains from 18 to 88. Most of the additions used different localized top-level domains (TLDs), as shown in the table below.
Note that databasegalore[.]com, deftsecurity[.]com, globalnetworkissues[.]com, incomeupdate[.]com, seobundlekit[.]com, and thedoccloud[.]com, all part of the original list, were excluded from our search, as we did not see 100 percent matching second-level domain (SLD) variations of these.
WHOIS History Search Results
Subjecting the expanded list of 88 domains to WHOIS history searches yielded a total of 1,099 historical records.
Interestingly, none of the original 18 domains were newly registered. Their creation years ranged from 2002 to 2019. The table below shows their respective creation dates from oldest to newest.
The threat actors may have avoided using newly registered domains (NRDs) for the attack since most companies already protect against these. After all, NRDs are often considered suspicious or unsafe to access.
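The two checks described above (expanding a seed list by second-level domain across other TLDs, and asking whether a hit is a newly registered domain) are easy to script against a resolver log. The following is an added example, not code from the original post or from WhoisXML API. It seeds from the six indicators named in the post; the DNS log lines, the WHOIS creation dates, the log format, the 30-day NRD cut-off and the short public-suffix table are all constructed for illustration and are not real records.

```python
import re
from datetime import date

# Seed indicators exactly as the post lists them (defanged with "[.]").
SEED_IOCS = [
    "databasegalore[.]com", "deftsecurity[.]com", "globalnetworkissues[.]com",
    "incomeupdate[.]com", "seobundlekit[.]com", "thedoccloud[.]com",
]

# Minimal multi-label public suffixes for the demo (assumption: a production tool
# would consult the full Public Suffix List instead of this table).
MULTI_LABEL_SUFFIXES = {"co.uk", "com.au", "co.jp", "com.br"}

# Registrations younger than this are treated as newly registered (NRD).
# The cut-off is a common vendor convention, not a figure from the post.
NRD_THRESHOLD_DAYS = 30

# Date of analysis (constructed so the example is reproducible offline).
ANALYSIS_DATE = date(2021, 1, 17)

# Constructed resolver log lines in a hypothetical key=value format; the hosts
# and clients are placeholders, not observed traffic.
SAMPLE_DNS_LOG = """\
2021-01-17T09:58:11Z client=10.20.30.41 query=A name=updates.intranet.example.
2021-01-17T09:58:12Z client=10.20.30.41 query=A name=api.thedoccloud.org.
2021-01-17T09:58:13Z client=10.20.30.42 query=A name=seobundlekit.com.
2021-01-17T09:58:14Z client=10.20.30.43 query=A name=incomeupdate.co.uk.
2021-01-17T09:58:15Z client=10.20.30.44 query=AAAA name=thedoccloud.com.
2021-01-17T09:58:16Z client=10.20.30.45 query=A name=cdn.example.net.
"""

# Constructed WHOIS creation dates keyed by registered domain. The post gives
# no per-domain dates, so these are placeholders rather than real records.
SAMPLE_WHOIS_CREATED = {
    "thedoccloud.org": date(2021, 1, 9),
    "seobundlekit.com": date(2014, 3, 2),
    "incomeupdate.co.uk": date(2020, 12, 30),
}

LOG_NAME_RE = re.compile(r"name=([A-Za-z0-9.\-\[\]]+)")


def refang(domain):
    """Turn a defanged indicator such as 'thedoccloud[.]com' into a plain host name."""
    d = domain.strip().lower().replace("[.]", ".").replace("(.)", ".").replace("{.}", ".")
    return d.rstrip(".")


def split_registered(domain):
    """Return (sld, suffix) for a host name, dropping any subdomain labels.

    'api.thedoccloud.org' -> ('thedoccloud', 'org')
    'x.incomeupdate.co.uk' -> ('incomeupdate', 'co.uk')
    Returns None for a bare label with no suffix."""
    labels = refang(domain).split(".")
    if len(labels) >= 3 and ".".join(labels[-2:]) in MULTI_LABEL_SUFFIXES:
        return labels[-3], ".".join(labels[-2:])
    if len(labels) >= 2:
        return labels[-2], labels[-1]
    return None


def seed_index(iocs):
    """Map each seed SLD to the registered domains the seed list uses it with."""
    index = {}
    for ioc in iocs:
        sld, suffix = split_registered(ioc)
        index.setdefault(sld, set()).add(f"{sld}.{suffix}")
    return index


def is_newly_registered(created, today, threshold_days=NRD_THRESHOLD_DAYS):
    """True when the registration is younger than the NRD cut-off."""
    return (today - created).days < threshold_days


def triage_dns_log(log_text, iocs, whois_created, today):
    """Flag queried names whose SLD matches a seed indicator.

    Each hit records whether it is an exact seed domain or an SLD variant under
    another suffix, and whether WHOIS shows it as newly registered
    (None when no creation date is available)."""
    index = seed_index(iocs)
    hits = []
    for line in log_text.splitlines():
        m = LOG_NAME_RE.search(line)
        if not m:
            continue
        parts = split_registered(m.group(1))
        if parts is None or parts[0] not in index:
            continue
        sld, suffix = parts
        registered = f"{sld}.{suffix}"
        created = whois_created.get(registered)
        hits.append({
            "domain": registered,
            "sld": sld,
            "match": "exact" if registered in index[sld] else "sld-variant",
            "newly_registered": None if created is None else is_newly_registered(created, today),
        })
    return hits


if __name__ == "__main__":
    for hit in triage_dns_log(SAMPLE_DNS_LOG, SEED_IOCS, SAMPLE_WHOIS_CREATED, ANALYSIS_DATE):
        print(hit)
```

Two of the four hits in the sample are aged registrations, which is the point the post makes: a control that only blocks NRDs would pass `seobundlekit.com` and the record-less `thedoccloud.com`, so SLD matching against the seed list has to run independently of the age check.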
Note that the domains used were also generic, meaning they could hardly be connected to an easily identifiable organization, making it more difficult for security investigators to ascertain their nature. The use of terms like “cloud,” “seo,” “database,” and other generic descriptions could fool targets into thinking they are dealing with common third parties.
Considering the domains’ ownership over the years, the 18 data points in the original list have changed hands several times. The table below shows the registrars involved in their respective life cycles based on historical WHOIS records dating as far back as June 1, 2019.
Note that these registrars are not necessarily involved in the supply chain hack. They may, however, be tapped for help with domain takedowns to stem the further spread of the threat.
The historical WHOIS searches also provided a list of registrant email addresses, which we kept private for confidentiality reasons. These email addresses may not necessarily belong to the threat actors behind the SolarWinds hack; some could be owned by domainers. We did, however, use them to obtain an additional list of artifacts that may or may not be related to the threat via reverse WHOIS searches. We came up with a total of 11,188 more domains.
The SolarWinds hack is an ongoing issue with many cybersecurity implications. We have explored many of them in our This Week in Typosquatting podcast with guest speaker John Bambenek. The recording is available here.
We also welcome any possible collaboration within or outside the scope of the SolarWinds breach with cybersecurity companies, government agencies, independent security researchers, and other interested parties. You can reach out to us here for more information.
– Jonathan Zhang is the founder and CEO of Threat Intelligence Platform (TIP)—a data, tool, and API provider that specializes in automated threat detection, security analysis, and threat intelligence solutions for Fortune 1000 and cybersecurity companies. TIP is part of the WhoisXML API Inc. family, a trusted intelligence vendor by over 50,000 clients.
Sponsored by Whois XML API
Precise and exhaustive data is vital for cybersecurity professionals to analyze and prevent cybercrime. Whois XML API offers a comprehensive collection of domain, WHOIS, DNS, and threat intelligence data feeds that are essential to their work. It is an exhaustive cybersecurity package that offers maximum coverage of both real-time and historic data, complete with instruments for threat hunting, threat defense, cyber forensic analysis, fraud detection, brand protection, and data intelligence enrichment across a variety of SIEM, orchestration, automation, and threat intelligence platforms.