Back in December 2020, days after the massive SolarWinds supply chain attack came to light, Microsoft warned about a second threat actor targeting SolarWinds Orion servers installed on customer premises, independently from the supply chain compromise.
This second group's attacks did not rely on compromising the SolarWinds app update infrastructure but instead exploited an authentication bypass vulnerability (CVE-2020-10148) in the SolarWinds Orion API to install web shells on companies' Orion servers.
The web shell, codenamed SUPERNOVA, acted as a backdoor on Orion IT monitoring platforms, allowing threat actors to access and steal data from companies’ internal networks.
Reports published at the time by the Cybersecurity and Infrastructure Security Agency, Palo Alto Networks, and GuidePoint Security did not formally link this malware to the threat group behind the SolarWinds supply chain attack, which the US government formally linked to Russia, and described any exploitation as taking place in parallel with the broader and much more intrusive supply chain attack.
Secureworks solves SUPERNOVA mystery
But in a report published today, cybersecurity firm Secureworks said it found links between the SUPERNOVA malware and attacks carried out last year in August against Zoho ManageEngine servers, using a zero-day published on Twitter.
Secureworks said it’s tracking this threat actor under the codename of Spiral and that “characteristics of the activity suggest the group is based in China.”
“Similarities between SUPERNOVA-related activity in November [against Orion servers] and activity that CTU researchers analyzed in August [against Zoho servers] suggest that the SPIRAL threat group was responsible for both intrusions,” Secureworks said today. “Characteristics of these intrusions indicate a possible connection to China.”
But what Secureworks did not specifically point out was whether the Spiral group has any affiliation with Chinese government-backed cyber operations or whether the group is just a regular run-of-the-mill cybercrime outfit looking to sell access, plunder, or ransom corporate environments.
A Secureworks spokesperson did not respond to a request for comment.