DNS Abuse Forum - May 25

Home / Industry

Cyber Threat Intel Analysis and Expansion of SolarWinds Identified IoCs

The SolarWinds hack affected several government agencies and tech companies in the U.S. and worldwide. The sophisticated malware attack is believed to have compromised the trusted IT management software as early as March 2020 but only came to light in December.

Owing to the scale of the breach, several cybersecurity organizations, principally FireEye and other companies such as Open Source Context, released lists of indicators of compromise (IoCs). You can view the IoCs from FireEye here and those from Open Source Context here.

Using our domain intelligence sources, we analyzed these IoCs and uncovered more artifacts. Here are the results of our analysis.

SolarWinds IoC Cyber Threat Intel Analysis

FireEye and Open Source Context yielded a total of 18 domain names listed below:

  • avsvmcloud[.]com
  • databasegalore[.]com
  • deftsecurity[.]com
  • digitalcollege[.]org
  • freescanonline[.]com
  • globalnetworkissues[.]com
  • highdatabase[.]com
  • incomeupdate[.]com
  • kubecloud[.]com
  • lcomputers[.]com
  • panhardware[.]com
  • seobundlekit[.]com
  • solartrackingsystem[.]net
  • thedoccloud[.]com
  • virtualdataserver[.]com
  • webcodez[.]com
  • websitetheme[.]com
  • zupertech[.]com

One of the first things that stood out when we reviewed the list of IoCs is that no brand or company name was used. Instead, they used generic terms such as "seo," "web," "cloud," "database," and "virtual."

Domain Age

A majority of the IoCs, 14 out of 18 to be exact, were first registered more than five years ago, based on their historical WHOIS data. Three domains were created in 2019 and were a few months old when the attack started in March 2020, while one domain was created in 2018.

The domain age could be a factor behind the SolarWinds breach's success, as none of the IoCs were newly registered domains (NRDs). Threat actors know that most cybersecurity systems would usually flag NRDs.

Registrars

While they were not involved in the attack, the domains' registrars can help prevent the attack from spreading by taking them down. Seven registrars were involved in the registration of the IoCs since 1 June 2019. They are listed below, along with the number of WHOIS records associated with each of them.

RegistrarNumber of WHOIS Records
NameSilo, LLC89
NameCheap, Inc.36
GoDaddy.com, LLC11
Epik, Inc.10
Draftpick Domains LLC4
Stichting Registrar of Last Resort Foundation3
Key-Systems GmbH3

It should also be noted that NameSilo is among the top 10 most-abused registrars, with a badness index of 1.68.

Additional Artifacts

We found close to 70 additional domains that match the exact words of 12 of the IoCs through Domains & Subdomains Discovery using different top-level domains (TLDs):

Original Domain ListAdditional Domains from WhoisXML API
avsvmcloud[.]comavsvmcloud[.]net
avsvmcloud[.]org
digitalcollege[.]orgdigitalcollege[.]art
digitalcollege[.]asia
digitalcollege[.]ca
digitalcollege[.]co
digitalcollege[.]co[.]il
digitalcollege[.]co[.]in
digitalcollege[.]co[.]uk
digitalcollege[.]com
digitalcollege[.]com[.]au
digitalcollege[.]com[.]br
digitalcollege[.]de
digitalcollege[.]eu
digitalcollege[.]fr
digitalcollege[.]in
digitalcollege[.]info
digitalcollege[.]jp
digitalcollege[.]kz
digitalcollege[.]london
digitalcollege[.]net
digitalcollege[.]nl
digitalcollege[.]org[.]uk
digitalcollege[.]re
digitalcollege[.]ru
digitalcollege[.]top
digitalcollege[.]uk
digitalcollege[.]us
digitalcollege[.]xyz
freescanonline[.]comfreescanonline[.]xyz
highdatabase[.]comhighdatabase[.]email
kubecloud[.]comkubecloud[.]ch
kubecloud[.]co
kubecloud[.]co[.]uk
kubecloud[.]de
kubecloud[.]dev
kubecloud[.]io
kubecloud[.]net
kubecloud[.]nl
kubecloud[.]org
kubecloud[.]site
lcomputers[.]comlcomputers[.]co[.]za
lcomputers[.]info
panhardware[.]companhardware[.]com[.]my
solartrackingsystem[.]netsolartrackingsystem[.]com
virtualdataserver[.]comvirtualdataserver[.]ws
webcodez[.]comwebcodez[.]de
webcodez[.]net
webcodez[.]pro
websitetheme[.]comwebsitetheme[.]biz
websitetheme[.]club
websitetheme[.]com[.]au
websitetheme[.]co[.]uk
websitetheme[.]download
websitetheme[.]in
websitetheme[.]info
websitetheme[.]net
websitetheme[.]org
websitetheme[.]shop
websitetheme[.]site
websitetheme[.]store
websitetheme[.]tk
websitetheme[.]uk
websitetheme[.]us
websitetheme[.]win
websitetheme[.]xyz
zupertech[.]comzupertech[.]xyz

Expanding the search to include fuzzy matches, 4,673 additional artifacts were found, indicating that the domains used by the threat actors were indeed very generic.

Nameserver Changes

WHOIS history records also revealed that the IoCs had undergone several nameserver changes, signifying numerous website relocation events to different hosting providers. On average, the 18 domains changed nameservers 3.758 times over the past two years, and all of them changed nameservers at least two times during the same time period. Of the 70 artifacts we found, 11% have changed nameservers more than twice.


Based on the analysis, the SolarWinds IoCs had several things in common:

  • They are not NRDs.
  • The domains use generic terms and do not typosquat on brand or company names.
  • They have undergone several nameserver changes.
  • Their WHOIS records are all associated with seven registrars, half of which belong to NameSilo.

Security teams can better explore the artifacts and check for similar characteristics. Knowing what to look for can help them better protect their systems from attacks similar to the SolarWinds hack.

Are you a security researcher, architect, or product developer working on the world's biggest security issues? Contact us for more information on the potentially suspicious domains and other assets mentioned in this post, security research initiatives, and any other ideas for collaboration.

By WhoisXML API, A Domain Research, Whois, DNS, and Threat Intelligence API and Data Provider – Whois API, Inc. (whoisxmlapi) is a big data and API company that provides domain research & monitoring, Whois, DNS, IP, and threat intelligence API, data and tools to a variety of industries.  Visit Page

CircleID Newsletter The Weekly Wrap

More and more professionals are choosing to publish critical posts on CircleID from all corners of the Internet industry. If you find it hard to keep up daily, consider subscribing to our weekly digest. We will provide you a convenient summary report once a week sent directly to your inbox. It's a quick and easy read.

I make a point of reading CircleID. There is no getting around the utility of knowing what thoughtful people are thinking and saying about our industry.

VINTON CERF
Co-designer of the TCP/IP Protocols & the Architecture of the Internet

Related

Topics

Domain Names

Sponsored byVerisign

Brand Protection

Sponsored byAppdetex

Threat Intelligence

Sponsored byWhoisXML API

Domain Management

Sponsored byMarkMonitor

IPv4 Markets

Sponsored byIPXO

Cybersecurity

Sponsored byVerisign

DNS Abuse Forum - May 25