The SolarWinds hack affected several government agencies and tech companies in the U.S. and worldwide. The sophisticated malware attack is believed to have compromised the trusted IT management software as early as March 2020 but only came to light in December.

Owing to the scale of the breach, several cybersecurity organizations, principally FireEye and other companies such as Open Source Context, released lists of indicators of compromise (IoCs). You can view the IoCs from FireEye here and those from Open Source Context here.

Using our domain intelligence sources, we analyzed these IoCs and uncovered more artifacts. Here are the results of our analysis.

SolarWinds IoC Cyber Threat Intel Analysis

FireEye and Open Source Context yielded a total of 18 domain names listed below:

• avsvmcloud[.]com
• databasegalore[.]com
• deftsecurity[.]com
• digitalcollege[.]org
• freescanonline[.]com
• globalnetworkissues[.]com
• highdatabase[.]com
• incomeupdate[.]com
• kubecloud[.]com
• lcomputers[.]com
• panhardware[.]com
• seobundlekit[.]com
• solartrackingsystem[.]net
• thedoccloud[.]com
• virtualdataserver[.]com
• webcodez[.]com
• websitetheme[.]com
• zupertech[.]com

One of the first things that stood out when we reviewed the list of IoCs is that no brand or company name was used. Instead, they used generic terms such as “seo,” “web,” “cloud,” “database,” and “virtual.”

Domain Age

A majority of the IoCs, 14 out of 18 to be exact, were first registered more than five years ago, based on their historical WHOIS data. Three domains were created in 2019 and were a few months old when the attack started in March 2020, while one domain was created in 2018.

The domain age could be a factor behind the SolarWinds breach’s success, as none of the IoCs were newly registered domains (NRDs). Threat actors know that most cybersecurity systems would usually flag NRDs.

Registrars

While they were not involved in the attack, the domains’ registrars can help prevent the attack from spreading by taking them down. Seven registrars were involved in the registration of the IoCs since 1 June 2019. They are listed below, along with the number of WHOIS records associated with each of them.

It should also be noted that NameSilo is among the top 10 most-abused registrars, with a badness index of 1.68.

Additional Artifacts

We found close to 70 additional domains that match the exact words of 12 of the IoCs through Domains & Subdomains Discovery using different top-level domains (TLDs):

Expanding the search to include fuzzy matches, 4,673 additional artifacts were found, indicating that the domains used by the threat actors were indeed very generic.

Nameserver Changes

WHOIS history records also revealed that the IoCs had undergone several nameserver changes, signifying numerous website relocation events to different hosting providers. On average, the 18 domains changed nameservers 3.758 times over the past two years, and all of them changed nameservers at least two times during the same time period. Of the 70 artifacts we found, 11% have changed nameservers more than twice.

Based on the analysis, the SolarWinds IoCs had several things in common:

• They are not NRDs.
• The domains use generic terms and do not typosquat on brand or company names.
• They have undergone several nameserver changes.
• Their WHOIS records are all associated with seven registrars, half of which belong to NameSilo.

Security teams can better explore the artifacts and check for similar characteristics. Knowing what to look for can help them better protect their systems from attacks similar to the SolarWinds hack.

Are you a security researcher, architect, or product developer working on the world’s biggest security issues? Contact us for more information on the potentially suspicious domains and other assets mentioned in this post, security research initiatives, and any other ideas for collaboration.