This week has an increased scope, but we would be remiss if we didn’t draw some ideas from the notorious SolarWinds attack. There were two key things that made the SolarWinds attack special. The first was just the massive scope of the attack, which would have gone on much longer if FireEye itself wasn’t targeted by the attack. The second was that the attack used a supply chain as its initial access. An attack that target’s a supply chain is extremely efficient since the attacker’s return on investment is multiplied by the number of consumers of the product. Emulating this type of attack is quite difficult; it often requires access to the manufacturing facility, whether that be software (like in the SolarWinds attack) or hardware.
Deciding what supply chain to target and how to accomplish the goal took some extra time. In the end, we decided to go with targeting Python libraries. Python is widely used and we have already have a Python agent available called “Schism”. To replicate the supply chain attack, we can insert code directly into a Python library that is loaded on the machine. This allows the added code to be executed every time someone uses the targeted library.
Inserting code into a library is about as close as you can get to the supply chain without actually targeting it. To keep what we are doing a secret, we ensure that the targeted library continues to function as expected while spawning our agent in the background. We then orphan the agent process so it will continue running after the user is finished. Some small changes were made to Schism to help spawn it directly into memory and not write anything to disk. The final step in the chain is to clean up the changes we made to the library. The chain will wait for the fact “clean.now” to be inserted into Operator. This will reverse the changes made to the source code so that you don’t need to do it yourself.
Watch a demonstration: APT29 PolarCalm
Thanks for reading our latest TTP Tuesday release! Please subscribe and reach out with any feedback. We love to hear from our community!
There are several ways to follow us and learn more about Prelude and our team members:
Download Prelude Operator: https://www.prelude.org/download/current
See the latest kill chain and TTP Releases: https://chains.prelude.org/
See our open-source repositories: https://github.com/preludeorg
Listen to our Podcast: https://anchor.fm/preludeorg
Read our blog: https://feed.prelude.org
Watch our live streams: https://www.twitch.tv/preludeorg
Watch our pre-recorded content: https://www.youtube.com/c/preludeorg