Microsoft Announced the Open Source Availability of CodeQL Queries

On Thursday, Microsoft revealed the open source availability of CodeQL queries that it used during its SolarWinds attack investigation.

The attackers, believed to be funded by Russia, hacked into the systems of IT management solutions company SolarWinds in 2019 and, using the Sundrop malware, inserted the Sunburst backdoor into the SolarWinds Orion monitoring product.

As a result, thousands of organisations worldwide were ultimately infected with Sunburst, but the attackers delivered additional malware to only a few hundred victims of interest. To compromise systems at these organisations, the attackers used hands-on-keyboard techniques.

To provide information on the tactics used, the perpetrators, and the nature of the incident, Microsoft, which tracks the attacks as Solorigate, released multiple reports, and this week it decided to make several of the methods used in its investigation available to other companies as well.

The company has published the source code for the CodeQL queries that it uses to analyse its code at scale and identify any code-level indicators of compromise (IoCs) associated with Solorigate.

“The CodeQL queries that we used in this investigation are open source, so that other organisations can conduct a similar analysis. Note that the queries […] simply serve to home in on source code that shares similarities with the source in the Solorigate implant, either in the syntactic elements (names, literals, etc.) or in the functionality,” says the company.

Microsoft also points out that reviews will still be needed to confirm that results are correct, and that the malicious actor may use different functionality and coding styles in other operations, which means that these queries would not be able to identify implants that deviate significantly.

The tech company also explains that it chose to work with CodeQL for this review because the engine allows it to create “a database that captures the compiling code model,” which can then be queried repeatedly.

In the CodeQL GitHub repository, Microsoft has made C# queries available for evaluating code-level IoCs. Comprehensive details on each query, and on the code-level IoCs it seeks to find, are available in Solorigate-Readme.md. Guidance is also included on making improvements.

GitHub will soon publish guidance on how it is implementing these queries for current CodeQL customers. As a reminder, Microsoft also states that CodeQL is free for open-source projects hosted on GitHub.

The company also explains that, while investigating Solorigate, it took two approaches: on the one hand, it searched for syntax associated with the code-level IoCs, while on the other, it looked for the overall semantic patterns of the techniques present in those IoCs. Detection can then capture situations where the techniques have changed but the syntax has not, or the other way around.

“Because it is possible that both syntax and techniques might be modified by the malicious actor, CodeQL was just one aspect of our broader investigative effort,” the tech giant says.

Jennifer Thomas