Microsoft is making available the CodeQL queries it used to detect malicious implants in the massive supply chain attack that affected SolarWinds, tech firms and government agencies.
The CodeQL queries for C# are now available in the GitHub repository. They help rule out the presence of code-level indicators of compromise.
“There is no guarantee that the malicious actor is constrained to the same functionality or coding style in other operations, so these queries may not detect other implants that deviate significantly from the tactics seen in the Solorigate implant,” Microsoft says. “These should be considered as just a part in a mosaic of techniques to audit for compromise.”
Solorigate, also known as Sunburst, is the backdoor the hackers used in the SolarWinds attack.
How Does CodeQL Work?
CodeQL is an open-source semantic code analysis engine that works in two stages. First, as part of the compilation of source code into binaries, CodeQL builds a database that captures the model of the compiling code.
“For interpreted languages, it parses the source and builds its own abstract syntax tree model, as there is no compiler. Second, once constructed, this database can be queried repeatedly like any other database. The CodeQL language is purpose-built to enable the easy selection of complex code conditions from the database,” Microsoft notes.
Researchers at Microsoft report that CodeQL’s two-stage approach enables using static analysis not just for secure development life cycle analysis but also for reactive code inspection across the enterprise.
“We built this [CodeQL query] capability to analyze thousands of repositories for newly described variants of vulnerabilities within hours of the variant being described, but it also allowed us to do a first-pass investigation for Solorigate implant patterns similarly, quickly,” the researchers say in a Thursday blog.
When searching for Solorigate indicators of compromise, researchers looked both for distinctive syntax that stood out and for semantic patterns.
“The syntactic queries are quick to write and execute while offering several advantages over comparable regular expression searches,” Microsoft says. “However, they are brittle to the malicious actor changing the names and literals they use. The semantic patterns look for the overall techniques used in the implant, such as hashing process names, time delays before contacting the C2 servers, etc. These are durable to substantial variation, but they are more complicated to author and more compute-intensive when analyzing many codebases at once.”
By combining these approaches, the queries were able to detect scenarios in which the hackers changed the techniques but used similar syntax, or changed syntax but used similar techniques.
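To illustrate the "semantic pattern" style described above, here is an added example CodeQL query for C# (written for this article, not one of the queries in Microsoft's repository). It flags a method that both sleeps for a large constant number of milliseconds and calls into the System.Net namespace; the ten-minute threshold and the namespace filter are assumptions chosen for the illustration.

```ql
/**
 * @name Long fixed delay in a method that also touches the network
 * @description Semantic pattern: a method that sleeps for a large constant
 *              number of milliseconds and also calls into System.Net.
 *              Illustrative query, not one of Microsoft's Solorigate queries.
 * @kind problem
 * @problem.severity warning
 * @id example/delay-before-network
 */

import csharp

// A Thread.Sleep call whose argument folds to a constant of at least
// ten minutes (600000 ms). The threshold is an assumption for this example.
class LongFixedSleep extends MethodCall {
  int millis;

  LongFixedSleep() {
    this.getTarget().hasQualifiedName("System.Threading.Thread", "Sleep") and
    millis = this.getArgument(0).getValue().toInt() and
    millis >= 600000
  }

  int getMillis() { result = millis }
}

// Any call whose target is declared somewhere under the System.Net namespace.
// Matching on the namespace rather than on specific method names keeps the
// query durable to renamed helpers and different client classes.
class NetworkCall extends MethodCall {
  NetworkCall() { this.getTarget().getQualifiedName().matches("System.Net.%") }
}

from LongFixedSleep sleep, NetworkCall net, Callable c
where
  c = sleep.getEnclosingCallable() and
  c = net.getEnclosingCallable()
select sleep,
  "Fixed delay of " + sleep.getMillis() + " ms in $@, which also calls $@.",
  c, c.getName(), net, net.getTarget().getName()
```

Because the query keys on the technique (a long constant delay co-located with network activity) rather than on names or literals, it survives the renaming that would defeat a syntactic query, at the cost of more false positives in legitimate polling or retry code.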
The SolarWinds Attack
Deputy National Security Adviser Anne Neuberger recently said the Biden administration is preparing “executive action” to address security shortcomings that have come to light as a result of the SolarWinds supply chain attack.
Investigators believe that nine federal agencies, as well as 100 private sector organizations – including Microsoft – were compromised as part of the attack, Neuberger says.
The supply chain attack was launched when hackers planted a backdoor within an update for SolarWinds’ Orion network monitoring platform. Then, 18,000 of the company’s customers downloaded the update, and some of those were further targeted for follow-on attacks (see: Senators Grill Cybersecurity Execs on SolarWinds Attack).
Microsoft President Brad Smith said in a recent TV interview that more than 1,000 developers likely worked on rewriting code for the massive SolarWinds supply chain attack.
SolarWinds and government investigators have said a Russia-based hacking group was the likely protagonist behind what appears to have been a cyberespionage campaign.