Symantec connects another hacking tool to SolarWinds campaign

A nesting doll of hacking tools has emerged in the SolarWinds campaign.
(Wikimedia Commons)

Private sector analysts uncovered a new hacking tool thought to be used in a suspected Russian spying operation in the latest example of how, as the investigation into the SolarWinds breach continues, the plot only thickens.

Security firm Symantec on Tuesday said it had found previously undocumented malicious code that the attackers used to move through victim networks and then transmit additional malware onto specific computers. The attackers installed the malicious code, dubbed Raindrop, on a handful of carefully chosen computers in an effort to spy on them, according to the latest findings.

The discovery underscores the range of tools the accused hackers had at their disposal — some to gain access to computer networks, others to sift through data — in a historic campaign that has infiltrated multiple U.S. federal agencies and consumed investigators at top security firms. U.S. federal investigators have said the hacking campaign is “likely Russian in origin.” Moscow denies involvement.

The attackers have often used tampered software from vendor SolarWinds to break into networks. But the malicious activity has gone far beyond the compromised SolarWinds product, as the Symantec research shows.


The hacking tool that Symantec found, for example, has surfaced in organizations using the tampered SolarWinds software, but on entirely different computers within the organization that showed no previous signs of compromise.

The discovery of the malicious code is “another sign of the steps [the attackers] took to avoid having their operations disrupted,” said Eric Chien, a technical director at Symantec, a division of semiconductor maker Broadcom. Chien said “at least three” organizations, but likely more, were infected with the Raindrop malware.

Symantec did not identify the organizations infected. But the attackers appeared to be going after high-value targets.

In one case, the hackers used Raindrop to access a computer running management software that offered access to the entire organization, Symantec said. In another, the hackers targeted a victim computer that was configured to communicate over the Server Message Block (SMB) protocol, a means of sharing files on a local network. That raises the possibility that the targeted computer did not have direct access to the public internet and had to be reached through other machines inside the network, though Symantec could not confirm that finding beyond question.

The FBI and private sector firms continue their investigation into the espionage operation. SolarWinds on Jan. 11 publicly identified a different piece of malicious code that the attackers used to meddle with the company’s software.


The alleged Russian activity has also affected the U.S. firms Microsoft and FireEye, and is considered one of the most advanced digital spying operations against U.S. government networks in recent memory.

President-elect Joe Biden has pledged to do “all that needs to be done” to get to the bottom of the intrusions, and then punish the culprits. How Biden responds will be a big early test for cybersecurity policy in his presidency.


Written by Sean Lyngaas

