Skip to main content
close search
site logo
Dive Brief

SolarWinds initially hacked in September 2019, 3rd malware found

Published Jan. 12, 2021
Samantha Schwartz's headshot
Samantha Schwartz Reporter
Illustration of locks layered above circuity.
Traitov/iStock/Getty via Getty Images

Dive Brief:

  • The hackers behind the SolarWinds breach used Sunspot malware deployed into the build environment to inject a "backdoor into the SolarWinds Orion platform without arousing the suspicion of the development team charged with delivering the product," according to analysis released by CrowdStrike Monday. Sunspot had safeguards to prevent Orion's build from failing, which allowed the malware to evade detection by developers. 
  • The Sunspot malware sat on the SolarWinds' build systems, waiting for the "MsBuild.exe process to exit before restoring the original source code and deleting the temporary InventoryManager.bk file," said CrowdStrike. The Sunburst backdoor remains if the build was successful. 
  • Hackers likely accessed SolarWinds systems in September 2019, before allowing the insertion of Sunburst, according to SolarWinds. Sunspot is at least the third malware detected in the hack, including Sunburst and the Teardrop "post-exploitation tool," said CrowdStrike.

Dive Insight:

SolarWinds is working with security firms to investigate the compromise and will continue to publish the findings because its software development and build processes are "common throughout the software industry," the company said. 

Following the investigation, SolarWinds has reconstructed the timeline for the attack. While threat actors accessed SolarWinds on Sept. 4, 2019, hackers conducted their first known test on Sept. 12. Sunburst was not "compiled and deployed" until Feb. 20, 2020, according to SolarWinds' timeline. 

SolarWinds
 

In June 2020, the hackers removed Sunburst, also known as Solorigate, from SolarWinds' environment; it wasn't until December researchers uncovered vulnerabilities traced back to Sunburst.

While more than 18,000 SolarWinds customers were affected by the compromise, hackers were selective about secondary targets, exploiting those they deemed valuable. So far, the Departments of Commerce, Defense, Energy, Homeland Security, Justice, Treasury, State and National Institutes of Health are among the confirmed compromised federal agencies, though investigations remain underway.

Unless there is a larger campaign attacking the supply chain of other vendors, Sunspot should only be found in SolarWinds, said Katie Nickels, director of Intelligence at Red Canary, in a Twitter thread. Sunspot "injects SUNBURST only if Orion software is being built. This is VERY TARGETED," she wrote. 

The organizations deemed valuable enough were hit by the memory-only dropper, Teardrop, according to FireEye. Teardrop "does not have code overlap with any previously seen malware. We believe that this was used to execute a customized Cobalt Strike BEACON." 

CrowdStrike is calling the "activity cluster" StellarParticle; other security researchers theorize the threat group APT 29, also known as Cozy Bear or Dukes, is behind the attack. Last week, U.S. officials said Russian actors were "likely" behind the attack. StellarParticle is also different from what other firms are calling Solorigate, though the two overlap, said Nickels. 

Recommended Reading

Filed Under: Cyberattacks

Editors' picks

Company Announcements

View all | Post a press release
Nile Adds Industry’s First Campus Zero Trust Delivered As a Service
From Nile
November 21, 2024
TrustNet Named 2024’s Best Compliance Advisory and Audit Firm at CDM’s Annual Top InfoSec Inno…
From TrustNet
November 06, 2024
Fathom5’s ARIA Technology Joins NSIN Propel Maritime Digital Defense Accelerator
From Fathom5
November 18, 2024
Editors' picks
Latest in Cyberattacks
image/svg+xml
Industry Dive is an Informa business
© 2024 Industry Dive. All rights reserved. | View our other publications | Privacy policy | Terms of use | Take down policy.
Cookie Preferences / Do Not Sell