
The cyber security firm CrowdStrike, one of the companies directly involved in the investigation into the SolarWinds supply chain attack, said today that it has identified a third type of malware directly involved in the recent hack.
Named Sunspot, this finding adds to the previously discovered Sunburst (Solorigate) and Teardrop malware strains.
But while Sunspot is the latest discovery in the SolarWinds hack, CrowdStrike said the malware was actually the first one to be used.
Sunspot malware deployed on SolarWinds’ build server
In a report published today, CrowdStrike said that Sunspot was deployed in September 2019, when hackers first breached SolarWinds’ internal network.
The Sunspot malware was installed on the SolarWinds build server, a type of software that developers use to assemble smaller components into larger software applications.
CrowdStrike said Sunspot had a single goal: to watch the build server for build commands that assembled Orion, one of SolarWinds’ top products, an IT resource monitoring platform used by more than 33,000 customers worldwide.
Once a build command was detected, the malware would silently replace source code files in the Orion app with files that loaded the Sunburst malware, resulting in Orion app versions that also installed the Sunburst malware.
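The swap described above happens only during the build window, which is what a defender can check for. The following script is an added illustration (not code from the article, CrowdStrike or SolarWinds) that hashes a source tree before and after a build step and reports any file that changed while the build ran; the file names and the tampering build step are constructed for the demo.

```python
import hashlib
import tempfile
from pathlib import Path


def snapshot(root):
    """Map each file under root (relative path) to its SHA-256 digest."""
    root = Path(root)
    digests = {}
    for path in sorted(root.rglob("*")):
        if path.is_file():
            rel = str(path.relative_to(root))
            digests[rel] = hashlib.sha256(path.read_bytes()).hexdigest()
    return digests


def diff_snapshots(before, after):
    """Return files that were modified, added or removed between two snapshots."""
    modified = sorted(p for p in before if p in after and before[p] != after[p])
    added = sorted(p for p in after if p not in before)
    removed = sorted(p for p in before if p not in after)
    return {"modified": modified, "added": added, "removed": removed}


def check_build_window(root, build_fn):
    """Hash the source tree, run the build step, hash again and report changes.

    A build should consume sources, not rewrite them, so any entry in the
    returned report is worth an alert before the produced binaries are signed.
    """
    before = snapshot(root)
    build_fn()
    after = snapshot(root)
    return diff_snapshots(before, after)


def demo():
    """Constructed sample: a build step that silently swaps one source file."""
    with tempfile.TemporaryDirectory() as tmp:
        src = Path(tmp)
        (src / "Core.cs").write_text("class Core {}")          # constructed file
        (src / "Program.cs").write_text("class Program {}")    # constructed file

        def tampering_build():
            # Simulates a source file being replaced mid-build (no real build runs)
            (src / "Core.cs").write_text("class Core { /* swapped content */ }")

        return check_build_window(src, tampering_build)
```

In a real pipeline the same check is simplest to run as a pre-build and post-build step that compares against the checked-out commit's tree hashes.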
Timeline of SolarWinds Supply Chain Attack
These Trojanized Orion builds eventually made their way onto SolarWinds’ official update servers and were installed on the company’s customers’ networks.
Once that happened, the Sunburst malware would activate inside the internal networks of companies and government agencies, where it would collect data about its victims and then send the information back to the SolarWinds hackers (see this Symantec report on how data was exfiltrated via DNS requests).
The threat actors would then decide whether a victim was important enough to compromise further, and would deploy the more powerful Teardrop backdoor trojan on those systems, while at the same time instructing Sunburst to remove itself from networks it considered insignificant or too high-risk.
However, the revelation that a third malware strain was discovered in the SolarWinds attack is only one of the three major updates that came to light today about this incident.
In a separate announcement published on its blog, SolarWinds also published a timeline of the hack. The Texas-based software provider said that before deploying Sunburst to customers between March and June 2020, the hackers also conducted a test run between September and November 2019.
“The subsequent October 2019 version of the Orion Platform release contained modifications designed to test the offenders’ ability to insert code into our builds,” SolarWinds CEO Sudhakar Ramakrishna said today, in an assessment that is also reflected in the CrowdStrike report.
Image: SolarWinds
Code overlap with Turla malware
In addition, the security firm Kaspersky earlier in the day also published its own findings in a separate report.
Kaspersky, which was not part of the formal investigation into the SolarWinds attack but still analyzed the malware, said it looked at the source code of the Sunburst malware and found code overlap between Sunburst and Kazuar, a type of malware linked to the Turla group, Russia’s most sophisticated state-sponsored cyber-espionage unit.
Kaspersky was very careful today to point out that it only found “code overlap”, and not necessarily that it believes the Turla group orchestrated the SolarWinds attack.
The security firm said this code overlap could be the result of the SolarWinds hackers using the same coding ideas, buying malware from the same coder, coders moving between different threat actors, or simply a false flag intended to put security firms on the wrong path.
With further analysis, it is possible that evidence supporting one or more of these points may arise. To clarify: we are NOT saying that DarkHalo / UNC2452, the group using Sunburst, and Kazuar or Turla are the same.
– Costin Raiu (@craiu) 11 January 2021
But while security companies remained on the fence, U.S. government officials last week formally blamed the SolarWinds hack on Russia, describing the hackers as “likely Russian in origin.”
The US government statement did not attribute the hack to a particular group. Some newspapers attributed the attack to a group known as APT29 (aka Cozy Bear), but all the security firms and security researchers involved in the hack called for caution and were very reluctant to formally attribute the hack to a specific group so early in the investigation.
The SolarWinds hackers are currently being tracked under various names, such as UNC2452 (FireEye, Microsoft), DarkHalo (Volexity) and StellarParticle (CrowdStrike), but this is expected to change as companies learn more.
For now, one last mystery remains, and that is how the SolarWinds hackers managed to breach the company’s network and install the Sunspot malware. Was it an unpatched VPN, a spear-phishing email, or a server exposed online with a guessable password?