FireEye last week uncovered a highly evasive intrusion campaign that abuses the SolarWinds software supply chain to deliver the SUNBURST backdoor; FireEye tracks the actor behind it as UNC2452. The actors gained access to numerous public and private organizations around the world via trojanized updates to SolarWinds' Orion IT monitoring and management software. The campaign may have begun as early as Spring 2020 and is currently ongoing. Post-compromise activity following the supply chain compromise has included lateral movement and data theft. The campaign is the work of a highly skilled actor, and the operation was conducted with significant operational security.
SolarWinds recently filed an SEC report indicating that, while it has over 300,000 customers, fewer than 18,000 were running the trojanized version of the Orion software. The attack represents a broad and successful espionage campaign against both the confidential information of the U.S. Government and the technology tools firms use to protect it. The attack is ongoing and is being actively investigated and addressed by cybersecurity teams in the public and private sectors, including Microsoft.
The nature of the initial phase of the attack and the breadth of the supply chain exposure is illustrated in the map below, which is based on telemetry from Microsoft Defender Antivirus. The data identifies Defender customers who installed versions of SolarWinds' Orion software containing the attackers' malware. As the map makes clear, this phase of the attack created a supply chain exposure of nearly global reach, extending to many major national capitals outside Russia, with the heaviest concentration in the United States and the United Kingdom.
Microsoft has identified and notified more than 40 customers that the attackers targeted more precisely and compromised through additional, more sophisticated measures.
While roughly 80% of these customers are located in the United States, this work has so far also identified victims in seven other countries: Canada and Mexico in North America; Belgium, Spain and the United Kingdom in Europe; and Israel and the UAE in the Middle East. The number and location of victims will almost certainly keep growing.
The initial list of victims includes not only government agencies but also security and other technology firms and non-governmental organizations, as shown in the chart below. 44% of the victims were in the information technology sector, including software firms, equipment providers and IT services firms. Additional victims in other countries and verticals are expected.
FireEye is tracking the software supply chain compromise and the related post-intrusion activity as UNC2452. The actor keeps a light malware footprint, preferring legitimate credentials and legitimate remote access tooling to operate inside a victim's environment. In practice this means that malware signatures alone will not surface the follow-on activity; defenders also need to review authentication logs and remote access sessions for misuse of valid accounts.
We are sharing what we have learned from analysing this sophisticated attack with the community. Any organization running SolarWinds Orion IT management software is potentially at risk. These organizations should immediately identify the Orion systems in their network, determine whether those systems are running a build containing the SUNBURST backdoor, and then hunt for further evidence of compromise beyond the backdoor itself.
FireEye's research has provided not only usable signatures but also indicators that help track and hunt for this malicious activity.
A summary of Indicators of Compromise (IOCs) is included below.
Threat Detection & Mitigation using IOCs:
SolarWinds.Orion.Core.BusinessLayer.dll is a digitally signed SolarWinds component of the Orion software framework; the trojanized build of it contains a backdoor that communicates over HTTP with third-party servers. FireEye tracks this trojanized Orion plug-in as SUNBURST. Because the malicious DLL carries a valid SolarWinds signature, a passing Authenticode check is not evidence that a build is clean: the file hash and version must be compared against the published indicators.
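The following host-triage script is an added example, not code from the original post, FireEye or SolarWinds. It locates copies of SolarWinds.Orion.Core.BusinessLayer.dll on a Windows host, records each file's SHA-256, version and Authenticode status, and compares the hash against a list the operator fills from the published IOCs. It assumes the default SolarWinds install roots under Program Files and ProgramData, and that the Orion plug-in is loaded by the SolarWinds.BusinessLayerHost process; both are assumptions, and the `$KnownBadSha256` list is intentionally left for the operator to populate rather than hard-coded here.

```powershell
# Added example: triage a Windows host for the trojanized Orion DLL.
# Assumptions: default SolarWinds install roots; operator supplies IOC hashes.

# Populate from the vendor/FireEye IOC list before running. Left empty on
# purpose so that no hash is hard-coded here.
$KnownBadSha256 = @()

function Invoke-OrionDllTriage {
    param([string[]]$BadHashes = $KnownBadSha256)

    # Assumed default install roots; extend if Orion was installed elsewhere.
    $roots = @(${env:ProgramFiles(x86)}, $env:ProgramFiles, $env:ProgramData) |
        Where-Object { $_ } |
        ForEach-Object { Join-Path $_ 'SolarWinds' } |
        Where-Object { Test-Path $_ }

    if (-not $roots) { return }

    Get-ChildItem -Path $roots -Recurse -ErrorAction SilentlyContinue `
        -Filter 'SolarWinds.Orion.Core.BusinessLayer.dll' |
    ForEach-Object {
        $hash = (Get-FileHash -Path $_.FullName -Algorithm SHA256).Hash.ToLower()
        # The trojanized DLL is validly signed by SolarWinds, so a 'Valid'
        # status here must NOT be read as "clean". The hash is the decider.
        $sig  = Get-AuthenticodeSignature -FilePath $_.FullName

        $verdict = if ($BadHashes -contains $hash) {
            'MATCH: hash is in the supplied IOC list'
        } elseif ($BadHashes.Count -eq 0) {
            'UNDETERMINED: no IOC hashes loaded'
        } else {
            'no hash match against the supplied list'
        }

        [pscustomobject]@{
            Path        = $_.FullName
            FileVersion = $_.VersionInfo.FileVersion
            SHA256      = $hash
            SigStatus   = $sig.Status
            Signer      = $sig.SignerCertificate.Subject
            Verdict     = $verdict
        }
    }
}

function Get-OrionOutboundConnections {
    # Assumed host process name for the Orion business layer plug-ins.
    # Destinations must be compared against the published network IOCs;
    # nothing is judged malicious here by itself.
    Get-Process -Name 'SolarWinds.BusinessLayerHost' -ErrorAction SilentlyContinue |
    ForEach-Object {
        Get-NetTCPConnection -OwningProcess $_.Id -State Established -ErrorAction SilentlyContinue
    } | Select-Object LocalPort, RemoteAddress, RemotePort, OwningProcess
}

# Usage on a suspected Orion server:
Invoke-OrionDllTriage | Format-Table -AutoSize
Get-OrionOutboundConnections | Format-Table -AutoSize
```

Run it with an elevated shell on every host that Orion was installed on, not only the primary poller, and keep the output: the hash and version per host are what you will need when reconciling against updated IOC lists later. A clean result on the DLL does not rule out earlier follow-on activity, so treat it as the first step of the hunt rather than its conclusion.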
At the time of publication, the Windows Installer patch file containing the trojanized version of the SolarWinds Orion product was still reachable:
This installer contains:
The attacker infrastructure associated with this series of attacks includes:
Given the nature of these attacks, we recommend our customers perform the above searches immediately. If you are unable to, Ashco Systems will help you locate the SolarWinds Orion servers owned by your organization and assess whether they have been compromised. After completing our analysis, we will provide an assessment report with expert recommendations.