As the investigations into the SolarWinds hack continue, CrowdStrike reports a third malware variant was used in the attack. Researchers at CrowdStrike discovered a malware variant dubbed Sunspot that consists of sophisticated novel code that was used to ensure the Sunburst backdoor was correctly delivered without raising flags to the SolarWinds developers that their build environment had been compromised.
The main malware used in the attack was Sunburst, which is a backdoor that was delivered through a Trojanized version of the SolarWinds Orion product via the automatic software update mechanism. Another malware variant called Teardrop was identified by FireEye researchers that is a dropper that runs in the memory and was used as a post exploit tool to deliver Cobalt Strike beacons.
Sunspot was deployed in September 2019 and its sole purpose was to monitor the SolarWinds build server for Orion build commands and then replace the source code within the app with files that loaded the Sunburst backdoor. When the Orion solution was updated, customers also had the Sunburst backdoor installed giving the APT group access to their systems. Data was collected and exfiltrated to determine which victims were worth further exploitation. Teardrop was then deployed and used in more extensive compromises with the aim of gaining access to cloud and email environments. Around 18,000 SolarWinds Orion users were injected with Sunburst, and a few hundred were selected for further compromise with Teardrop. What is still unknown is how the APT group gained access to the SolarWinds network.
The hackers went to great lengths to ensure that they were able to operate undetected, which is perhaps not surprising given the extent to which SolarWinds Orion is used by high value targets such as government agencies and large enterprises. The attack started on September 4, 2019 when the APT group first compromised SolarWinds. The APT group was patient, and spent time injecting test code and running trials before creating and deploying the Sunburst backdoor on February 20, 2020.
The attackers managed to operate undetected until FireEye discovered its systems had been breached, with its investigation revealing its hack came through SolarWinds Orion. SolarWinds was alerted to the breach in December 2020.
The Advanced Persistent Threat (APT) group responsible for the attack is still not known. Kaspersky has uncovered some code similarities between the Sunburst backdoor and a backdoor that has previously been used by the Turla APT group, although not sufficient evidence to confirm Turla was behind the attack. The attack has also been linked to the Russian APT29 (Cozy Bear) group, although FireEye maintains that APT29 was not behind the attack and that this is a new APT group which it tracking as UNC2452. CrowdStrike is tracking the group as StellaParticle and Volexity has named the group Dark Halo.
A fourth malware variant called SuperNova was also discovered, which was used by a threat group to remotely send, compile, and execute C# code on compromised machines. SuperNova was also delivered via compromised SolarWinds Orion builds, but this malware variant does not appear to have been used by the same APT group that was responsible for using Sunburst.