| Name | Sunburst |
| Type of Malware | Backdoor Malware |
| Date of Initial Activity | 2020 |
| Associated Groups | APT29 |
| Motivation | Have complete access of the targeted organization’s network |
| Attack Vectors | A trajonized update of the SolarWinds Orion software |
| Targeted System | Windows |
Overview
SunBurst is the backdoor that was planted within SolarWinds’s Orion IT management software during 2020, as part of the infamous supply chain attack, hitting thousands of organizations worldwide. It is a persistent backdoor that provided attackers with an initial foothold within the organizations.
If the infected machines passed all the requirements, and did not contain various blacklisted services or AV software, Sunburst would later deploy additional memory implants (like TearDrop) for command execution and lateral movement capabilities
Targets
U.S. government agencies, technology companies. U.S. , Canada, Belgium, Britain and Israel.
Tools/ Techniques Used
SUNBURST is a supply chain attack that takes advantage of a backdoor implanted in a supplier to target and compromise organizations indirectly around the globe. The original introduction of malware occurred through a malicious DLL file, which attackers managed to introduce into the SolarWinds update package.
This package was delivered to SolarWinds customers, and because it was digitally signed by SolarWinds, it was trusted and deployed in their internal networks. After the update is performed, the malicious DLL starts running on endpoints in the target network.
Its main features include reconnaissance, the ability to execute files, and running scripts such as PowerShell. To prevent detection, the malware checks for the existence of specific drivers and processes on the host machine, which are security controls or scanning tools used by researchers to detect threats.
If it detects any of these processes, it terminates and does not continue running. In addition, the malware evades detection by: Attempting to disable security processes by changing registry keys, Evading specific endpoint security measures, Impersonating trusted network entities. The malware is designed to be dormant for two weeks after being deployed. After this waiting period, it communicates with its command and control servers using the SolarWinds application layer protocol.
Because this is a legitimate protocol typically used only for application communications, C2 communications did not trigger security alerts. Attackers use malware capabilities, in particular PowerShell scripts, to gain access to additional systems in the victim’s network. Once attackers gain access to a desired system, they exfiltrate sensitive data, typically using PowerShell email commands, or transmitting compressed files using HTTP requests.
Impact / Significant Attacks
SolarWinds Compromise. The attack led to the compromise of systems in over 40 government agencies, including the National Nuclear Security Administration (NNSA), the US agency responsible for nuclear weapons.
