Third malware strain discovered in SolarWinds supply chain attack


Cybersecurity company CrowdStrike, one of the companies directly involved in investigating the SolarWinds supply chain attack, said today that it has identified a third malware strain directly involved in the recent hack.

Named Sunspot, this discovery adds to the previously identified Sunburst (also known as Solorigate) and Teardrop malware strains.

But while Sunspot is the latest discovery from the SolarWinds hack, CrowdStrike said the malware was actually the first of the three to be used.

Sunspot malware ran on the SolarWinds build server

In a report published today, CrowdStrike said that Sunspot was deployed in September 2019, when the hackers first breached SolarWinds' internal network.

The Sunspot malware was installed on the SolarWinds build server, the system that compiles source code and assembles smaller components into the finished software that ships to customers.

CrowdStrike said that Sunspot had a single purpose: watching the build server for build commands that compiled Orion, one of SolarWinds' flagship products, an IT resource monitoring platform used by more than 33,000 customers across the world.

Once a build command was detected, the malware silently replaced source code files inside the Orion application with files that carried the Sunburst malware, producing versions of Orion that also installed the Sunburst backdoor.
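The mechanism described above matters for defenders because the tampering happens between version control and the compiler, so the usual "is the source tree clean?" check can pass. The following toy model is an added example and is not CrowdStrike's, SolarWinds' or the attackers' code; the file names, file contents, the miniature "compiler" and the assumption that the implant restores the original file as soon as the build finishes are all constructed for illustration. It shows a post-build source-hash check passing on the tampered host while an independent rebuild from the committed sources catches the difference.

```python
"""
Added example (not code from CrowdStrike, SolarWinds or the article): a model of a
build-time source swap and two integrity checks run against it.  Everything here
(file names, contents, the 'compiler') is constructed for illustration.
"""
import hashlib
from typing import Callable, Dict, Iterable

# Constructed source tree: what the developers committed to version control.
COMMITTED_SOURCES: Dict[str, bytes] = {
    "Orion/Core/Program.cs": b"class Program { static void Main() { Run(); } }\n",
    "Orion/Core/Inventory.cs": b"class Inventory { void Refresh() { /* legit */ } }\n",
}

# Constructed replacement for one source file.  In the real attack the swapped file
# carried the Sunburst loader; here it is simply a different byte string.
BACKDOORED_FILE = "Orion/Core/Inventory.cs"
BACKDOORED_CONTENT = b"class Inventory { void Refresh() { Backdoor.Start(); } }\n"


def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def manifest(tree: Dict[str, bytes]) -> Dict[str, str]:
    """Hash every file in a source tree; this is the expected state taken from VCS."""
    return {path: sha256(content) for path, content in sorted(tree.items())}


def build(read_file: Callable[[str], bytes], paths: Iterable[str]) -> str:
    """Toy compiler: the artifact is a hash over all sources *as the build read them*."""
    h = hashlib.sha256()
    for path in sorted(paths):
        h.update(path.encode())
        h.update(read_file(path))
    return h.hexdigest()


class TamperedBuildHost:
    """Models a build server where an implant swaps one source file only while the
    build is running, then restores the original (assumption) so the on-disk tree
    looks clean afterwards."""

    def __init__(self, tree: Dict[str, bytes]):
        self.disk = dict(tree)

    def read_file(self, path: str) -> bytes:
        return self.disk[path]

    def run_build(self) -> str:
        original = self.disk[BACKDOORED_FILE]
        self.disk[BACKDOORED_FILE] = BACKDOORED_CONTENT   # swap just before compile
        try:
            return build(self.read_file, self.disk.keys())
        finally:
            self.disk[BACKDOORED_FILE] = original          # restore once compile ends


def post_build_source_check(host: TamperedBuildHost, expected: Dict[str, str]) -> bool:
    """Weak control: hash the sources on disk *after* the build and compare with VCS.
    Passes on the tampered host because the swap has already been reverted."""
    return manifest(host.disk) == expected


def independent_rebuild_check(suspect_artifact: str, tree: Dict[str, bytes]) -> bool:
    """Stronger control: rebuild from the committed sources on a separate, trusted
    host and compare artifacts (a reproducible-build style check)."""
    clean_artifact = build(lambda p: tree[p], tree.keys())
    return suspect_artifact == clean_artifact


def demo() -> Dict[str, bool]:
    expected = manifest(COMMITTED_SOURCES)
    host = TamperedBuildHost(COMMITTED_SOURCES)
    artifact = host.run_build()
    return {
        "post_build_source_check_passes": post_build_source_check(host, expected),
        "independent_rebuild_matches": independent_rebuild_check(artifact, COMMITTED_SOURCES),
    }


if __name__ == "__main__":
    print(demo())
```

The point of the two checks is the window they observe: the first looks at the tree once the compiler has exited, the second looks at what the compiler actually consumed. Only a control that sees the build inputs at compile time, or an independent rebuild on a machine the attacker does not control, distinguishes the two artifacts.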

Image: Timeline of the SolarWinds supply chain attack

These trojanized Orion builds ended up on SolarWinds' official update servers and were installed on the networks of many of the company's customers.

Once this happened, the Sunburst malware would activate inside the internal networks of companies and government agencies, where it would collect data about its victims and then send that information back to the SolarWinds hackers (see this Symantec report on how the data were sent back via DNS requests).
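Because the victim data travelled out over DNS, one place to look for this class of activity is the resolver log. The detector below is an added example, not code from the article or from the Symantec report it cites, and it does not decode Sunburst's own encoding scheme: it applies a generic heuristic (long, high-entropy leftmost labels, counted per client and base domain) that flags DNS-based exfiltration in general. The log format, domain names, client addresses and thresholds are all constructed assumptions.

```python
"""
Added example (not from the article or Symantec): a heuristic detector for DNS-based
data exfiltration, run over constructed resolver-log lines.  Log format, names and
thresholds are assumptions chosen for illustration.
"""
import math
from collections import Counter, defaultdict
from typing import Dict, List, Set, Tuple

# Constructed log lines (not real telemetry).  Assumed format: "<ts> <client> <qname> <qtype>".
# The 20-character labels were written by hand to look like encoded data.
SAMPLE_LOG = """\
2020-06-01T10:00:01Z 10.1.2.3 www.example.com A
2020-06-01T10:00:02Z 10.1.2.3 cdn.example.com A
2020-06-01T10:00:05Z 10.1.2.9 x4q9kz2mtw7pv1c8nd0r.api.eu-west-1.beacon-test.invalid A
2020-06-01T10:00:17Z 10.1.2.9 b3hg5jyaf6ue2sl0o9kq.api.us-east-2.beacon-test.invalid A
2020-06-01T10:00:29Z 10.1.2.9 m8tc1rvz4ndb6eq0wkxy.api.us-west-2.beacon-test.invalid A
2020-06-01T10:00:41Z 10.1.2.9 p2lgs7h9ufj3zom1vtab.api.eu-west-1.beacon-test.invalid A
2020-06-01T10:00:50Z 10.1.2.3 mail.example.com MX
"""

MIN_LABEL_LEN = 16   # assumed threshold: carrying encoded victim data needs long labels
MIN_ENTROPY = 3.5    # assumed threshold in bits per character; dictionary words sit well below


def shannon_entropy(s: str) -> float:
    """Shannon entropy of a string in bits per character (0.0 for the empty string)."""
    if not s:
        return 0.0
    counts = Counter(s)
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def base_domain(qname: str) -> str:
    """Crude registrable-domain guess: the last two labels.  A real deployment
    should use the Public Suffix List instead."""
    labels = qname.rstrip(".").split(".")
    return ".".join(labels[-2:])


def parse_log(text: str) -> List[Dict[str, str]]:
    """Parse the assumed whitespace-separated format into records."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, client, qname, qtype = line.split()
        records.append({"ts": ts, "client": client, "qname": qname.lower(), "qtype": qtype})
    return records


def detect_exfil(text: str) -> List[Dict[str, object]]:
    """Flag queries whose leftmost label looks like encoded data, and annotate each
    alert with how many distinct such labels the same client sent to the same base
    domain (a single odd label is noise; a stream of them is a channel)."""
    per_base: Dict[Tuple[str, str], Set[str]] = defaultdict(set)
    alerts: List[Dict[str, object]] = []
    for rec in parse_log(text):
        label = rec["qname"].split(".")[0]
        ent = shannon_entropy(label)
        if len(label) >= MIN_LABEL_LEN and ent >= MIN_ENTROPY:
            key = (rec["client"], base_domain(rec["qname"]))
            per_base[key].add(label)
            alerts.append({
                "client": rec["client"],
                "qname": rec["qname"],
                "base": key[1],
                "label_len": len(label),
                "entropy": round(ent, 2),
            })
    for a in alerts:
        a["distinct_labels_from_client"] = len(per_base[(a["client"], a["base"])])
    return alerts


if __name__ == "__main__":
    for alert in detect_exfil(SAMPLE_LOG):
        print(alert)
```

Treat the two thresholds as starting points, not tuned values: CDN hostnames and some cloud APIs legitimately use long random-looking labels, so in production the per-client distinct-label count against a previously unseen base domain is the signal worth alerting on, with the entropy test as a pre-filter.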

The threat actors would then decide whether a victim was important enough to compromise further and deploy the more powerful Teardrop backdoor on those systems, while instructing Sunburst to remove itself from networks they considered insignificant or too risky.

The revelation that a third malware strain was involved in the SolarWinds attack is only one of three major updates that surfaced today about this incident.

In a separate announcement posted on its blog, SolarWinds also published a timeline of the hack. The Texas-based software provider said that before the Sunburst malware was deployed to customers between March and June 2020, the hackers also ran a test between September and November 2019.

“The subsequent October 2019 version of the Orion Platform release appears to have contained modifications designed to test the perpetrators’ ability to insert code into our builds,” SolarWinds CEO Sudhakar Ramakrishna said today, in an assessment also echoed by the CrowdStrike report.

Image: SolarWinds hack timeline (Image: SolarWinds)

Code overlaps with Turla malware

Separately, security company Kaspersky also published its own findings earlier in the day in a report of its own.

Kaspersky, which was not part of the formal investigation of the SolarWinds attack but still analyzed the malware, said it examined the Sunburst backdoor's code and found code overlaps between Sunburst and Kazuar, a malware strain linked to the Turla group, Russia's most sophisticated state-sponsored cyber-espionage outfit.

Kaspersky was very careful in its language today, pointing out that it had found only “code overlaps” and that this does not necessarily mean it believes the Turla group orchestrated the SolarWinds attack.

The security company said the code overlap could be the result of the SolarWinds hackers using the same coding ideas, buying malware from the same coder, programmers moving between different threat actors, or it could simply be a false-flag operation aimed at leading security companies down the wrong track.

But while security companies have stayed away from attribution, last week US government officials formally blamed Russia for the SolarWinds hack, describing the hackers as “likely Russian in origin”.

The US government’s statement did not pin the hack on a specific group. Some media outlets have attributed the attack to a group known as APT29 (or Cozy Bear), but all the security companies and researchers involved in the investigation have urged caution and have refrained from formally attributing the hack to a specific group.

At the moment, the SolarWinds hackers are tracked under different names, such as UNC2452 (FireEye, Microsoft), DarkHalo (Volexity) and StellarParticle (CrowdStrike), but those designations may change once companies learn more.

One last mystery remains: how the SolarWinds hackers managed to breach the company’s network in the first place and install the Sunspot malware. Was it an unpatched VPN, a spear-phishing email, or a server exposed online with a guessable password?
