Third Malware Strain Discovered Related to the SolarWinds Supply Chain Attack


UNCOMN is actively monitoring the SolarWinds breach and providing updates as they are made public. Visit uncomn.com/solarwinds for our previous updates.


As the weeks pass since the Federal Government announced the massive breach involving software from SolarWinds, new information about the cause of the breach continues to emerge. The hack stemmed from malware injected into government networks through a network and performance monitoring software platform from SolarWinds. Soon after that, SolarWinds itself announced that up to 18,000 customers of its software platform had been impacted by software patches tainted by the alleged Russian hacker group behind the attack, CozyBear.


What’s changed with the new discovery? 

On January 12th, 2021, CrowdStrike, one of the companies directly involved in investigating the SolarWinds supply chain attack, announced that it had identified a third malware strain directly involved in the SolarWinds breach. The new variant is being referred to as Sunspot. Sunspot adds to the previously discovered Sunburst (Solorigate) and Teardrop malware strains. Sunspot may be the latest discovery in the SolarWinds hack; however, CrowdStrike found evidence indicating that Sunspot was the first variant used in the attack campaign.


What are the implications of a third variant of the malware used in the attack? 

In a recent report published by CrowdStrike, it was determined that Sunspot was first used as a method of exploitation as early as September 2019. Researchers have traced evidence indicating that Sunspot was first injected onto a SolarWinds build server; consequently, Sunspot went undetected for over a year. CrowdStrike further established that the intent behind introducing Sunspot onto the build server was mainly reconnaissance. Specifically, it was intended to monitor the build server for build commands involved in the Orion assembly. Orion is one of SolarWinds' flagship monitoring products, used by more than 33,000 customers internationally.


How does this affect what we already knew about the breach? 

Researchers further discovered that Sunspot monitored the build server and, when a build command was identified, replaced source code files inside the application with malicious files. Those malicious files surreptitiously automated the insertion of the Sunburst malware, resulting in the malware moving onto SolarWinds' official update servers. When customers performed system updates, the update files they downloaded had Sunburst malware embedded.

While the name CozyBear may sound inviting, the reality is much less friendly. We are still learning the true extent of the hack.

What was the effect of Sunspot malware on businesses using SolarWinds? 

Once a client downloaded an infected update, the Sunburst malware would activate inside the internal networks of unsuspecting SolarWinds customers, including government agencies and commercial clients, where it sat undetected and collected sensitive data on its victims. Eventually, the information was sent back to the hackers behind the breach (see this Symantec report on how data was sent back via DNS requests). The perpetrators would then selectively compromise chosen victims by deploying the more powerful Teardrop backdoor trojan onto their systems. At the same time, Sunspot and Sunburst were programmed to delete themselves from networks deemed insignificant or at high risk of detection by security teams.


What does this mean for businesses wanting to protect their products and customers from similar threats? 

Technical analysis of Sunspot by CrowdStrike suggests the malware was specifically designed to detect when it was installed on a SolarWinds developer system, and then to remain idle until specific Orion source code files were accessed by developers. This complex process allowed the intruders to control the development of the breach's exploitation phase and limit indicators of attack to specific, vulnerable moments of the build process. The concerning aspect of this new discovery is that the targeted development process is not specific to SolarWinds; it is common across the software industry. This raises concern about future discoveries of compromised systems. As the malware went undetected for over a year in the SolarWinds breach, are there similar threat campaigns already underway in software development environments at countless companies throughout the world?
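Sunspot's technique, as described in the two passages above, was to wait for a build command and then swap source files in the window before the compiler read them. As an added defensive example (not code from UNCOMN, CrowdStrike or SolarWinds), the following Python hook records a hash manifest of the source tree at the clean checkout and re-verifies it immediately before each compile step, reporting modified, missing or unexpected source files; the `.cs` glob and the file names are assumptions.

```python
import hashlib
import tempfile
from pathlib import Path
from typing import Dict, List, Tuple

SOURCE_GLOB = "*.cs"  # assumption: a .NET source tree, as Orion is

def sha256_file(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def build_manifest(root: Path) -> Dict[str, str]:
    """Trusted baseline: hash every source file right after the clean checkout."""
    return {p.relative_to(root).as_posix(): sha256_file(p)
            for p in sorted(root.rglob(SOURCE_GLOB))}

def verify_before_compile(root: Path, manifest: Dict[str, str]) -> List[Tuple[str, str]]:
    """Re-hash right before compile; returns (kind, path) with kind in modified/missing/unexpected."""
    findings = []
    on_disk = {p.relative_to(root).as_posix(): p for p in root.rglob(SOURCE_GLOB)}
    for rel, expected in manifest.items():
        if rel not in on_disk:
            findings.append(("missing", rel))
        elif sha256_file(on_disk[rel]) != expected:
            findings.append(("modified", rel))
    for rel in on_disk.keys() - manifest.keys():
        findings.append(("unexpected", rel))
    return sorted(findings)

def demo() -> List[Tuple[str, str]]:
    """Constructed: clean checkout, then one file swapped and one dropped before compile."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "Core").mkdir()
        (root / "Core" / "Scheduler.cs").write_text("class Scheduler {}\n")
        (root / "Core" / "Logger.cs").write_text("class Logger {}\n")
        manifest = build_manifest(root)
        assert verify_before_compile(root, manifest) == []  # clean tree passes
        # Build-time substitution of the kind the article describes (constructed)
        (root / "Core" / "Scheduler.cs").write_text("class Scheduler { /* altered */ }\n")
        (root / "Core" / "Dropped.cs").write_text("class Dropped {}\n")
        return verify_before_compile(root, manifest)

if __name__ == "__main__":
    for kind, rel in demo():
        print(f"{kind}: {rel}")
```

A single check at checkout would miss a substitution timed to the build command, which is why the verification is repeated at each compile step; any finding should fail the build and raise an alert rather than merely be logged.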


What can businesses do now to protect themselves from future incidents?  

The severity and complexity of this attack have taught us that sophisticated attackers are targeting our tech industry, and that remediation will require a sophisticated partnership to recover from the effects of similar attacks. UNCOMN is here to help. Leverage the skills, knowledge, and resources of our Cyber Response Team to help you and your company through this uncertainty. Email cyberhack@uncomn.com to schedule your free cybersecurity review today.


Visit uncomn.com/solarwinds to see our previous updates on the breach.

