The SolarWinds compromise has spread like wildfire through government and commercial networks, but new evidence suggests that the attack was the product of careful planning and testing rather than a lucky break. Sources close to the investigation into the malware (dubbed “Sunburst”) report that an earlier variant, which lacked the backdoor capability found in the current one, was distributed to SolarWinds customers in late 2019.
The attackers were able to track the spread of that test build, observe how defensive software reacted to it, and adjust their methods accordingly. This is unusual for a malware campaign: most rely on off-the-shelf (so to speak) tooling that an individual operator may tweak, but a full dry run against live targets is almost unheard of. It points to an actor far more disciplined than the average attacker and may indicate that a state-backed threat actor is behind Sunburst.
The compromise was first uncovered by FireEye, which disclosed its own breach on December 8th and identified the trojanized SolarWinds Orion update as the vector days later. Sunburst has since been found in systems belonging to the US Federal government as well, including the Department of Homeland Security and the National Nuclear Security Administration. As the investigation is ongoing, the full extent of the damage is unclear.
Threatpost has reported that up to 18,000 SolarWinds customers may have installed the trojanized Orion update, which was distributed between March and June 2020; while installations peaked in that window, the backdoored build remained available for download until December. What is known is that Sunburst installs a backdoor that gives the attackers visibility into the infected system, and that the backdoor may have been used to deliver additional files to infected devices.
FireEye and Microsoft have both announced countermeasures against Sunburst. Microsoft Defender now blocks and quarantines the backdoored Orion component, while FireEye, working with Microsoft and GoDaddy, took control of the malware's command-and-control domain and turned it into a kill switch: when the backdoor resolves that domain to the sinkhole's address range, it terminates itself. It remains to be seen whether Sunburst will be updated to defeat these measures, since they are only effective against the current version, and FireEye has cautioned that the kill switch does not evict the attackers from networks where they have already deployed other backdoors.
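To make the kill-switch mechanism concrete, here is an added example (not code from the article, FireEye or Microsoft) that models it alongside a simple DNS-log check. The command-and-control domain and the address ranges that cause the backdoor to stop are taken from FireEye's public technical reporting, not from this article, and the IPv6 portion of that list is abbreviated; the log format, client hosts, subdomain labels and answers are constructed for the example. Running it over the sample lines shows which lookups would have tripped the kill switch and which indicate a live contact that still needs investigation.

```python
import ipaddress
import re

# Sunburst's command-and-control domain, per FireEye's public reporting
# (not stated in the article above).
C2_DOMAIN = "avsvmcloud.com"

# Address ranges that, per FireEye's published analysis, make the backdoor
# terminate when the C2 name resolves into them. Copied from that reporting
# (IPv6 entries abbreviated), not from the article: private and multicast
# space sits alongside the ranges used for the sinkhole.
KILL_RANGES = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "224.0.0.0/3",
    "20.140.0.0/15", "96.31.172.0/24", "131.228.12.0/22", "144.86.226.0/24",
    "fc00::/7", "ff00::/8",
)]


def is_c2_name(name: str) -> bool:
    """True for the C2 domain itself or any subdomain of it."""
    n = name.lower().rstrip(".")
    return n == C2_DOMAIN or n.endswith("." + C2_DOMAIN)


def would_terminate(resolved_ip: str) -> bool:
    """Model of the kill switch: does this answer fall in a range the
    backdoor treats as a signal to stop? A v4 address never matches a
    v6 network and vice versa, so mixed versions are handled safely."""
    addr = ipaddress.ip_address(resolved_ip)
    return any(addr in net for net in KILL_RANGES)


# Constructed log format for this example:
#   "<timestamp> <client-ip> query=<name> answer=<ip>"
LOG_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<src>\S+)\s+query=(?P<name>\S+)\s+answer=(?P<ans>\S+)$"
)


def triage_dns_log(log_text: str) -> list:
    """Return one record per lookup of the C2 domain: who asked, what answer
    they received, and whether that answer would have tripped the kill switch.
    Non-C2 lookups and unparseable lines are skipped."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line.strip())
        if not m or not is_c2_name(m["name"]):
            continue
        hits.append({
            "ts": m["ts"],
            "src": m["src"],
            "name": m["name"],
            "answer": m["ans"],
            "kill_switch": would_terminate(m["ans"]),
        })
    return hits


# Constructed sample lines: hosts, subdomain labels and answers are invented.
SAMPLE_LOG = """\
2020-12-14T03:12:55Z 10.1.4.22 query=example1.appsync-api.eu-west-1.avsvmcloud.com answer=20.140.12.5
2020-12-14T03:13:01Z 10.1.4.22 query=www.example.com answer=93.184.216.34
2020-12-14T03:14:40Z 10.1.9.7 query=example2.appsync-api.us-west-2.avsvmcloud.com answer=203.0.113.9
"""

if __name__ == "__main__":
    for hit in triage_dns_log(SAMPLE_LOG):
        verdict = ("kill switch would fire" if hit["kill_switch"]
                   else "live C2 contact, investigate host")
        print(f'{hit["ts"]} {hit["src"]} -> {hit["name"]} = {hit["answer"]}: {verdict}')
```

The point of the second branch is the caveat from the article: a host whose lookup resolved to the sinkhole range is one where the current Sunburst build would have stopped itself, but a host that reached a live answer earlier may already carry other tooling that the kill switch does nothing about, so it is the one to pull for forensic review. For real resolver logs, replace the regex with one matching your resolver's format; the rest of the logic is unchanged.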