- The hackers behind the SolarWinds breach used Sunspot malware deployed into the build environment to inject a "backdoor into the SolarWinds Orion platform without arousing the suspicion of the development team charged with delivering the product," according to analysis released by CrowdStrike Monday. Sunspot had safeguards to prevent Orion's build from failing, which allowed the malware to evade detection by developers.
- The Sunspot malware sat on the SolarWinds' build systems, waiting for the "MsBuild.exe process to exit before restoring the original source code and deleting the temporary InventoryManager.bk file," said CrowdStrike. The Sunburst backdoor remains if the build was successful.
- Hackers likely accessed SolarWinds systems in September 2019, before allowing the insertion of Sunburst, according to SolarWinds. Sunspot is at least the third malware detected in the hack, including Sunburst and the Teardrop "post-exploitation tool," said CrowdStrike.
SolarWinds is working with security firms to investigate the compromise and will continue to publish the findings because its software development and build processes are "common throughout the software industry," the company said.
Following the investigation, SolarWinds has reconstructed the timeline for the attack. While threat actors accessed SolarWinds on Sept. 4, 2019, hackers conducted their first known test on Sept. 12. Sunburst was not "compiled and deployed" until Feb. 20, 2020, according to SolarWinds' timeline.
In June 2020, the hackers removed Sunburst, also known as Solorigate, from SolarWinds' environment; it wasn't until December researchers uncovered vulnerabilities traced back to Sunburst.
While more than 18,000 SolarWinds customers were affected by the compromise, hackers were selective about secondary targets, exploiting those they deemed valuable. So far, the Departments of Commerce, Defense, Energy, Homeland Security, Justice, Treasury, State and National Institutes of Health are among the confirmed compromised federal agencies, though investigations remain underway.
Unless there is a larger campaign attacking the supply chain of other vendors, Sunspot should only be found in SolarWinds, said Katie Nickels, director of Intelligence at Red Canary, in a Twitter thread. Sunspot "injects SUNBURST only if Orion software is being built. This is VERY TARGETED," she wrote.
The organizations deemed valuable enough were hit by the memory-only dropper, Teardrop, according to FireEye. Teardrop "does not have code overlap with any previously seen malware. We believe that this was used to execute a customized Cobalt Strike BEACON."
CrowdStrike is calling the "activity cluster" StellarParticle; other security researchers theorize the threat group APT 29, also known as Cozy Bear or Dukes, is behind the attack. Last week, U.S. officials said Russian actors were "likely" behind the attack. StellarParticle is also different from what other firms are calling Solorigate, though the two overlap, said Nickels.