Cybersecurity company CrowdStrike, one of the companies directly involved in investigating the SolarWinds supply chain attack, said today it had identified a third strain of malware directly involved in the recent hack.
Named Sunspot, the finding adds to the previously discovered strains Sunburst (also known as Solorigate) and Teardrop.
But while Sunspot is the latest discovery in the SolarWinds hack, CrowdStrike said the malware was actually the first of the three to be used.
Sunspot malware ran on the SolarWinds build server
In a report released today, Crowdstrike said Sunspot was introduced in September 201
The Sunspot malware was installed on the SolarWinds build server, the system developers use to assemble smaller components into larger software applications.
CrowdStrike says Sunspot had a single purpose: to watch the build server for commands assembling Orion, one of SolarWinds’ flagship products, an IT resource monitoring platform used by more than 33,000 customers worldwide.
Once a build command was detected, the malware silently replaced source files inside the Orion application with files that loaded the Sunburst malware, resulting in Orion builds that also installed Sunburst.
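The substitution described above happens between the moment a build is queued and the moment the compiler reads the source tree, so one defensive control is to hash every source file when the build starts and verify that nothing changed by the time it finishes. The script below is an added example of that check written for this article; it is not CrowdStrike's or SolarWinds' code, and the project layout, file names and contents it creates are constructed stand-ins.

```python
"""
Build-tree integrity check: snapshot the SHA-256 digest of every source file
when a build is queued, snapshot again when the build finishes, and report any
file that was modified, added or removed in between. Added example; the file
names and contents below are constructed for the demonstration.
"""
import hashlib
import tempfile
from pathlib import Path


def snapshot(root: Path) -> dict:
    """Map every file under `root` (relative POSIX path) to its SHA-256 hex digest."""
    digests = {}
    for path in sorted(root.rglob("*")):
        if path.is_file():
            rel = path.relative_to(root).as_posix()
            digests[rel] = hashlib.sha256(path.read_bytes()).hexdigest()
    return digests


def diff_snapshots(before: dict, after: dict) -> dict:
    """Return the files that were modified, added or removed between two snapshots."""
    return {
        "modified": sorted(p for p in before if p in after and before[p] != after[p]),
        "added": sorted(p for p in after if p not in before),
        "removed": sorted(p for p in before if p not in after),
    }


def demo() -> dict:
    """Simulate a source swap during a build and show the check catching it."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        # Constructed stand-ins for a project's source files (hypothetical names).
        (root / "src").mkdir()
        (root / "src" / "Core.cs").write_text("public class Core { }\n")
        (root / "src" / "Helper.cs").write_text("public class Helper { }\n")
        before = snapshot(root)  # taken when the build is queued

        # Simulated in-build substitution: one file rewritten, one file dropped in.
        (root / "src" / "Core.cs").write_text("public class Core { /* replaced */ }\n")
        (root / "src" / "Extra.cs").write_text("public class Extra { }\n")
        after = snapshot(root)  # taken when the build is finishing

        return diff_snapshots(before, after)


if __name__ == "__main__":
    report = demo()
    for kind, files in report.items():
        print(f"{kind}: {files}")
```

In a real pipeline the "before" snapshot would be taken from the checked-out commit on a machine the build server cannot write to, and a non-empty report would fail the build rather than just print it, since any difference between the two snapshots means the compiler did not see the code that was reviewed.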
SolarWinds supply chain attack timeline
These trojanized Orion builds eventually made their way onto SolarWinds’ official update servers and were installed on the networks of many of the company’s customers.
Once that happened, the Sunburst malware activated on the internal networks of companies and government agencies, where it collected data about its victims and sent the information back to the SolarWinds hackers (see this Symantec report on how the data was sent back via DNS queries).
The threat actors then decided whether a victim was important enough to escalate, deploying the more powerful Teardrop trojan on those systems, while instructing Sunburst to uninstall itself from networks they deemed insignificant or too risky.
The discovery of a third malware strain is only one of three major updates about the incident that emerged today.
In a separate post on its blog, SolarWinds also published a timeline of the hack. The Texas-based software vendor said that before the Sunburst malware was distributed to customers between March and June 2020, the hackers had also conducted a test run between September and November 2019.
“The next version of the Orion platform, from October 2019, appears to contain modifications designed to test the perpetrators’ ability to insert code into our builds,” SolarWinds CEO Sudhakar Ramakrishna said today, in an assessment echoed in the CrowdStrike report.
Code overlap with Turla malware
Separately, security firm Kaspersky also published its own findings earlier in the day.
Kaspersky, which was not part of the official investigation into the SolarWinds attack but analyzed the malware nonetheless, said it had studied the Sunburst source code and found code overlaps between Sunburst and Kazuar, a malware strain linked to the Turla group, Russia’s most sophisticated state-sponsored cyber-espionage team.
Kaspersky was very careful in its language today to point out that it had only found “code overlaps” and does not necessarily believe the Turla group orchestrated the SolarWinds attack.
The security company says the overlap could be the result of the SolarWinds hackers using the same coding ideas, purchasing malware from the same coder, coders moving between different threat actors, or simply a false-flag operation designed to lead security companies down the wrong path.
But while security firms have refrained from attributing the attack, U.S. government officials last week formally blamed Russia for the SolarWinds hack, describing the hackers as “probably Russian in origin.”
The U.S. government’s statement did not pin the hack on a specific group. Some news outlets have attributed the attack to a group known as APT29 (or Cozy Bear), but the security companies and researchers involved in the investigation have all been cautious and reluctant to formally attribute the hack to a particular group this early in the investigation.
The SolarWinds hackers are currently tracked under various names, such as UNC2452 (FireEye, Microsoft), DarkHalo (Volexity) and StellarParticle (CrowdStrike), but those designations are expected to change as companies learn more.
One last mystery remains: how the SolarWinds hackers managed to break into the company’s network in the first place and install the Sunspot malware. Was it an unpatched VPN, a spear-phishing email, or a server left exposed online with a known password?