Featured image
Truesec pattern
Blog
A preliminary analysis

The SolarWinds Orion SUNBURST Supply-Chain Attack

The recent SolarWinds Orion hack is part of a cyberattack that is one of the most severe in history. This is a preliminary analysis of the SolarWinds Orion supply-chain nation-state attack.
Fabio Viggiani
18 min readFabio Viggiani
Share

This post was published shortly after the attack was made public. Additional research has been done by multiple security professionals since then, to better understand the logic used by the malware and to filter out false positives. The8se sources are referenced throughout this post.

UPDATE 2020-12-19 23:20 UTC: updated results table

UPDATE 2020-12-21 15:37 UTC: updated section on C2 infrastructure based on current findings
UPDATE 2020-12-22 17:04 UTC: added link to Invoke-SunburstDecoder
UPDATE 2020-12-22 22:48 UTC: added section: Disabling security services and avoiding detection
UPDATE 2020-12-23 17:33 UTC: updated results table
UPDATE 2021-01-26 13:00 UTC: clarified some of the statements about targeted organizations, as they are only assumptions.

This post provides a list of internal names of organizations that had the SUNBURST backdoor installed, as well as which of these organizations have indications of having proceeded to the second stage of the attack, where further internal compromise might have taken place.

Summary

The recent SolarWinds Orion hack is part of a cyberattack that is one of the most severe in history.

A supply-chain attack leveraged SolarWinds Orion updates to deliver a backdoor to potentially 18.000 SolarWinds customers. The attack was highly sophisticated.

The infected systems in the various compromised organizations were configured to probe the threat actor systems to request instructions.

Truesec Threat Intelligence analyzed the malware, as well as historical network data, to determine some of the affected organizations that the threat actor might have explicitly selected for further activities, where it is possible that further internal compromise took place. These assumptions are based on historical network data (passive DNS) and the logic within the malware when handling certain responses.

While this is likely only a small part of the scope of the attack, it provides indications on the type of organizations that were potentially the real targets of the attack.

Some names stand out, such as ggsg-us.cisco (Cisco GGSG), us.deloitte.co (Deloitte), nswhealth.net (NSW Ministry of Health in Australia), banccentral.com (service supplier of IT and security for banks), and many others.

The impact of this attack is likely to be of gigantic proportions. The full extent of this breach will most likely never be communicated to the public, and instead will be restricted to trusted parts of the intelligence community.

Introduction

A supply-chain attack leveraged SolarWinds to deliver malicious software updates to their customers (approximately 18.000 potentially affected customers according to SolarWinds). The update installed a sophisticated backdoor giving the threat actor the ability to access selected targets and proceed with further activities inside the compromised organizations.

It is believed that the attack was carried out by a nation-state actor, likely APT29 a.k.a. Cozy Bear, i.e. Russian Intelligence.

FireEye and Microsoft initially published reports[1][2] describing some of the inner workings of the backdoor. A second, more detailed, post was later published by FireEye[15]. The backdoor is remarkably sophisticated and is worth a long technical description, while only some of its functionalities and characteristics are described in this article.

Truesec Threat Intelligence analyzed the backdoor as well as historical network data to identify patterns revealing possible victims.

Due to the nature of the attack, a large number of organizations around the world have been affected by the backdoor, while likely only a smaller number were specifically selected and targeted by the threat actor to conduct additional internal compromise (phase 2).

Technical Background

The threat actor was able to inject a backdoor in the Solarwinds Orion software by modifying the source code of an existing plugin, which was then signed by Solarwinds and published as part of an update available on the SolarWinds website. SolarWinds published an advisory[3] specifying the versions affected.

The malicious update has been available for several months and there are indications of breaches as early as March 2020. One of the identified malicious updates was hosted at the following URL:

hxxps://downloads.solarwinds[.]com/solarwinds/CatalogResources/Core/2019.4/2019.4.5220.20574/SolarWinds-Core-v2019.4.5220-Hotfix5.msp

The update package was properly digitally-signed, as shown below.

SUNBURST backdoor update package signed by Solarwinds
Figure 1 - Malicious Solarwinds Orion update containing SUNBURST backdoor

The backdoor code was made part of the following digitally-signed Orion component:

SolarWinds.Orion.Core.BusinessLayer.dll

This DLL is also signed.

SUNBURST backdoor Orion DLL signed by Solarwinds
Figure 2 - Malicious Solarwinds Orion DLL containing SUNBURST backdoor

The backdoor implements sophisticated functionality to communicate with the threat actor infrastructure and applies logic to determine what actions should be taken.

As a large number of Orion servers around the world have been infected with the backdoor, the threat actor had to have a way to determine which organization was contacting the attack infrastructure to be able to select the real target of this attack. This logic is partially explained below. For details see the FireEye article [15].

The hacked servers that received the Solarwinds backdoor periodically probe the threat actor infrastructure with a DNS query like the following:

<DGA_value>.appsync-api.eu-west-1[.]avsvmcloud[.]com

where <DGA_value> is computed with a DomainName Generation Algorithm and contains an encoded version of the internal Active Directory name of the infected server. The threat actor server decodes the information in the DNS requests and uses the internal domain name of the organization to determine what instructions to send back.

Truesec reversed the backdoor and identified a set of IP address ranges that, when received as part of the DNS response, will determine the actions taken by the backdoor code. Part of this code is illustrated in the figure below.

Solarwinds sunburst backdoor reversed showing IP ranges used to determine next actions
Figure 3 – Reversed SUNBURST backdoor showing IP ranges used to determine next actions

The AddressFamily field determines what the backdoor should do next, which can be roughly summarized as follows:

Atm or ImpLink : Terminate (killswitch).

Ipx : Go to initial state and keep polling.

NetBios: Start or continue second stage. Can initialize an HTTP backdoor channel used to collect additional information and deploy a second stage malware (specified by the threat actor at the time of instructions, and therefore specific to the target).

We can therefore assume that if the initial probe was answered with an address of type NetBios, the threat actor had configured the backdoor to move to the second stage, which is where additional malware can be deployed to possibly perform additional internal compromise.

Given the amount of affected organizations, it is still likely that a large number of victims with indications of stage 2, as described here, were later filtered out by the threat actor (not deemed worthy of further attack).

Identifying Internal Names of Victims

The DomainName Generation Algorithm described earlier, used to create a DNS query containing an encoded value of the internal domain name of the compromised organization, can be reversed.

RedDrip Team published a report[4] and a script[5] to decode the DGA part of the DNS requests, therefore allowing to retrieve the cleartext value of the internal domain name of the hacked server that made the request.

For example, if a compromised server makes the following request to the threat actor server:

ciepcqqog816s6urtt6t0kf60ceo6e20.appsync-api.us-east-2.avsvmcloud[.]com

This can be decoded to obtain the following internal name of the victim:

ggsg-us.cisco

This means that having records of performed DNS requests to avsvmcloud[.]com will reveal the internal names of the compromised organizations.

The SUNBURST backdoor uses the following three parameters to create a "Host Id" used in the DNS requests:

  • MAC address of the network interface
  • Internal domain name that the machine is joined to
  • Machine Guid from HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\MachineGuid

Since the DGA values from DNS requests can be decoded, if you have a DNS request and you want to see if it was generated from a certain machine, you only need to know MAC address, internal domain name, and machine Guid.

This can be extremely helpful during investigations to determine if a machine had a communicating SUNBURST backdoor on it. We wrote a PowerShell script that can be used for this, based on the great work by Erik Hjelmvik, Netresec.

Identifying Threat Actor Instructions

The next step was to obtain historical records of DNS requests,including the response. We obtained some of the available historical data[6].

The sample data contains 1528 DNS requests to avsvmcloud[.]com and their responses.

When filtered for requests matching the DGA algorithm syntax, we have requests with dates ranging from early April to December 2020.

This is an example of such request and response:

date : 2020-04-19 08:24:26
last_seen : 2020-04-19 08:24:27
qtype : 1
domain : avsvmcloud.com
qname : q8bps26mocuq6re4dutru70ct2w.appsync-api.us-east-1.avsvmcloud.com
value_ip : 8.18.144.138
type : ip
_key : 0e8ab64d5f5aff04fea862f4f72fcf1d04c3d377
value : 8.18.144.138

From this data we can determine that on April 19th, a request was made that decodes to the internal name pageaz.gov, and received as response 8.18.144.138, which according to the backdoor logic explained earlier maps to address type NetBios, meaning that the threat actor might have deployed an HTTP backdoor in this environment.

Command & Control Infrastructure

By analysing the IP addresses returned when instructing infected servers to establish an HTTP backdoor, we can identify the following blocks.

IP blockRegistered Organization (WHOIS information)
184.72.0.0 / 255.254.0.0Amazon.com, Inc.
71.152.53.0 / 255.255.255.0Amazon.com, Inc.
8.18.144.0 / 255.255.254.0Amazon Inc.
87.238.80.0 / 255.255.248.0Amazon Data Services Ireland DUB3 Datacentre
18.130.0.0 / 255.255.0.0Amazon Technologies Inc.
99.79.0.0 / 255.255.0.0Amazon Data Services Canada
199.201.117.0 / 255.255.255.0Traiana, Inc
Table 1 – List of IP blocks used when instructing systems to establish an HTTP backdoor, mapped to WHOIS information

These IP blocks are not used to establish the HTTP connection. Instead, if a CNAME record is contained in the response, that is the address used as C2 address for the new HTTP channel. FireEye listed the CNAME responses that they have observed as part of their indicators of compromise[9]. These are also reported below for convenience:

freescanonline[.]com
deftsecurity[.]com
freescanonline[.]com
thedoccloud[.]com

We initially thought that the A records in the blocks above were the C2 addresses, which would also make sense as almost all are part of the Amazon infrastructure and threat actors often use cloud providers to host their attack infrastructure. This would have also meant that the block belonging to Traiana, Inc could potentially be under control of the threat actor.

Truesec Threat Intelligence observed a large number of DNS responses from the threat actor server providing different IP addresses in the range 199.201.117.0/24 for the next stage.

At this point in time, it does not seem that these IP blocks were under control of the threat actor, but were instead deliberately used as part of the logic within the backdoor.

Putting the Pieces Together

We have decoded the DGA parts of the requests to identify internal domain names of compromised organizations, correlated that with the responses received from the threat actor server, and mapped them with the hardcoded list of IP ranges in the backdoor code.

This gives us a (partial) list of breached organizations, and which ones had the SUNBURST backdoor configured for the second stage of the attack where further internal compromise might have taken place.

Note that some of the names are truncated. Further analysis is ongoing to determine if this can be improved.

The results are summarized at the bottom of this post. This list contains the decoded values of internal domain names. We can therefore only assume that they belong to an organization based on the name of the domains and publicly available information.

Some of the internal names stand out, such as ggsg-us.cisco (Cisco GGSG), us.deloitte.co (Deloitte), nswhealth.net (NSW Ministry of Health in Australia), banccentral.com (service supplier of IT and security for banks), and many others.

Disabling Security Services and Avoiding Detection

The backdoor keeps an eye on a number of processes, services and device drivers. It simply avoids running if any of the following 137 processes are detected on the system.

apimonitor-x64
apimonitor-x86
autopsy64
autopsy
autoruns64
autoruns
autorunsc64
autorunsc
binaryninja
blacklight
cutter
de4dot
debugview
diskmon
dnsd
dnspy
dotpeek32
dotpeek64
dumpcap
exeinfope
fakedns
fakenet
ffdec
fiddler
fileinsight
floss
gdb
hiew32
idaq64
idaq
idr
ildasm
ilspy
jd-gui
lordpe
officemalscanner
ollydbg
pdfstreamdumper
pe-bear
pebrowse64
peid
pe-sieve32
pe-sieve64
pestudio
peview
pexplorer
ppee
ppee
procdump64
procdump
processhacker
procexp64
procexp
procmon
prodiscoverbasic
py2exedecompiler
r2agent
rabin2
radare2
ramcapture64
ramcapture
reflector
regmon
resourcehacker
retdec-ar-extractor
retdec-bin2llvmir
retdec-bin2pat
retdec-config
retdec-fileinfo
retdec-getsig
retdec-idr2pat
retdec-llvmir2hll
retdec-macho-extractor
retdec-pat2yara
retdec-stacofin
retdec-unpacker
retdec-yarac
rundotnetdll
sbiesvc
scdbg
scylla_x64
scylla_x86
shellcode_launcher
solarwindsdiagnostics
sysmon64
sysmon
tcpdump
tcpvcon
tcpview
vboxservice
win32_remote
win64_remotex64
windbg
windump
winhex64
winhex
winobj
wireshark
x32dbg
x64dbg
xwforensics64
xwforensics
redcloak
avgsvc
avgui
avgsvca
avgidsagent
avgsvcx
avgwdsvcx
avgadminclientservice
afwserv
avastui
avastsvc
aswidsagent
aswidsagenta
aswengsrv
avastavwrapper
bccavsvc
psanhost
psuaservice
psuamain
avp
avpui
ksde
ksdeui
tanium
taniumclient
taniumdetectengine
taniumendpointindex
taniumtracecli
taniumtracewebsocketclient64

The second check is a list of 8 services matched by process names. The backdoor searches for the services and keeps track of the status of the services. Additionally it changes the security descriptor of the service registry key and the start parameter. The service is never stopped by the backdoor and it looks like it simply waits until the machine restarts for the service to change state. The state of the services is recorded and stored in the DLL config file using the parameter RetryWatcherPostpone

The list of services is the following:

msmpeng
mssense
cavp
cb
csfalconservice
csfalconcontainer
xagt
xagtnotif
ekrn
eguiproxy
egui
fsgk32st
fswebuid
fsgk32
fsma32
fssm32
fnrb32
fsaua
fsorsp
fsav32

The backdoor avoids tampering with the start parameter of the WinDefend service and only changes the service key security descriptor.

The third check is performed to detect 17 specific device drivers. This check behaves the same way as the check for processes and will make sure that the backdoor aborts if any of the following drivers are detected.

cybkerneltracker.sys
atrsdfw.sys
eaw.sys
rvsavd.sys
dgdmk.sys
sentinelmonitor.sys
hexisfsmonitor.sys
groundling32.sys
groundling64.sys
safe-agent.sys
crexecprev.sys
psepfilter.sys
cve.sys
brfilter.sys
brcow_x_x_x_x.sys
lragentmf.sys
libwamf.sys

Based on this analysis, we can conclude that the detection of any of the specified processes or device drivers will always alter the execution path of the backdoor and discontinue the execution. While the detection of the listed services will only alter the execution path if a change in the status was detected.

Note that for service running as protected services, changing the service registry start parameter is not possible while the service is running. This applies to services related to any antimalware with ELAM capabilities like the Windows Defender.

The Backdoor does not try to avoid the listed antivirus, antimalware, and EDR service. For unknown reasons it tries to keep track of the status of these services.

Impact of the Attack

The target organizations, the threat actor sophistication and the amount of time between the initial breach and the discovery strongly indicates an impact of gigantic proportions.

It is highly likely that a massive amount of highly confidential information belonging to government organizations, medical institutions, Cybersecurity, the financial industry, etc. has been leaked. It is also highly likely that software and systems have been compromised and that the modus operandi of the Solarwinds breach can be repeated in future campaigns.

More information will be disclosed during the upcoming months but the full extent of this breach will most likely never be communicated to the public, and instead will be restricted to trusted parts of the intelligence community.

Results of the Analysis

Decoded Internal NamePossible Organization
(may be inaccurate)*
Observed
Message
First Seen
f.gnam2nd stage2020-04-04
corp.stratusnetStratus Networks2nd stage2020-04-17
pageaz.govCity of Page2nd stage2020-04-19
tx.org2nd stage2020-04-19
newdirections.kc2nd stage2020-04-21
christieclinic.comChristie Clinic Telehealth2nd stage2020-04-22
osb.local2nd stage2020-04-28
MOC.local2nd stage2020-04-30
ehtuh-2nd stage2020-05-01
resprod.comRes Group (Renewable energy company)2nd stage2020-05-06
barrie.caCity of Barrie2nd stage2020-05-13
te.nzTE Connectivity (Sensor manufacturer)2nd stage2020-05-13
fisherbartoninc.comThe Fisher Barton Group (Blade Manufacturer)2nd stage2020-05-15
sdch.localSouth Davis Community Hospital2nd stage2020-05-18
internal.jtl.c2nd stage2020-05-19
mnh.rg-law.ac.ilCollege of Law and Business, Israel2nd stage2020-05-26
RPM.loca2nd stage2020-05-28
CIRCU2nd stage2020-05-30
magnoliaisd.locMagnolia Independent School District2nd stage2020-06-01
fidelitycomm.loFidelity Communications (ISP)2nd stage2020-06-02
fidelitycomm.local2nd stage2020-06-02
corp.stingraydiStingray (Media and entertainment)2nd stage2020-06-03
keyano.localKeyano College2nd stage2020-06-03
friendshipstatebank.com2nd stage2020-06-06
ghsmain1.ggh.g2nd stage2020-06-09
ieb.go.id2nd stage2020-06-12
nswhealth.netNSW Health2nd stage2020-06-12
city.kingston.on.caCity of Kingston, Ontario, Canada2nd stage2020-06-15
servitia.intern2nd stage2020-06-16
CONSOLID2nd stage2020-06-17
corp.ptci.comPioneer Telephone Scholarship Recipients2nd stage2020-06-19
ironform.comIronform (metal fabrication)2nd stage2020-06-19
digitalsense.coDigital Sense (Cloud Services)2nd stage2020-06-24
ggsg-us.ciscoCisco GGSG2nd stage2020-06-24
CentralY2nd stage2020-06-24
signaturebank.lSignature Bank2nd stage2020-06-25
signaturebank.local2nd stage2020-06-25
Aerial.l2nd stage2020-06-26
mountsinai.hospMount Sinai Hospital2nd stage2020-07-02
pqcorp.comPQ Corporation2nd stage2020-07-02
mountsinai.hospitalMount Sinai Hospital, New York2nd stage2020-07-02
banccentral.comBancCentral Financial Services Corp.2nd stage2020-07-03
fhc.local2nd stage2020-07-06
isi2nd stage2020-07-06
gxw2nd stage2020-07-07
kcpl.comKansas City Power and Light Company2nd stage2020-07-07
lufkintexas.netLufkin (City in Texas)2nd stage2020-07-07
sm-group.localSM Group (Distribution)2nd stage2020-07-07
cys.localCYS Group (Marketing analytics)2nd stage2020-07-10
escap.org2nd stage2020-07-10
ftsillapachecasi2nd stage2020-07-10
oslerhc.orgWilliam Osler Health System2nd stage2020-07-11
wrbaustralia.adW. R. Berkley Insurance Australia2nd stage2020-07-11
dufferincounty.on.caDufferin County, Ontario, Canada2nd stage2020-07-17
fmtn.adCity of Farmington2nd stage2020-07-21
htwanmgmt.local2nd stage2020-07-22
pcsco.comProfessional Computer Systems2nd stage2020-07-23
COTESTDE2nd stage2020-07-25
camcity.localAdult Webcam2nd stage2020-07-28
usd373.orgNewton Public Schools2nd stage2020-08-01
Ameri2nd stage2020-08-02
sfsi.stearnsbanStearns Bank2nd stage2020-08-02
ville.terrebonnVille de Terrebonne2nd stage2020-08-02
Amerisaf2nd stage2020-08-02
chc.dom2nd stage2020-08-04
FWO.IT2nd stage2020-08-05
azlcyy2nd stage2020-08-07
itps.uk.netITPS (IT Services)2nd stage2020-08-11
bhq.lan2nd stage2020-08-18
prod.hamilton.Hamilton Company2nd stage2020-08-19
BCC.loca2nd stage2020-08-22
aiwo2nd stage2020-08-24
cosgroves.localCosgroves (Building services consulting)2nd stage2020-08-25
moncton.locCity of Moncton2nd stage2020-08-25
ad001.mtk.loMediatek2nd stage2020-08-26
cds.capilanou.Capilano University2nd stage2020-08-27
csnt.princegeorCity of Prince George2nd stage2020-09-18
int.ncahs.net2nd stage2020-09-23
CIMBM2nd stage2020-09-25
netdecisions.loNetdecisions (IT services)2nd stage2020-10-04
.sutmfWait2020-06-25
mixonhill.comMixon Hill (intelligent transportation systems)Terminate2020-04-29
yorkton.cofyCommunity Options for Families & YouthTerminate2020-05-08
ies.comIES CommunicationsTerminate2020-06-11
spsd.sk.caSaskatoon Public SchoolsTerminate2020-06-12
cow.localTerminate2020-06-13
KS.LOCALTerminate2020-07-10
bcofsa.com.arBanco de FormosaTerminate2020-07-13
ansc.gob.peGOB (Digital Platform of the Peruvian State)Terminate2020-07-25
bop.com.pkThe Bank of PunjabTerminate2020-07-31
airquality.orgTerminate2020-08-09
dokkenengineerinTerminate2020-08-19
3if.2lTerminate2020-08-20
rbe.sk.caRegina Public SchoolsTerminate2020-08-20
ni.corp.natinsTerminate2020-10-24
phabahamas.orgPublic Hospitals Authority, CaribbeanTerminate2020-11-05
insead.orgINSEAD Business SchoolTerminate2020-11-07
deniz.denizbankDenizBankTerminate2020-11-14
bi.corpTerminate2020-12-14
ccscurriculum.cUnknown2020-04-18
bisco.intBisco International (Adhesives and tapes)Unknown2020-04-30
atg.localUnknown2020-05-11
internal.hws.oUnknown2020-05-23
grupobazar.locaUnknown2020-06-07
xnet.kzX NET (IT provider in Kazakhstan)Unknown2020-06-09
ush.comUnknown2020-06-15
publiser.itUnknown2020-07-05
us.deloitte.coDeloitteUnknown2020-07-08
n2kUnknown2020-07-12
e-idsolutions.IDSolutions (video conferencing)Unknown2020-07-16
xijtt-Unknown2020-07-21
ETC1.localUnknown2020-08-01
ninewellshospitaUnknown2020-08-21
ABLE.localN/AN/A
acmedctr.adN/AN/A
ad.azarthritis.comArizona Arthritis & Rheumatology AssociatesN/AN/A
ad.library.ucla.eduN/AN/A
ad.optimizely.Optimizely, Software CompanyN/AN/A
admin.calliduscN/AN/A
aerioncorp.comAerion CorporationN/AN/A
agloan.adsN/AN/A
ah.orgN/AN/A
AHCCCN/AN/A
allegronet.co.N/AN/A
alm.brand.dkN/AN/A
amalfi.localN/AN/A
americas.phoeniN/AN/A
amr.corp.intelN/AN/A
apu.mnN/AN/A
ARYZTN/AN/A
b9f9hqN/AN/A
BE.AJN/AN/A
belkin.comBelkin InternationalN/AN/A
bk.localN/AN/A
bmrn.comN/AN/A
bok.comN/AN/A
BrokenArrow.LocalN/AN/A
btb.azN/AN/A
c4e-internal.cN/AN/A
calsb.orgN/AN/A
casino.prvN/AN/A
cda.corpN/AN/A
central.pima.govPima County, ArizonaN/AN/A
cfsi.localN/AN/A
ch.localN/AN/A
ci.dublin.ca.usDublin, CaliforniaN/AN/A
cisco.comCiscoN/AN/A
cityofsacramentoCity of SacramentoN/AN/A
clinicasierravista.orgClinica Sierra VistaN/AN/A
corp.dvd.comN/AN/A
corp.sana.comSana BiotechnologyN/AN/A
COWI.NetN/AN/A
coxnet.cox.comN/AN/A
CRIHB.NETN/AN/A
cs.haystax.localN/AN/A
csa.localN/AN/A
csci-va.comN/AN/A
csqsxhN/AN/A
DCCAT.DKN/AN/A
deltads.entN/AN/A
detmir-group.ruN/AN/A
dhhs-ad.N/AN/A
digitalreachinc.comN/AN/A
dmv.state.nv.usN/AN/A
dotcomm.orgN/AN/A
ebe.co.roanoke.va.usN/AN/A
ecobank.groupEcobankN/AN/A
ecocorp.localN/AN/A
epl.comN/AN/A
fa.lclN/AN/A
fortsmithlibrary.orgN/AN/A
fremont.lamrc.netN/AN/A
FSAR.LOCALN/AN/A
ftfcu.corpN/AN/A
FVF.locamN/AN/A
gksm.localN/AN/A
gloucesterva.netN/AN/A
glu.comN/AN/A
gnb.localN/AN/A
gncu.localN/AN/A
gsf.ccN/AN/A
gyldendal.localN/AN/A
helixwater.orgHelix Water DistrictN/AN/A
hgvc.comN/AN/A
HQ.RE-wwgi2xnlN/AN/A
ia.comN/AN/A
inf.dc.netN/AN/A
ingo.kgN/AN/A
innout.corpN/AN/A
int.lukoil-international.uzLukoilN/AN/A
intensive.intN/AN/A
its.iastate.edN/AN/A
jarvis.labN/AN/A
LABELMARKET.ESN/AN/A
lasers.state.la.usN/AN/A
milledgeville.localmilledgeville, GeorgiaN/AN/A
mutualofomahabank.comMutual of Omaha BankN/AN/A
nacr.comN/AN/A
ncpa.locN/AN/A
neophotonics.coNeoPhotonics CorporationN/AN/A
net.vestfor.dkN/AN/A
nih.ifN/AN/A
nvidia.comNvidiaN/AN/A
on-potN/AN/A
orient-express.comOrient ExpressN/AN/A
paloverde.localN/AN/A
rai.comN/AN/A
rccf.ruN/AN/A
repsrv.comN/AN/A
ripta.comN/AN/A
roymerlin.comN/AN/A
rs.localN/AN/A
rst.atlantis-pak.ruN/AN/A
SamuelMerritt.eduSamuel Merritt UniversityN/AN/A
sbywx3N/AN/A
sc.pima.govN/AN/A
scif.comN/AN/A
SCMRI.localN/AN/A
scroot.comN/AN/A
seattle.internaN/AN/A
securview.localN/AN/A
SFBALLETN/AN/A
SF-LibraN/AN/A
siskiyous.eduCollege of the Siskiyous, CaliforniaN/AN/A
sjhsagov.orgN/AN/A
SmartN/AN/A
smes.orgN/AN/A
sos-ad.state.nv.usN/AN/A
sro.vestfor.dkN/AN/A
staff.technion.ac.ilN/AN/A
superior.localN/AN/A
swd.localN/AN/A
taylorfarms.comN/AN/A
thajxqN/AN/A
thoughtspot.intN/AN/A
tr.technion.ac.ilN/AN/A
tv2.localN/AN/A
uis.kent.eduN/AN/A
uncity.dkN/AN/A
uont.comN/AN/A
vantagedatacenters.localVantage Data CentersN/AN/A
viam-invenientN/AN/A
vms.ad.varian.comN/AN/A
voceracommunications.comVocera CommunicationsN/AN/A
vsp.comN/AN/A
WASHOE.WN/AN/A
weioffice.comN/AN/A
wfhf1.hewlett.N/AN/A
woodruff-sawyerN/AN/A
xdxinc.netN/AN/A
y9k.inN/AN/A
zeb.i8N/AN/A
zippertubing.comZippertubingN/AN/A

* The organization names are assumptions based on the decoded internal names and may be inaccurate.


[1] https://www.fireeye.com/blog/threat-research/2020/12/evasive-attacker-leverages-solarwinds-supply-chain-compromises-with-sunburst-backdoor.html

[2] https://msrc-blog.microsoft.com/2020/12/13/customer-guidance-on-recent-nation-state-cyber-attacks/

[3] https://www.solarwinds.com/securityadvisory

[4] https://mp.weixin.qq.com/s/v-ekPFtVNZG1W7vWjcuVug

[5] https://github.com/RedDrip7/SunBurst_DGA_Decode

[6] https://github.com/bambenek/research/tree/main/sunburst

[7] https://www.cls-group.com/partnerships/traiana-inc/

[8] http://www.traiana.com

[9] https://github.com/fireeye/sunburst_countermeasures/blob/main/indicator_release/Indicator_Release_NBIs.csv

[10] https://github.com/Truesec/sunburst-decoder

[11] https://www.netresec.com/?page=Blog&month=2020-12&post=Reassembling-Victim-Domain-Fragments-from-SUNBURST-DNS

[12] https://gist.githubusercontent.com/IISResetMe/d61a2263c617959eda2682e94f8df8b1/raw/ebc9e675c961c2c3f5b8dbb3c2ee1c83f6181731/dealbreakers.txt

[13] https://gist.githubusercontent.com/IISResetMe/d61a2263c617959eda2682e94f8df8b1/raw/ebc9e675c961c2c3f5b8dbb3c2ee1c83f6181731/maleable-detectors.txt

[14] https://gist.githubusercontent.com/IISResetMe/d61a2263c617959eda2682e94f8df8b1/raw/ebc9e675c961c2c3f5b8dbb3c2ee1c83f6181731/dealbreaking-drivers.txt

[15] https://www.fireeye.com/blog/threat-research/2020/12/sunburst-additional-technical-details.html


For additional information and discussions on this topic, Truesec has recently published the following video where we discuss nation-state actors in relation to the SolarWinds SUNBURST hack.

https://www.youtube.com/watch?v=sL7cf1mS_AI
Truesec Tech Talk - SolarWinds SUNBURST breach and how nation-state actors operate

I was interviewed by Andy Syrewicze at Altaro on the SolarWinds SUNBURST attack and what IT service providers can and should do. You can watch the video interview below and you can also read Andy's post here.

https://www.youtube.com/watch?v=9EBNY9mGWQ0
Video Interview - Solarwinds Hack Fallout

Stay ahead in cyber

Join 1000+ other cyber professionals and get our regular updates with cyber knowledge and technical know-how.