Third malware strain discovered in SolarWinds supply chain attack

January 12, 2021

Cyber-security firm CrowdStrike, one of the companies directly involved in investigating the SolarWinds supply chain attack, said today it identified a third malware strain directly involved in the recent hack.

Named Sunspot, this finding adds to the previously discovered Sunburst (Solorigate) and Teardrop malware strains.

But while Sunspot is the latest discovery in the SolarWinds hack, CrowdStrike said the malware was actually the first one used.

Sunspot malware ran on SolarWinds’ build server

In a report published today, CrowdStrike said that Sunspot was deployed in September 2019, when hackers first breached SolarWinds’ internal network.

The Sunspot malware was installed on SolarWinds’ build server, a type of software used by developers to assemble smaller components into larger software applications.

CrowdStrike said Sunspot had one singular purpose — namely, to watch the build server for build commands that assembled Orion, one of SolarWinds’ top products, an IT resources monitoring platform used by more than 33,000 customers across the globe.

Once a build command was detected, the malware would silently replace source code files inside the Orion app with files that loaded the Sunburst malware, resulting in Orion app versions that also installed the Sunburst malware.
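One way a build pipeline can catch the kind of source swap described above, shown as an added example that is not taken from the CrowdStrike report or from SolarWinds: hash the source tree against a manifest taken from the reviewed commit immediately before and after the compile step. The function names and the `.cs` files are hypothetical and constructed for the demo.

```python
import hashlib
import tempfile
from pathlib import Path


def snapshot(root: Path) -> dict:
    """Map each file's path (relative to root) to its SHA-256 digest."""
    return {
        p.relative_to(root).as_posix(): hashlib.sha256(p.read_bytes()).hexdigest()
        for p in sorted(root.rglob("*")) if p.is_file()
    }


def drift(trusted: dict, observed: dict) -> list:
    """List (path, change) pairs where the tree differs from the trusted manifest."""
    changes = []
    for path in sorted(trusted.keys() | observed.keys()):
        if trusted.get(path) != observed.get(path):
            kind = "removed" if path not in observed else "added" if path not in trusted else "modified"
            changes.append((path, kind))
    return changes


def guarded_build(root: Path, trusted: dict, compile_step) -> list:
    """Build only if the tree matches the manifest, then re-check after the build."""
    before = drift(trusted, snapshot(root))
    if before:
        return before  # refuse to build a tree that has already drifted
    compile_step(root)
    return drift(trusted, snapshot(root))


def demo() -> list:
    """Constructed scenario: one source file is swapped while the build runs."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "src").mkdir()
        (root / "src" / "app.cs").write_text("class App {}\n")    # constructed file
        (root / "src" / "util.cs").write_text("class Util {}\n")  # constructed file
        trusted = snapshot(root)  # stands in for a manifest from the reviewed commit

        def compile_step(tree: Path) -> None:
            # Stand-in for the compiler run; the write models a swap during the build.
            (tree / "src" / "app.cs").write_text("class App { /* changed */ }\n")

        return guarded_build(root, trusted, compile_step)


if __name__ == "__main__":
    print(demo())
```

A real build should write its outputs outside the hashed tree so they are not reported as added files. A before/after check only sees a swap that is still on disk when the second snapshot is taken, so it complements file-change auditing on the build host rather than replacing it.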

Timeline of the SolarWinds supply chain attack

These trojanized Orion clients eventually made their way onto SolarWinds’ official update servers and were installed on the networks of the company’s many customers.

Once this happened, the Sunburst malware would activate inside internal networks of companies and government agencies, where it would collect data on its victims and then send the information back to the SolarWinds hackers (see this Symantec report about how data was sent back via DNS request).

Threat actors would then decide if a victim was important enough to compromise and would deploy the more powerful Teardrop backdoor trojan on these systems while, at the same time, instructing Sunburst to delete itself from networks it deemed insignificant or too high risk.

However, the revelation that a third malware strain was discovered in the SolarWinds attack is one of the three major updates that came to light today about this incident.

In a separate announcement on its blog, SolarWinds also published a timeline of the hack. The Texas-based software provider said that before the Sunburst malware was deployed to customers between March and June 2020, hackers also executed a test run between September and November 2019.

“The subsequent October 2019 version of the Orion Platform release appears to have contained modifications designed to test the perpetrators’ ability to insert code into our builds,” SolarWinds CEO Sudhakar Ramakrishna said today, in an assessment also echoed by the CrowdStrike report.

[Image: timeline of the SolarWinds hack. Source: SolarWinds]

Code overlap with Turla malware

On top of this, security firm Kaspersky also published its own findings earlier in the day in a separate report.

Kaspersky, which was not part of the formal investigation of the SolarWinds attack but still analyzed the malware, said that it looked into the Sunburst malware source code and found code overlaps between Sunburst and Kazuar, a strain of malware linked to the Turla group, Russia’s most sophisticated state-sponsored cyber-espionage outfit.

Kaspersky was very careful in its language today to point out that it found only “code overlaps” but not necessarily that it believes that the Turla group orchestrated the SolarWinds attack.

The security firm claimed this code overlap could be the result of the SolarWinds hackers using the same coding ideas, buying malware from the same coder, coders moving across different threat actors, or could simply be a false flag operation meant to lead security firms on the wrong path.

Through further analysis, it is possible that evidence enforcing one or several of these points might arise. To clarify – we are NOT saying that DarkHalo / UNC2452, the group using Sunburst, and Kazuar or Turla are the same.

— Costin Raiu (@craiu) January 11, 2021

But while security firms have stayed away from attribution, last week, US government officials formally blamed the SolarWinds hack on Russia, describing the hackers as “likely Russian in origin.”

The US government’s statement did not pin the hack on a specific group. Some news outlets pinned the attack on a group known as APT29 (or Cozy Bear), but all the security firms and security researchers involved in the hack have pleaded for caution and have been very timid about formally attributing the hack to a specific group so early in the investigation.

Right now, the SolarWinds hackers are tracked under different names, such as UNC2452 (FireEye, Microsoft), DarkHalo (Volexity), and StellarParticle (CrowdStrike), but these designations are expected to change once companies learn more.

Right now, one last mystery remains: how the SolarWinds hackers managed to breach the company’s network in the first place and install the Sunspot malware. Was it an unpatched VPN, an email spear-phishing attack, a server that was left exposed online with a guessable password?




