Security researchers have uncovered a new malware tool used by Russian attackers to compromise SolarWinds.
Sunspot was used by attackers to inject the Sunburst backdoor code into the vendor’s Orion platform without setting off any internal alarms, CrowdStrike said in a blog post yesterday.
According to the security firm, which did not attribute the attack to anyone, the attackers went to great lengths to “ensure the code was properly inserted and remained undetected, and prioritized operational security to avoid revealing their presence in the build environment to SolarWinds developers.”
Sunspot worked by sitting on SolarWinds’ build server and monitoring running processes for instances of MsBuild.exe, which is part of Microsoft Visual Studio development tools. If it saw that Orion software was being built, it would hijack the operation to insert Sunburst.
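Because the tampering happened while the build was running, a defender cannot rely on comparing the source tree only before and after a build. The following added example (not CrowdStrike's, SolarWinds' or the article's code) is a Python monitor that re-hashes the source tree repeatedly during the build window and reports any deviation, even one reverted before the build finishes; the file suffixes, the scripted build and the temporary tree are constructed assumptions.

```python
import hashlib
import tempfile
import time
from pathlib import Path

# File types treated as build inputs (an assumption for this example).
SOURCE_SUFFIXES = {".cs", ".csproj", ".props", ".targets"}

def hash_tree(root):
    """Map every source file under root to its SHA-256 digest."""
    root = Path(root)
    return {str(p.relative_to(root)): hashlib.sha256(p.read_bytes()).hexdigest()
            for p in sorted(root.rglob("*")) if p.is_file() and p.suffix in SOURCE_SUFFIXES}

def diff_trees(baseline, current):
    """Return (modified, added, removed) paths between two snapshots."""
    modified = sorted(f for f in baseline if f in current and baseline[f] != current[f])
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    return modified, added, removed

def monitor_build(root, build_running, interval=0.5):
    """Re-hash the tree while build_running() is true; collect every deviation seen."""
    baseline = hash_tree(root)
    events = []
    while build_running():
        modified, added, removed = diff_trees(baseline, hash_tree(root))
        if modified or added or removed:
            events.append({"modified": modified, "added": added, "removed": removed})
        time.sleep(interval)
    # Also return the plain before/after comparison, for contrast with the in-build samples.
    return events, diff_trees(baseline, hash_tree(root))

def demo():
    """Constructed scenario: a source file is swapped mid-build and restored before the end."""
    root = Path(tempfile.mkdtemp())
    src = root / "App.cs"
    src.write_text("class App {}")
    tick = {"n": 0}
    def build_running():
        tick["n"] += 1
        if tick["n"] == 2:
            src.write_text("class App { /* unexpected insertion */ }")
        if tick["n"] == 3:
            src.write_text("class App {}")  # tamper reverted while the build is still running
        return tick["n"] < 5
    return monitor_build(root, build_running, interval=0)
```

In the constructed run, the in-build samples record one modification of `App.cs` while the final before/after comparison shows nothing, which is exactly the gap a build-time implant exploits.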
The resulting Trojanized version of Orion was then installed on SolarWinds customer systems. SolarWinds contacted Infosecurity to claim that the newly discovered implant isn't a new malware strain per se but part of the Sunburst attack.
Around 33,000 Orion customers exist around the world, but only a relatively small handful were singled out by the attackers for the next stage of the campaign.
These victims, including multiple US government entities such as the Department of Justice, were monitored by Sunburst and then hit with a secondary Trojan, Teardrop, which delivered further payloads.
According to a timeline from SolarWinds released yesterday, the attackers first accessed its internal systems in September 2019, and around a week later they injected test code to effectively check the efficacy of Sunspot.
Sunburst was then compiled and deployed into the Orion platform in February 2020, although it was only in December, when FireEye discovered it had been hit in the same campaign, that the whole story started to become clear.
Also yesterday, Kaspersky released new research indicating that the Sunburst malware contains multiple similarities with the Kazuar remote access backdoor previously linked to the long-running Russian APT group Turla.