We’re still learning more about the SolarWinds security breach that exposed a heap of major finance and technology organizations, at least one hospital, and a university according to the Wall Street Journal. The cyberattack referenced as a “backdoor” used to compromise around 18,000 SolarWinds users echoed hacking patterns from the Russian hacking group, Turla, operating on behalf of Russia’s FSB security service. While none of this is news, the latest cybersecurity revelation is.
Today, CrowdStrike identified a third malware strain from the recent hack. Sunspot is the latest malware strain to be uncovered in addition to the Sunburst and Teardrop strains.
How Sunspot Malware Replaced Source Code
The Sunspot malware strain was installed on the SolarWinds build server—the system developers use to assemble smaller software components into larger software applications. Sunspot was designed to monitor that build server for build commands assembling Orion, a SolarWinds monitoring platform used by more than 30,000 customers across the globe.
When a build command was detected by Sunspot, the malware swapped source code files from the Orion application with files loading the Sunburst malware—resulting in Orion application versions installing the malicious Sunburst malware.
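The substitution described above happens between source checkout and compilation, so one defensive check is to snapshot source hashes from the reviewed commit and re-verify the tree immediately before the compiler runs, failing the build on any drift. The following is an added example written for this article, not code from SolarWinds or CrowdStrike; the file names, extensions and directory layout are constructed for the demo.

```python
import hashlib
import tempfile
from pathlib import Path
from typing import Dict, List

def hash_file(path: Path) -> str:
    """SHA-256 of a file, streamed so large sources are not loaded into memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def build_manifest(src_root: Path, patterns=("*.cs", "*.cpp", "*.h")) -> Dict[str, str]:
    """Map each source file (relative path) to its hash. Take this snapshot from the
    reviewed commit, outside the build host, and store it somewhere read-only."""
    manifest: Dict[str, str] = {}
    for pat in patterns:
        for p in sorted(src_root.rglob(pat)):
            manifest[p.relative_to(src_root).as_posix()] = hash_file(p)
    return manifest

def verify_tree(src_root: Path, manifest: Dict[str, str]) -> Dict[str, List[str]]:
    """Re-hash the tree right before compilation and report any drift. A build step
    that sees a non-empty 'modified' or 'added' list should fail closed and alert."""
    current = build_manifest(src_root)
    return {
        "modified": sorted(f for f in manifest if f in current and current[f] != manifest[f]),
        "added": sorted(f for f in current if f not in manifest),
        "removed": sorted(f for f in manifest if f not in current),
    }

def demo() -> Dict[str, List[str]]:
    """Constructed scenario: after the manifest is taken, one checked-in file is
    replaced on the build host and an unexpected file appears, as in the attack."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "App").mkdir()
        monitor = root / "App" / "Monitor.cs"        # hypothetical file names
        monitor.write_text("class Monitor { void Run() {} }\n")
        (root / "App" / "Util.cs").write_text("class Util {}\n")
        manifest = build_manifest(root)              # snapshot before the build
        monitor.write_text("class Monitor { void Run() { Beacon(); } }\n")  # swapped source
        (root / "App" / "Extra.cs").write_text("class Extra {}\n")          # unexpected file
        return verify_tree(root, manifest)
```

The manifest must be produced and stored off the build host; a check whose baseline lives on the same machine the attacker controls detects nothing.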
The trojanized Orion builds were distributed through official SolarWinds updates. Once customers installed them, Sunburst activated inside the internal networks of corporations and government agencies, gained access to data, and sent it to the hackers via DNS requests.
Next, where the hackers judged a victim important enough to pursue, they deployed the more capable Teardrop backdoor trojan across its systems, while instructing Sunburst to remove itself from networks they considered inconsequential or too risky.
The news of a third malware strain involved in the breach was just reported today.
The Timeline is Evolving
SolarWinds published a full timeline of the cyberattack. The report details that hackers launched a test run in the fall of 2019—between September and November. The Sunburst malware was then deployed to customers from March to June of 2020.
The SolarWinds CEO, Sudhakar Ramakrishna, shared today: “The subsequent October 2019 version of the Orion Platform release appears to have contained modifications designed to test the perpetrators’ ability to insert code into our builds.”
The SolarWinds supply chain attack was already the most significant cyberattack in modern memory. According to SolarWinds, Microsoft, FireEye, and the Cybersecurity and Infrastructure Security Agency (CISA), the hackers compromised a server used to build updates for the SolarWinds Orion Platform, an IT infrastructure management product, and used that access to inject backdoor malware.