{
	"id": "cd716176-766c-4369-83a4-1b15324f1fb1",
	"created_at": "2026-04-23T02:54:19.996905Z",
	"updated_at": "2026-04-25T02:18:51.56645Z",
	"deleted_at": null,
	"sha1_hash": "00f81d390530cb968334ac361a74e14208374c0b",
	"title": "Deep into the SunBurst Attack",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 66280,
	"plain_text": "Deep into the SunBurst Attack\r\nPublished: 2021-01-28 · Archived: 2026-04-23 02:41:13 UTC\r\nBy Lior Sonntag\r\nDuring the week of December 13th, we witnessed what many are calling one of the biggest cyberattacks in recent times. SunBurst, the malware installed on SolarWinds’ Orion product, perpetrated what seems like a nation-state sponsored supply chain attack, and as a result featured prominently in global headlines.\r\nThe attack raised awareness of supply-chain-based compromises. Previous reports offered best practices on how to identify and mitigate the impact of the attack, provided a deep dive into TEARDROP, one of the payloads used, and offered advice on protecting against the attack itself.\r\nThe activity following this supply chain attack included lateral movement and data theft.\r\nIn this blog, we focus on the second phase, in the cloud, and present some of the key tactics and techniques used by the nation-state actors in the malicious campaign. Using the MITRE ATT\u0026CK framework, we provide the most likely technical attack flow.\r\nAccording to the Microsoft article, this is the chain of events from a high-level perspective:\r\n1. Initial Access (On-Prem) – Use forged SAML tokens and illegitimate registrations of SAML trust relationships to impersonate a user with administrative credentials (in this case, Azure AD).\r\n2. Discovery – Enumerate existing applications / service principals (preferably with high traffic patterns).\r\n3. Credential Access – Add credentials to an existing application or service principal.\r\n4. Privilege Escalation – Elevate the privileges of the application/service principal to allow access to MS Graph API Application permissions.\r\n5. Defense Evasion and Lateral Movement – Acquire OAuth access tokens for applications to impersonate the applications and obfuscate malicious activity.\r\n6. Exfiltration – Call MS Graph APIs to exfiltrate sensitive data such as users’ data and emails.\r\nhttps://research.checkpoint.com/2021/deep-into-the-sunburst-attack/\r\nPage 1 of 8\r\nAs mentioned previously, our focus is on the attack flow in the cloud environment after the initial authentication (i.e. steps 2-6 above).\r\nBefore we go into the attack flow, some background on the Azure AD authentication and authorization mechanisms.\r\nAuthentication is providing proof that you are who you say you are. This is done by the Identity Provider, i.e. Azure AD.\r\nAuthorization is the act of granting an authenticated party permission to do something. This is done by the resource the identity is trying to query, utilizing the OAuth 2.0 protocol.\r\nDiscovery\r\nAfter the threat actors gain an initial foothold in the cloud environment by compromising privileged cloud users with administrative access to the Azure AD, they add credentials to an existing application or service principal. To do that, the attackers first need to list all the existing applications:\r\nThe attackers prefer an application with high traffic patterns (e.g. mail archival applications) which can be used to obfuscate their activity, so they choose “MailApp” (an imaginary application name) and extract its ObjectId and ApplicationId:\r\nIn addition, the attackers extract the account’s tenantId:\r\nCredential Access\r\nNext, the attackers create new credentials and add them to the application:\r\nAlternatively, they can create new credentials and add them to an existing service principal associated with the MailApp application:\r\nAfter this phase, the attackers have credentials for the application, which can be used to authenticate to Azure AD on behalf of the application.\r\nApplication/Service-principal Privilege Escalation\r\nIn this step, the attackers list all the available permissions related to Microsoft Graph APIs:\r\nThe attackers add the User.ReadWrite.All permission to the MailApp application:\r\nAfterward, the attackers list all the available permissions related to Mail that are associated with the Microsoft Graph API:\r\nThey also add the Mail.ReadWrite permission to the MailApp application:\r\nThe error in red indicates that an admin consent must be launched to approve this permission.\r\nThe admin consent workflow gives admins a secure way to grant access to applications that require admin approval. When a user tries to access an application but is unable to provide consent, they can send a request for admin approval. The request is sent to admins who are designated as reviewers.\r\nAs the attackers already have administrative permissions, they can launch an admin consent on their own:\r\nThe admin consent is successful and the Microsoft Graph API permissions are successfully added to the MailApp application!\r\nDefense Evasion and Lateral Movement\r\nThe next step for the attackers is to acquire an OAuth access token for the application by initiating an HTTP GET request which includes the tenantId, objectId, appId and the secret (credentials) obtained earlier:\r\nThis access token enables the attackers to move laterally, impersonate the MailApp application, and execute actions on its behalf.\r\nExfiltration\r\nIn the final step, the attackers call APIs with permissions assigned to the MailApp application.\r\nThe attackers initiate an HTTP GET request which includes the access token to exfiltrate all users in the tenant and all emails related to a specific user.\r\nUsers exfiltration\r\nEmails exfiltration\r\nEmails’ subjects exfiltration\r\nConclusion\r\nThe SolarWinds supply-chain attack is one of the most sophisticated attacks of our time. The scope of the attack extends beyond on-prem to the cloud. The attackers used advanced techniques to cover their tracks while they stole sensitive information, and used discovery, credential access, privilege escalation, lateral movement, defense evasion, and exfiltration in a single attack flow.\r\nMany of the characteristics and operations seen in this type of attack can also apply to other cloud providers such as AWS and GCP.\r\nThe number of victims compromised by SunBurst continues to rise since the attack was initially uncovered. We will update with any new information as more details concerning this attack emerge.\r\nSource: https://research.checkpoint.com/2021/deep-into-the-sunburst-attack/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://research.checkpoint.com/2021/deep-into-the-sunburst-attack/"
	],
	"report_names": [
		"deep-into-the-sunburst-attack"
	],
	"threat_actors": [],
	"ts_created_at": 1776912859,
	"ts_updated_at": 1777083531,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/00f81d390530cb968334ac361a74e14208374c0b.pdf",
		"text": "https://archive.orkl.eu/00f81d390530cb968334ac361a74e14208374c0b.txt",
		"img": "https://archive.orkl.eu/00f81d390530cb968334ac361a74e14208374c0b.jpg"
	}
}