{
	"id": "9d7abe9b-3259-49a3-ae0e-06d650ff1eab",
	"created_at": "2026-04-06T01:29:16.484973Z",
	"updated_at": "2026-04-10T03:20:41.317383Z",
	"deleted_at": null,
	"sha1_hash": "059e5f3de232cde03d576ce926610a86f5fd966c",
	"title": "The Hitchhiker’s Guide to SolarWinds Incident Response | Zscaler",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 79518,
	"plain_text": "The Hitchhiker’s Guide to SolarWinds Incident Response | Zscaler\r\nBy Bryan Lee\r\nPublished: 2020-12-22 · Archived: 2026-04-06 00:10:24 UTC\r\nOn December 13, 2020, multiple security vendors in conjunction with CISA disclosed a software supply-chain\r\nattack involving the SolarWinds Orion platform. The disclosure detailed the activities of an advanced persistent\r\nthreat (APT) adversary that was able to gain access to SolarWinds systems to create trojanized updates to the\r\nOrion platform between March 2020 and possibly as recently as December 2020. The trojanized updates included\r\na custom, digitally signed backdoor called SUNBURST. SolarWinds Orion is a widely used network infrastructure\r\nmonitoring and management platform with a reported customer base of over 18,000. The following versions may\r\nbe affected:\r\nOrion Platform 2019.4 HF5, version 2019.4.5200.9083\r\nOrion Platform 2020.2 RC1, version 2020.2.100.12219\r\nOrion Platform 2020.2 RC2, version 2020.2.5200.12394\r\nOrion Platform 2020.2, 2020.2 HF1, version 2020.2.5300.12432\r\nAt this time, the full scope of the attack remains under investigation. What is known is that the attack was\r\nexecuted by a truly sophisticated adversary with a deep understanding of operational security and complex\r\ntradecraft. Based on publicly available data, this adversary demonstrated significant efforts to evade, obfuscate,\r\nand clean up using techniques such as steganography, fingerprinting of both target systems and analysis systems,\r\nrotating infrastructure with a focus on geolocation proximity, and executing code in memory as much as possible.\r\nThese techniques, in combination with using a digitally signed component of a trusted software platform as the\r\ninitial infection vector, are indicative of a highly skilled and covert adversary willing to expend resources to\r\nassure the success of their operation. 
\r\nZscaler suggests that all organizations should take several immediate actions, described below, in addition to\r\nreviewing the existing security policies and best practices available to Zscaler customers.\r\nThese actions are recommended for any organization that may be impacted by the SolarWinds event. They are not\r\nintended to be a comprehensive guide to all actions that an organization may take, and each organization should\r\nperform its own due diligence to assess impact and risk.\r\n\r\nInvestigation\r\nOrganizations should immediately identify all systems that may have SolarWinds Orion installed. Once the\r\nsystems are identified, the version should be checked against the list of impacted versions. Depending on the\r\nversion(s) installed, additional responses may be required. Even if a version is not found on the\r\nimpacted version list, it may be prudent to perform cursory checks to confirm there is no impact to the\r\norganization.\r\nhttps://www.zscaler.com/blogs/security-research/hitchhikers-guide-solarwinds-incident-response\r\nPage 1 of 5\n\nIf an affected version of Orion is found, that system should be immediately taken offline and all network traffic\r\nblocked inbound and outbound. Any system or user accounts associated with the affected system should be\r\ndisabled and reviewed for legitimacy as well as access. If possible, a forensic image of the affected system should\r\nalso be collected.\r\nNetwork activity\r\nBased on public reporting, a SolarWinds Orion system affected by this event—meaning that the SUNBURST\r\nbackdoor had been successfully installed—would begin network communication to its first-stage command and\r\ncontrol (C\u0026C) server at avsvmcloud[.]com. While this activity does indicate that the affected system was within\r\nthe target radius of the attack, it does not confirm additional compromise or post-exploitation actions. 
Zscaler\r\nInternet Access (ZIA) customers may be able to perform this search within the DNS Insights or Web Insights area\r\nin the portal, or within the log aggregator/SIEM of choice where ZIA logs are sent. This data will however be\r\nlimited to systems that have their network traffic routed to ZIA.\r\nThe following network indicators may be used to perform a sweep for a timeframe extending back to March 2020\r\nor further to discover possible compromised systems (note: additional indicators may be discovered as additional\r\ndata is disclosed).\r\nAll other internet-bound destinations from the Orion system should also be examined. Additionally, all network\r\nactivity originating from SolarWinds Orion systems to other internal systems should be reviewed for potential\r\nlateral movement. This may prove challenging as most Orion deployments likely allow it to have privileged\r\naccess across the network to a variety of systems. However, it may be possible to carve out a smaller set of data to\r\ninitially analyze by suppressing known-good or expected behaviors from the potentially affected Orion system.\r\nEndpoint\r\nThe SUNBURST backdoor is a digitally signed DLL file with a specific filename and hash. 
The existence of this\r\nfile on an Orion server is indicative that the adversary was able to gain unauthorized access to the system.\r\nAdditional post-exploitation behaviors may have been performed by the adversary, indicating a successful\r\nintrusion. The following indicators and behaviors may assist in confirming a compromise.\r\nMD5 hashes\r\nb91ce2fa41029f6955bff20079468448\r\nd5aad0d248c237360cf39c054b654d69\r\n2c4a910a1299cdae2a4e55988a2f102e\r\n846e27a652a5e1bfbd0ddd38a16dc865\r\nFilename\r\nSolarWinds.Orion.Core.BusinessLayer.dll\r\nBehaviors\r\nModification of system tasks\r\ndelete-create-execute-delete-create directory action pattern\r\nNewly created or unknown local user accounts\r\nExistence or evidence of usage of Adfind.exe\r\nSigns of cmd.exe or rundll32.exe spawned from solarwinds.businesslayerhost.exe\r\nExistence of unknown and/or very broad email forwarding/deleting rules on the email gateway\r\nUser account activity\r\nOnce SUNBURST has been deployed, the adversary will most likely begin to perform reconnaissance actions\r\nusing the privileges of the Orion system and explore what is available in terms of additional assets to compromise\r\nor actions to take. The following behaviors may have been observed on the affected Orion system or other systems\r\nthat have had communication with the affected system.\r\nAnomalous logins or repeated failed authentication to internal systems\r\nLogins from unknown or unrecognized external sources to internal systems\r\nExtremely long duration tokens, which may indicate malicious activity (examine SAML tokens for\r\nduration)\r\nZscaler is here to help\r\nAs described in our ThreatLabZ blog post, Zscaler immediately deployed protections to all customers and\r\ncontinues to deploy additional protections and countermeasures as more information becomes available. 
In\r\naddition, as we had disclosed in our Trust Advisory, Zscaler was not impacted by this event. This may, however,\r\nbe an opportunity for organizations to reassess their security policies and confirm alignment with documented best\r\npractices and recommended policies as described within our documentation, which covers recommendations, such\r\nas:\r\nEnable SSL inspection where possible | SSL Best Practice Guide\r\nEnable Advanced Threat Protection (ATP) and its associated features | Recommended Policy\r\nEnable Advanced Cloud Sandbox with AI-Driven Quarantine | Recommended Policy\r\nEnable Advanced Cloud Firewall with Cloud IPS | Recommended Policy\r\nEnable Cloud Browser Isolation where possible | About Cloud Browser Isolation\r\nRestrict access to specific URL categories with legitimate business use cases | Recommended Policy\r\nRestrict access to specific file-types with legitimate business use cases | Recommended Policy\r\nConfigure DNS Control | About DNS Control\r\nRequest your complimentary SolarWinds security assessment\r\nZscaler has your back. Engage with our security experts to gain insight into the SolarWinds attacks and get hands-on best practices guidance to better protect your users, applications, and systems: zscaler.com/solarwinds-cyberattack\r\nSource: https://www.zscaler.com/blogs/security-research/hitchhikers-guide-solarwinds-incident-response",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://www.zscaler.com/blogs/security-research/hitchhikers-guide-solarwinds-incident-response"
	],
	"report_names": [
		"hitchhikers-guide-solarwinds-incident-response"
	],
	"threat_actors": [],
	"ts_created_at": 1775438956,
	"ts_updated_at": 1775791241,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/059e5f3de232cde03d576ce926610a86f5fd966c.pdf",
		"text": "https://archive.orkl.eu/059e5f3de232cde03d576ce926610a86f5fd966c.txt",
		"img": "https://archive.orkl.eu/059e5f3de232cde03d576ce926610a86f5fd966c.jpg"
	}
}