{
	"id": "61d1a72d-ab85-4663-8876-b6f2bbb8f0a0",
	"created_at": "2026-04-06T00:06:30.953515Z",
	"updated_at": "2026-04-10T13:12:08.089524Z",
	"deleted_at": null,
	"sha1_hash": "0f7392db49b5a12b49781c90ee46257aaff91db9",
	"title": "Autodesk reveals it was targeted by Russian SolarWinds hackers",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1088158,
	"plain_text": "Autodesk reveals it was targeted by Russian SolarWinds hackers\r\nBy Sergiu Gatlan\r\nPublished: 2021-09-02 · Archived: 2026-04-05 17:32:19 UTC\r\nAutodesk has confirmed that it was also targeted by the Russian state hackers behind the large-scale SolarWinds Orion\r\nsupply-chain attack, almost nine months after discovering that one of its servers was backdoored with Sunburst malware.\r\nThe US software and services company provides millions of customers from the design, engineering, and construction\r\nsectors with CAD (computer-aided design), drafting, and 3D modeling tools.\r\n\"We identified a compromised SolarWinds server and promptly took steps to contain and remediate the incidents,\" Autodesk\r\nsaid in a recent 10-Q SEC filing.\r\n\"While we believe that no customer operations or Autodesk products were disrupted as a result of this attack, other, similar\r\nattacks could have a significant negative impact on our systems and operations.\"\r\nAn Autodesk spokesperson told BleepingComputer that the attackers did not deploy any other malware besides the Sunburst\r\nbackdoor, likely because it was not selected for second stage exploitation or the threat actors didn't act quickly enough\r\nbefore they were detected.\r\n\"Autodesk identified a compromised SolarWinds server on December 13. 
Soon after, the server was isolated, logs were\r\ncollected for forensic analysis, and the software patch was applied,\" the spokesperson said.\r\n\"Autodesk’s Security team has concluded their investigation and observed no malicious activity beyond the initial software\r\ninstallation.\"\r\nOne of many tech companies breached in a large-scale hacking spree\r\nThe supply-chain attack that led to SolarWinds's infrastructure getting breached was coordinated by the hacking division of\r\nthe Russian Foreign Intelligence Service (aka APT29, The Dukes, or Cozy Bear).\r\nAfter gaining access to the company's internal systems, the attackers trojanized the Orion Software Platform source code and\r\nbuilds released between March 2020 and June 2020.\r\nThese malicious builds were later used to deliver a backdoor tracked as Sunburst to \"fewer than 18,000,\" but, luckily, the\r\nthreat actors only picked a substantially lower number of targets for second-stage exploitation.\r\nAs a direct result of this supply-chain attack, the Russian state hackers gained access to the networks of multiple US federal\r\nagencies and private tech sector firms.\r\nBefore the attack was disclosed, SolarWinds said it had 300,000 customers worldwide [1, 2], including over 425 US Fortune\r\n500 companies, all top ten US telecom companies.\r\nThe company's customer list also included a long list of govt agencies (the US Military, the US Pentagon, the State\r\nDepartment, NASA, NSA, Postal Service, NOAA, the US Department of Justice, and the Office of the President of the\r\nUnited States).\r\nAt the end of July, the US Department of Justice was the latest US government entity to disclose that 27 US Attorneys'\r\noffices were breached during last year's SolarWinds global hacking spree.\r\nSolarWinds has reported expenses of $3.5 million from dealing with last year's supply-chain attack in March 2021, including\r\nremediation and incident investigation 
costs.\r\nSource: https://www.bleepingcomputer.com/news/security/autodesk-reveals-it-was-targeted-by-russian-solarwinds-hackers/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://www.bleepingcomputer.com/news/security/autodesk-reveals-it-was-targeted-by-russian-solarwinds-hackers/"
	],
	"report_names": [
		"autodesk-reveals-it-was-targeted-by-russian-solarwinds-hackers"
	],
	"threat_actors": [
		{
			"id": "5b748f86-ac32-4715-be9f-6cf25ae48a4e",
			"created_at": "2024-06-04T02:03:07.956135Z",
			"updated_at": "2026-04-10T02:00:03.689959Z",
			"deleted_at": null,
			"main_name": "IRON HEMLOCK",
			"aliases": [
				"APT29 ",
				"ATK7 ",
				"Blue Kitsune ",
				"Cozy Bear ",
				"The Dukes",
				"UNC2452 ",
				"YTTRIUM "
			],
			"source_name": "Secureworks:IRON HEMLOCK",
			"tools": [
				"CosmicDuke",
				"CozyCar",
				"CozyDuke",
				"DiefenDuke",
				"FatDuke",
				"HAMMERTOSS",
				"LiteDuke",
				"MiniDuke",
				"OnionDuke",
				"PolyglotDuke",
				"RegDuke",
				"RegDuke Loader",
				"SeaDuke",
				"Sliver"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "a241a1ca-2bc9-450b-a07b-aae747ee2710",
			"created_at": "2024-06-19T02:03:08.150052Z",
			"updated_at": "2026-04-10T02:00:03.737173Z",
			"deleted_at": null,
			"main_name": "IRON RITUAL",
			"aliases": [
				"APT29",
				"Blue Dev 5 ",
				"BlueBravo ",
				"Cloaked Ursa ",
				"CozyLarch ",
				"Dark Halo ",
				"Midnight Blizzard ",
				"NOBELIUM ",
				"StellarParticle ",
				"UNC2452 "
			],
			"source_name": "Secureworks:IRON RITUAL",
			"tools": [
				"Brute Ratel C4",
				"Cobalt Strike",
				"EnvyScout",
				"GoldFinder",
				"GoldMax",
				"NativeZone",
				"RAINDROP",
				"SUNBURST",
				"Sibot",
				"TEARDROP",
				"VaporRage"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "46b3c0fc-fa0c-4d63-a38a-b33a524561fb",
			"created_at": "2023-01-06T13:46:38.393409Z",
			"updated_at": "2026-04-10T02:00:02.955738Z",
			"deleted_at": null,
			"main_name": "APT29",
			"aliases": [
				"Cloaked Ursa",
				"TA421",
				"Blue Kitsune",
				"BlueBravo",
				"IRON HEMLOCK",
				"G0016",
				"Nobelium",
				"Group 100",
				"YTTRIUM",
				"Grizzly Steppe",
				"ATK7",
				"ITG11",
				"COZY BEAR",
				"The Dukes",
				"Minidionis",
				"UAC-0029",
				"SeaDuke"
			],
			"source_name": "MISPGALAXY:APT29",
			"tools": [
				"SNOWYAMBER",
				"HALFRIG",
				"QUARTERRIG"
			],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "20d3a08a-3b97-4b2f-90b8-92a89089a57a",
			"created_at": "2022-10-25T15:50:23.548494Z",
			"updated_at": "2026-04-10T02:00:05.292748Z",
			"deleted_at": null,
			"main_name": "APT29",
			"aliases": [
				"APT29",
				"IRON RITUAL",
				"IRON HEMLOCK",
				"NobleBaron",
				"Dark Halo",
				"NOBELIUM",
				"UNC2452",
				"YTTRIUM",
				"The Dukes",
				"Cozy Bear",
				"CozyDuke",
				"SolarStorm",
				"Blue Kitsune",
				"UNC3524",
				"Midnight Blizzard"
			],
			"source_name": "MITRE:APT29",
			"tools": [
				"PinchDuke",
				"ROADTools",
				"WellMail",
				"CozyCar",
				"Mimikatz",
				"Tasklist",
				"OnionDuke",
				"FatDuke",
				"POSHSPY",
				"EnvyScout",
				"SoreFang",
				"GeminiDuke",
				"reGeorg",
				"GoldMax",
				"FoggyWeb",
				"SDelete",
				"PolyglotDuke",
				"AADInternals",
				"MiniDuke",
				"SeaDuke",
				"Sibot",
				"RegDuke",
				"CloudDuke",
				"GoldFinder",
				"AdFind",
				"PsExec",
				"NativeZone",
				"Systeminfo",
				"ipconfig",
				"Impacket",
				"Cobalt Strike",
				"PowerDuke",
				"QUIETEXIT",
				"HAMMERTOSS",
				"BoomBox",
				"CosmicDuke",
				"WellMess",
				"VaporRage",
				"LiteDuke"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "f27790ff-4ee0-40a5-9c84-2b523a9d3270",
			"created_at": "2022-10-25T16:07:23.341684Z",
			"updated_at": "2026-04-10T02:00:04.549917Z",
			"deleted_at": null,
			"main_name": "APT 29",
			"aliases": [
				"APT 29",
				"ATK 7",
				"Blue Dev 5",
				"BlueBravo",
				"Cloaked Ursa",
				"CloudLook",
				"Cozy Bear",
				"Dark Halo",
				"Earth Koshchei",
				"G0016",
				"Grizzly Steppe",
				"Group 100",
				"ITG11",
				"Iron Hemlock",
				"Iron Ritual",
				"Midnight Blizzard",
				"Minidionis",
				"Nobelium",
				"NobleBaron",
				"Operation Ghost",
				"Operation Office monkeys",
				"Operation StellarParticle",
				"SilverFish",
				"Solar Phoenix",
				"SolarStorm",
				"StellarParticle",
				"TEMP.Monkeys",
				"The Dukes",
				"UNC2452",
				"UNC3524",
				"Yttrium"
			],
			"source_name": "ETDA:APT 29",
			"tools": [
				"7-Zip",
				"ATI-Agent",
				"AdFind",
				"Agentemis",
				"AtNow",
				"BEATDROP",
				"BotgenStudios",
				"CEELOADER",
				"Cloud Duke",
				"CloudDuke",
				"CloudLook",
				"Cobalt Strike",
				"CobaltStrike",
				"CosmicDuke",
				"Cozer",
				"CozyBear",
				"CozyCar",
				"CozyDuke",
				"Danfuan",
				"EnvyScout",
				"EuroAPT",
				"FatDuke",
				"FoggyWeb",
				"GeminiDuke",
				"Geppei",
				"GoldFinder",
				"GoldMax",
				"GraphDrop",
				"GraphicalNeutrino",
				"GraphicalProton",
				"HAMMERTOSS",
				"HammerDuke",
				"LOLBAS",
				"LOLBins",
				"LiteDuke",
				"Living off the Land",
				"MagicWeb",
				"Mimikatz",
				"MiniDionis",
				"MiniDuke",
				"NemesisGemina",
				"NetDuke",
				"OnionDuke",
				"POSHSPY",
				"PinchDuke",
				"PolyglotDuke",
				"PowerDuke",
				"QUIETEXIT",
				"ROOTSAW",
				"RegDuke",
				"Rubeus",
				"SNOWYAMBER",
				"SPICYBEAT",
				"SUNSHUTTLE",
				"SeaDaddy",
				"SeaDask",
				"SeaDesk",
				"SeaDuke",
				"Sharp-SMBExec",
				"SharpView",
				"Sibot",
				"Solorigate",
				"SoreFang",
				"TinyBaron",
				"WINELOADER",
				"WellMail",
				"WellMess",
				"cobeacon",
				"elf.wellmess",
				"reGeorg",
				"tDiscoverer"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775433990,
	"ts_updated_at": 1775826728,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/0f7392db49b5a12b49781c90ee46257aaff91db9.pdf",
		"text": "https://archive.orkl.eu/0f7392db49b5a12b49781c90ee46257aaff91db9.txt",
		"img": "https://archive.orkl.eu/0f7392db49b5a12b49781c90ee46257aaff91db9.jpg"
	}
}