{
	"id": "25b948b2-24e2-4921-956b-738e30ee136d",
	"created_at": "2026-04-06T02:11:53.22706Z",
	"updated_at": "2026-04-10T03:37:33.04432Z",
	"deleted_at": null,
	"sha1_hash": "248f6cd98fd79af01c822eb8d4f6608f8334505a",
	"title": "Advanced Persistent Threat Compromise of Government Agencies, Critical Infrastructure, and Private Sector Organizations | CISA",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 244605,
	"plain_text": "Advanced Persistent Threat Compromise of Government Agencies,\r\nCritical Infrastructure, and Private Sector Organizations | CISA\r\nPublished: 2021-04-15 · Archived: 2026-04-06 01:29:27 UTC\r\nSummary\r\nUpdated April 15, 2021: The U.S. Government attributes this activity to the Russian Foreign Intelligence Service (SVR).\r\nAdditional information may be found in a statement from the White House. For more information on SolarWinds-related\r\nactivity, go to https://us-cert.cisa.gov/remediating-apt-compromised-networks and https://www.cisa.gov/supply-chain-compromise.\r\nThe Cybersecurity and Infrastructure Security Agency (CISA) is aware of compromises of U.S. government agencies,\r\ncritical infrastructure entities, and private sector organizations by an advanced persistent threat (APT) actor beginning in at\r\nleast March 2020. This APT actor has demonstrated patience, operational security, and complex tradecraft in these\r\nintrusions. CISA expects that removing this threat actor from compromised environments will be highly complex and\r\nchallenging for organizations.\r\n(Updated January 6, 2021): One of the initial access vectors for this activity is a supply chain compromise of a Dynamic\r\nLink Library (DLL) in the following SolarWinds Orion products (see Appendix A). Note: prior versions of this Alert\r\nincluded a single bullet that listed two platform versions for the same DLL. 
For clarity, the Alert now lists these platform\r\nversions that share the same DLL version number separately, as both are considered affected versions.\r\nOrion Platform 2019.4 HF5, version 2019.4.5200.9083\r\nOrion Platform 2020.2 RC1, version 2020.2.100.12219\r\nOrion Platform 2020.2 RC2, version 2020.2.5200.12394\r\nOrion Platform 2020.2, version 2020.2.5300.12432\r\nOrion Platform 2020.2 HF1, version 2020.2.5300.12432\r\nNote (updated January 6, 2021): CISA has evidence that there are initial access vectors other than the SolarWinds Orion\r\nplatform and has identified legitimate account abuse as one of these vectors (for details refer to Initial Access Vectors\r\nsection). Specifically, we are investigating incidents in which activity indicating abuse of Security Assertion Markup\r\nLanguage (SAML) tokens consistent with this adversary’s behavior is present, yet where impacted SolarWinds instances\r\nhave not been identified. CISA is continuing to work to confirm initial access vectors and identify any changes to the tactics,\r\ntechniques, and procedures (TTPs). CISA will update this Alert as new information becomes available. Refer to\r\nCISA.gov/supply-chain-compromise for additional resources.\r\n(Updated January 6, 2021): On December 13, 2020, CISA released Emergency Directive 21-01: Mitigate SolarWinds Orion\r\nCode Compromise, ordering federal civilian executive branch departments and agencies to disconnect affected devices.\r\nCISA has subsequently issued supplemental guidance to Emergency Directive (ED) 21-01, most recently on January 6,\r\n2021. Note: this Activity Alert does not supersede the requirements of ED 21-01 or any supplemental guidance and does not\r\nrepresent formal guidance to federal agencies under ED 21-01.\r\nCISA has determined that this threat poses a grave risk to the Federal Government and state, local, tribal, and territorial\r\ngovernments as well as critical infrastructure entities and other private sector organizations. 
CISA advises stakeholders to\r\nread this Alert and review the enclosed indicators (see Appendix B).\r\nKey Takeaways (updated December 18, 2020)\r\nThis is a patient, well-resourced, and focused adversary that has sustained long duration activity on victim networks.\r\nCISA is investigating other initial access vectors in addition to the SolarWinds Orion supply chain compromise.\r\nNot all organizations that have the backdoor delivered through SolarWinds Orion have been targeted by the adversary\r\nwith follow-on actions.\r\nOrganizations with suspected compromises need to be highly conscious of operational security, including when\r\nengaging in incident response activities and planning and implementing remediation plans. \r\n(Updated January 8, 2021) For a downloadable list of indicators of compromise (IOCs), see the STIX file.\r\n(Updated April 15, 2021) See the following Malware Analysis Reports (MARs) for additional technical details and\r\nassociated IOCs:\r\nAR21-039A: MAR-10318845-1.v1 - SUNBURST\r\nAR21-039B: MAR-10320115-1.v1 - TEARDROP\r\nAR21-105A: MAR-10327841-1.v1 – SUNSHUTTLE\r\nTechnical Details\r\nhttps://www.cisa.gov/news-events/cybersecurity-advisories/aa20-352a\r\nPage 1 of 14\n\nOverview\r\nCISA is aware of compromises, which began at least as early as March 2020, at U.S. government agencies, critical\r\ninfrastructure entities, and private sector organizations by an APT actor. This threat actor has demonstrated sophistication\r\nand complex tradecraft in these intrusions. CISA expects that removing the threat actor from compromised environments\r\nwill be highly complex and challenging. This adversary has demonstrated an ability to exploit software supply chains and\r\nshown significant knowledge of Windows networks. It is likely that the adversary has additional initial access vectors and\r\nTTPs that have not yet been discovered. 
CISA will continue to update this Alert and the corresponding IOCs as new\r\ninformation becomes available.\r\nInitial Infection Vectors [TA0001 ]\r\n(Updated January 6, 2021): CISA is investigating incidents that exhibit adversary TTPs consistent with this activity,\r\nincluding some where victims either do not leverage SolarWinds Orion or where SolarWinds Orion was present but where\r\nthere was no SolarWinds exploitation activity observed. CISA incident response investigations have identified that initial\r\naccess in some cases was obtained by password guessing [T1110.001 ], password spraying [T1110.003 ], and\r\ninappropriately secured administrative credentials [T1078 ] accessible via external remote access services [T1133 ].\r\nInitial access root cause analysis is still ongoing in a number of response activities and CISA will update this section as\r\nadditional initial vectors are identified.\r\nVolexity has also reported publicly that they observed the APT using a secret key that the APT previously stole in order to\r\ngenerate a cookie to bypass the Duo multi-factor authentication (MFA) protecting access to Outlook Web App (OWA).[1 ]\r\nVolexity attributes this intrusion to the same activity as the SolarWinds Orion supply chain compromise, and the TTPs are\r\nconsistent between the two. This observation indicates that there are other initial access vectors beyond SolarWinds Orion,\r\nand there may still be others that are not yet known.\r\nSolarWinds Orion Supply Chain Compromise [T1195.002 ]\r\nSolarWinds Orion is an enterprise network management software suite that includes performance and application monitoring\r\nand network configuration management along with several different types of analyzing tools. SolarWinds Orion is used to\r\nmonitor and manage on-premises and hosted infrastructures. 
To provide SolarWinds Orion with the necessary visibility into\r\nthis diverse set of technologies, it is common for network administrators to configure SolarWinds Orion with pervasive\r\nprivileges, making it a valuable target for adversary activity.\r\nThe threat actor has been observed leveraging a software supply chain compromise of SolarWinds Orion products[2 ] (see\r\nAppendix A). The adversary added a malicious version of the binary solarwinds.orion.core.businesslayer.dll into the\r\nSolarWinds software lifecycle, which was then signed by the legitimate SolarWinds code signing certificate. This binary,\r\nonce installed, calls out to a victim-specific avsvmcloud[.]com domain using a protocol designed to mimic legitimate\r\nSolarWinds protocol traffic. After the initial check-in, the adversary can use the Domain Name System (DNS) response to\r\nselectively send back new domains or IP addresses for interactive command and control (C2) traffic. Consequently, entities\r\nthat observe traffic from their SolarWinds Orion devices to avsvmcloud[.]com should not immediately conclude that the\r\nadversary leveraged the SolarWinds Orion backdoor. Instead, additional investigation is needed into whether the SolarWinds\r\nOrion device engaged in further unexplained communications. If additional Canonical Name record (CNAME) resolutions\r\nassociated with the avsvmcloud[.]com domain are observed, possible additional adversary action leveraging the backdoor\r\nhas occurred.\r\nBased on coordinated actions by multiple private sector partners, as of December 15, 2020, avsvmcloud[.]com resolves to\r\n20.140.0[.]1 , which is an IP address on the Microsoft blocklist. This negates any future use of the implants and would\r\nhave caused communications with this domain to cease. 
In the case of infections where the attacker has already moved C2\r\npast the initial beacon, infection will likely continue notwithstanding this action.\r\nSolarWinds Orion typically leverages a significant number of highly privileged accounts and access to perform normal\r\nbusiness functions. Successful compromise of one of these systems can therefore enable further action and privileges in any\r\nenvironment where these accounts are trusted.\r\nAnti-Forensic Techniques\r\nThe adversary is making extensive use of obfuscation to hide their C2 communications. The adversary is using virtual\r\nprivate servers (VPSs), often with IP addresses in the home country of the victim, for most communications to hide their\r\nactivity among legitimate user traffic. The attackers also frequently rotate their “last mile” IP addresses to different\r\nendpoints to obscure their activity and avoid detection.\r\nFireEye has reported that the adversary is using steganography (Obfuscated Files or Information: Steganography\r\n[T1027.003 ]) to obscure C2 communications.[3 ] This technique negates many common defensive capabilities in\r\ndetecting the activity. Note: CISA has not yet been able to independently confirm the adversary’s use of this technique.\r\nAccording to FireEye, the malware also checks for a list of hard-coded IPv4 and IPv6 addresses—including RFC-reserved\r\nIPv4 and IPv6 addresses—in an attempt to detect if the malware is executed in an analysis environment (e.g., a malware analysis\r\nsandbox); if so, the malware will stop further execution. 
Additionally, FireEye analysis identified that the backdoor\r\nimplemented time threshold checks to ensure that there are unpredictable delays between C2 communication attempts,\r\nfurther frustrating traditional network-based analysis.\r\nWhile not a full anti-forensic technique, the adversary is heavily leveraging compromised or spoofed tokens for accounts for\r\nlateral movement. This will frustrate commonly used detection techniques in many environments. Since valid, but\r\nunauthorized, security tokens and accounts are utilized, detecting this activity will require the maturity to identify actions\r\nthat are outside of a user’s normal duties. For example, it is unlikely that an account associated with the HR department\r\nwould need to access the cyber threat intelligence database.\r\nTaken together, these observed techniques indicate an adversary who is skilled, stealthy with operational security, and is\r\nwilling to expend significant resources to maintain covert presence.\r\nPrivilege Escalation and Persistence [TA0004 , TA0003 ]\r\n(Updated January 6, 2021): The adversary has been observed using multiple persistence mechanisms across a variety of\r\nintrusions. CISA has observed the threat actor adding authentication credentials, in the form of assigning tokens and\r\ncertificates, to existing Azure/Microsoft 365 (M365) application service principals. 
These additional credentials provide\r\npersistence and escalation mechanisms and a programmatic method of interacting with the Microsoft Cloud tenants (often\r\nwith Microsoft Graph Application Programming Interface [API]) to access hosted resources without significant evidence or\r\ntelemetry being generated.\r\n(Updated January 6, 2021): Microsoft reported that the actor has added new federation trusts to existing on-premises\r\ninfrastructure, a technique that CISA believes was utilized by a threat actor in an incident to which CISA has responded.\r\nWhere this technique is used, it is possible that authentication can occur outside of an organization’s known infrastructure\r\nand may not be visible to the legitimate system owner. Microsoft has released a query to help identify this activity, as well as\r\na Sentinel detection for identifying changes to the identity federation from a user or application.[4]\r\nUser Impersonation\r\n(Updated January 6, 2021): The adversary’s initial objectives, as understood today, appear to be to collect information from\r\nvictim environments. One method the adversary is accomplishing this objective is by compromising the SAML signing\r\ncertificate using their escalated Active Directory privileges. Once this is accomplished, the adversary creates unauthorized\r\nbut valid tokens and presents them to services that trust SAML tokens from the environment. These tokens can then be used\r\nto access resources in hosted environments, such as email, for data exfiltration via authorized APIs. 
During the persistence\r\nphase, the additional credentials being attached to service principals obfuscates the activity of user objects, because they\r\nappear to be accessed by the individual, and such individual access is normal and not logged in all M365 licensing levels.\r\nCISA has observed in its incident response work adversaries targeting email accounts belonging to key personnel, including\r\nIT and incident response personnel.\r\nThese are some key functions and systems that commonly use SAML.\r\nHosted email services\r\nHosted business intelligence applications\r\nTravel systems\r\nTimecard systems\r\nFile storage services (such as SharePoint and OneDrive)\r\n(New January 6, 2021): Detection: Identifying Compromised Azure/M365 Resources\r\nCISA created Sparrow.ps1[5 ] to help detect possible compromised accounts and applications in the Azure/M365\r\nenvironment. Sparrow is intended for use by incident responders and focuses on the narrow scope of user and application\r\nactivity endemic to identity- and authentication-based attacks seen recently in multiple sectors. It is neither comprehensive\r\nnor exhaustive of available data and is intended to narrow a larger set of available investigation modules and telemetry to\r\nthose specific to recent intrusions on federated identity sources and applications. Sparrow can be found on CISA’s GitHub\r\npage at https://github.com/cisagov/Sparrow .\r\nDetection: Impossible Logins\r\nThe adversary is using a complex network of IP addresses to obscure their activity, which can result in a detection\r\nopportunity referred to as “impossible travel.” Impossible travel occurs when a user logs in from multiple IP addresses that\r\nare a significant geographic distance apart (i.e., a person could not realistically travel between the geographic locations of\r\nthe two IP addresses during the time period between the logins). 
Note: implementing this detection opportunity can result in\r\nfalse positives if legitimate users apply virtual private network (VPN) solutions before connecting into networks.\r\nDetection: Impossible Tokens\r\nThe following conditions may indicate adversary activity.\r\n(Updated January 6, 2021): Most organizations have SAML tokens with 1-hour validity periods. Long SAML token\r\nvalidity durations, such as 24 hours, could be unusual. Exact values (measured in precise seconds) are also considered\r\nunusual.\r\nThe SAML token contains different timestamps, including the time it was issued and the last time it was used. A\r\ntoken having the same timestamp for when it was issued and when it was used is not indicative of normal user\r\nbehavior as users tend to use the token within a few seconds but not at the exact same time of issuance.\r\nA token that does not have an associated login with its user account within an hour of the token being generated also\r\nwarrants investigation.\r\n(New January 6, 2021): Tokens with missing or unusual MFA details, when MFA is enforced, are considered an\r\nanomaly and should be investigated. This requires correlation of identity provider (IdP) logs with cloud access;\r\ndifferences in claims indicate manipulated values. All claims should have a corresponding IdP entry.\r\n(New December 21, 2020): see the National Security Agency (NSA) Cybersecurity Advisory: Detecting Abuse of\r\nAuthentication Mechanisms for additional detection methods as well as mitigation recommendations.\r\nOperational Security\r\nDue to the nature of this pattern of adversary activity—and the targeting of key personnel, incident response staff, and IT\r\nemail accounts—discussion of findings and mitigations should be considered very sensitive, and should be protected by\r\noperational security measures. 
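The impossible-travel check and the impossible-token conditions listed above, as an added Python example (not CISA's Sparrow, not Microsoft's query, and not code from this Alert). The IdP sign-in records, SAML token records, users, IP addresses and coordinates are all constructed; the 900 km/h speed threshold and the one-hour login window are assumptions; the 'exact values' condition is implemented as a token lifetime that is not a whole number of minutes, which is one reading of that sentence.

```python
# Added example, not CISA or Microsoft tooling. All records below are constructed.
from datetime import datetime, timedelta
from math import radians, sin, cos, asin, sqrt

# Constructed geolocation for the two source IPs used below (documentation ranges, hypothetical sites).
GEO = {
    '198.51.100.10': (38.9, -77.0),   # Washington, DC area
    '203.0.113.5': (52.5, 13.4),      # Berlin
}

# Constructed IdP (e.g. AD FS) sign-in records: who authenticated, when, from where, with MFA or not.
IDP_LOGINS = [
    {'user': 'alice', 'ts': datetime(2020, 12, 10, 8, 0, 5), 'ip': '198.51.100.10', 'mfa': True},
]

# Constructed cloud-side SAML token records, as they would be reconstructed from M365 sign-in logs.
TOKENS = [
    # Normal: issued two seconds after the IdP login, used two seconds later, one-hour lifetime.
    {'id': 't1', 'user': 'alice', 'ip': '198.51.100.10', 'mfa_claim': True,
     'issued': datetime(2020, 12, 10, 8, 0, 7), 'first_used': datetime(2020, 12, 10, 8, 0, 9),
     'expires': datetime(2020, 12, 10, 9, 0, 7)},
    # Forged: 24h+37s lifetime, used at the exact second of issue, no IdP login, from another continent.
    {'id': 't2', 'user': 'alice', 'ip': '203.0.113.5', 'mfa_claim': True,
     'issued': datetime(2020, 12, 10, 11, 0, 0), 'first_used': datetime(2020, 12, 10, 11, 0, 0),
     'expires': datetime(2020, 12, 11, 11, 0, 37)},
]


def haversine_km(a, b):
    # Great-circle distance between two (lat, lon) pairs in decimal degrees.
    lat1, lon1, lat2, lon2 = map(radians, (a[0], a[1], b[0], b[1]))
    h = sin((lat2 - lat1) / 2) ** 2 + cos(lat1) * cos(lat2) * sin((lon2 - lon1) / 2) ** 2
    return 2 * 6371.0 * asin(sqrt(h))


def impossible_travel(events, geo, max_speed_kmh=900.0):
    # Consecutive sign-ins per user whose implied speed exceeds an airliner (assumed threshold).
    # VPN egress points produce false positives, so treat hits as leads, not verdicts.
    hits = []
    by_user = {}
    for e in sorted(events, key=lambda e: e['first_used']):
        by_user.setdefault(e['user'], []).append(e)
    for user, seq in by_user.items():
        for prev, cur in zip(seq, seq[1:]):
            if prev['ip'] == cur['ip']:
                continue
            km = haversine_km(geo[prev['ip']], geo[cur['ip']])
            hours = (cur['first_used'] - prev['first_used']).total_seconds() / 3600
            speed = km / hours if hours > 0 else float('inf')
            if speed > max_speed_kmh:
                hits.append({'user': user, 'from': prev['ip'], 'to': cur['ip'], 'speed_kmh': round(speed)})
    return hits


def token_anomalies(token, idp_logins, mfa_enforced=True):
    # Returns the list of impossible-token conditions the token trips; empty means nothing unusual.
    reasons = []
    lifetime = token['expires'] - token['issued']
    if lifetime > timedelta(hours=1):
        reasons.append('long_lifetime')
    if lifetime.total_seconds() % 60:
        reasons.append('odd_lifetime_seconds')   # lifetime is not a whole number of minutes
    if token['first_used'] == token['issued']:
        reasons.append('used_at_issue')
    # Every cloud token should be explained by an IdP login for that user in the preceding hour.
    window = [l for l in idp_logins if l['user'] == token['user']
              and token['issued'] - timedelta(hours=1) <= l['ts'] <= token['issued']]
    if not window:
        reasons.append('no_idp_login')
    elif mfa_enforced and token['mfa_claim'] and not any(l['mfa'] for l in window):
        reasons.append('mfa_claim_without_idp_mfa')   # claim present, IdP never performed MFA
    if mfa_enforced and not token['mfa_claim']:
        reasons.append('missing_mfa_claim')
    return reasons


def run_checks(tokens=TOKENS, idp_logins=IDP_LOGINS, geo=GEO):
    return {'travel': impossible_travel(tokens, geo),
            'tokens': {t['id']: token_anomalies(t, idp_logins) for t in tokens}}


if __name__ == '__main__':
    for name, result in run_checks().items():
        print(name, result)
```

In practice the IdP side comes from AD FS security/audit events and the cloud side from the M365 sign-in logs; the join key is the user plus the issuance time, and the MFA comparison is the one that catches a forged assertion whose claims were simply typed in by the adversary.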
An operational security plan needs to be developed and socialized, via out-of-band\r\ncommunications, to ensure all staff are aware of the applicable handling caveats.\r\nOperational security plans should include:\r\nOut-of-band communications guidance for staff and leadership;\r\nAn outline of what “normal business” is acceptable to be conducted on the suspect network;\r\nA call tree for critical contacts and decision making; and\r\nConsiderations for external communications to stakeholders and media.\r\nMITRE ATT\u0026CK® Techniques\r\nCISA assesses that the threat actor engaged in the activities described in this Alert uses the below-listed ATT\u0026CK\r\ntechniques.\r\nQuery Registry [T1012 ]\r\nObfuscated Files or Information [T1027 ]\r\nObfuscated Files or Information: Steganography [T1027.003 ]\r\nProcess Discovery [T1057 ]\r\nIndicator Removal on Host: File Deletion [T1070.004 ]\r\nApplication Layer Protocol: Web Protocols [T1071.001 ]\r\nApplication Layer Protocol: DNS [T1071.004 ]\r\nFile and Directory Discovery [T1083 ]\r\nIngress Tool Transfer [T1105 ]\r\nData Encoding: Standard Encoding [T1132.001 ]\r\nSupply Chain Compromise: Compromise Software Dependencies and Development Tools [T1195.001 ]\r\nSupply Chain Compromise: Compromise Software Supply Chain [T1195.002 ]\r\nSoftware Discovery [T1518 ]\r\nSoftware Discovery: Security Software [T1518.001 ]\r\nCreate or Modify System Process: Windows Service [T1543.003 ]\r\nSubvert Trust Controls: Code Signing [T1553.002 ]\r\nDynamic Resolution: Domain Generation Algorithms [T1568.002 ]\r\nSystem Services: Service Execution [T1569.002 ]\r\nCompromise Infrastructure [T1584 ]\r\nMitigations\r\n(Updated January 6, 2021) SolarWinds Orion Owners\r\nNetworks with SolarWinds Orion products will generally fall into one of three categories. 
(Note: for the purposes of\r\nmitigation analysis, a network is defined as any computer network with hosts that share either a logical trust or any account\r\ncredentials with SolarWinds Orion.)\r\nCategory 1 includes those who do not have the identified malicious binary code on their network and can\r\nforensically confirm that the binary was never present on their systems. This includes networks that do not, and never\r\ndid, utilize the affected versions of SolarWinds Orion products (see Appendix A).\r\nCategory 2 includes networks where the presence of the malicious binary has been identified—with or without\r\nbeaconing to avsvmcloud[.]com . This includes networks that previously utilized affected versions of SolarWinds\r\nOrion but where the organization has forensically verified (through comprehensive network monitoring and analysis)\r\nthat platforms running the affected software either:\r\na. Had no beaconing, or\r\nb. Only beaconed to avsvmcloud[.]com and have not had any secondary C2 activity to a separate domain or IP\r\naddress or other adversary activity or secondary actions on objectives (AOOs),[6 ] such as SAML token\r\nabuse.\r\n \r\nCategory 2 organizations, after conducting appropriate forensic analysis to ensure they only have Category 2 activity,\r\ncan rebuild the platform, harden the configuration based on SolarWinds secure configuration guidelines, and resume\r\nuse as determined by and consistent with their thorough risk evaluation. For entities not subject to ED 21-01, this can\r\nbe accomplished by following the steps below. Federal agencies subject to ED 21-01 must follow the appropriate\r\nsteps as outlined in the effective ED 21-01 supplemental guidance.\r\na. 
Denying all incoming and outgoing ( any:any ) communications outside of the organization’s device network\r\nmanagement enclave, with additional assurance that communications to the public internet to and from hosts\r\nrunning SolarWinds Orion products has been blocked.\r\nb. Cloud instances of Orion should only monitor cloud resources in that cloud infrastructure.\r\nc. On-premises instances of Orion should not be permissioned with any cloud/hosted identity accounts.\r\nd. Restoration of SolarWinds may be done from the legacy database following the SolarWinds restore guidance\r\n(http://solarwinds.com/upgrading-your-environment ). Restoration for affected versions will differ from\r\nrestoration for unaffected versions—agencies must ensure that they are following the correct restoration\r\nguidance.\r\ne. Before building SolarWinds:\r\ni. All account credentials, or other shared secrets (e.g., Simple Network Management Protocol [SNMP]\r\nstrings) that are or had been utilized by the affected SolarWinds Orion device being rebuilt should be\r\nchanged.\r\nii. Enable MFA for these credentials, whenever possible.\r\niii. Provide service accounts with the minimum privilege necessary for the role performed, whenever\r\npossible.\r\niv. For accounts where MFA is not possible  (e.g., service accounts), use randomly generated long and\r\ncomplex passwords (greater than 25 characters) and implement a maximum 90-day rotation policy for\r\nthese passwords.\r\nv. Remove all inbound trust relationships to the SolarWinds Orion device being rebuilt.\r\nf. Re-building a SolarWinds Orion Platform to at least version 2020.2.1 HF2 and updating the host to the latest\r\nsupported build, at least Windows 2016.\r\ng. Following the SolarWinds secure configuration (hardening) guidelines provided by the vendor, which can be\r\nfound at: https://documentation.solarwinds.com/en/Success_Center/orionplatform/content/core-secure-configuration.htm . 
CISA does not recommend configuring the SolarWinds software to implement SAML-based authentication that relies on Microsoft’s Active Directory Federation Services (AD FS) if it has not already been\r\nconfigured to leverage SAML. This configuration is currently being exploited by the threat actor with this\r\nactivity.\r\nh. Configuring logging to ensure that all logs on the host operating system and SolarWinds platform are being\r\ncaptured and stored for at least 180 days.\r\ni. Configure logging to ensure that all logs from the host OS, SolarWinds platform, and associated network logs\r\nare being captured and stored for at least 180 days in a separate, centralized log aggregation capability.\r\nj. Implementing subsequent SolarWinds Orion Platform updates. CISA recommends installing all updates\r\nwithin 48 hours of release.\r\n \r\nCategory 3 includes those networks that used affected versions of SolarWinds Orion and have evidence of follow-on\r\nthreat actor activity, such as binary beaconing to avsvmcloud[.]com and secondary C2 activity to a separate domain\r\nor IP address (typically but not exclusively returned in avsvmcloud[.]com CNAME responses). Additionally,\r\norganizations that have observed communications with avsvmcloud[.]com that appear to suddenly cease prior to\r\nDecember 14, 2020—not due to an action taken by their network defenders—fall into this category. Assume the\r\nenvironment has been compromised, and initiate incident response procedures immediately. Recovery and\r\nremediation of Category 3 activity requires a complex reconstitution and mitigation plan, which may include\r\ncomprehensively rebuilding the environment. 
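The three-category triage above, combined with the beacon and CNAME behaviour described in the SolarWinds Orion Supply Chain Compromise section, as an added Python example (not CISA code and not part of this Alert). The DNS log format, host names, next-stage domain and the query-name labels are constructed placeholders, not real SUNBURST output; the early-cessation rule is a simplification of the Category 3 wording (beacons that stop before December 14, 2020 while the log still has coverage past that date and no defender block is on record); and the file-version check is only a first pass, since a version string is self-reported and the binary should be confirmed by hashing the DLL against Appendix A.

```python
# Added example, not CISA tooling. Log lines and names below are constructed.
from datetime import datetime

# File versions Appendix A marks as carrying the Sunburst backdoor.
BACKDOORED_FILE_VERSIONS = {
    '2019.4.5200.9083',   # 2019.4 HF5
    '2020.2.100.12219',   # 2020.2 RC1
    '2020.2.5200.12394',  # 2020.2 RC2
    '2020.2.5300.12432',  # 2020.2 and 2020.2 HF1
}
BEACON_DOMAIN = 'avsvmcloud.com'
SINKHOLE_DATE = datetime(2020, 12, 14)   # beacons that stop before this date, unprompted, are suspicious

# Constructed DNS logs: timestamp client qname qtype answer, one record per line.
BEACON_ONLY_LOG = '''
2020-12-20T09:14:03 orion01 aaaaaaaaaaaaaaaa.appsync-api.eu-west-1.avsvmcloud.com A 20.140.0.1
2020-12-20T11:02:11 desktop17 www.example.org A 93.184.216.34
2020-12-21T09:15:40 orion01 aaaaaaaaaaaaaaaa.appsync-api.eu-west-1.avsvmcloud.com A 20.140.0.1
'''
SECONDARY_C2_LOG = '''
2020-11-02T09:14:03 orion01 bbbbbbbbbbbbbbbb.appsync-api.us-east-2.avsvmcloud.com A 198.51.100.7
2020-11-02T09:31:47 orion01 bbbbbbbbbbbbbbbb.appsync-api.us-east-2.avsvmcloud.com CNAME stage2.example.net
2020-11-02T09:31:48 orion01 stage2.example.net A 203.0.113.44
2020-12-20T11:02:11 desktop17 www.example.org A 93.184.216.34
'''


def parse_dns_log(text):
    records = []
    for line in text.strip().splitlines():
        ts, client, qname, qtype, answer = line.split()
        records.append({'ts': datetime.fromisoformat(ts), 'client': client,
                        'qname': qname.lower().rstrip('.'), 'qtype': qtype, 'answer': answer.lower()})
    return records


def is_beacon_name(qname):
    return qname == BEACON_DOMAIN or qname.endswith('.' + BEACON_DOMAIN)


def beacon_records(records):
    # Any lookup under avsvmcloud.com is the implant checking in; on its own this is Category 2.
    return [r for r in records if is_beacon_name(r['qname'])]


def secondary_c2_hosts(records):
    # A CNAME answer for an avsvmcloud.com name is the adversary handing the implant its next-stage host.
    return sorted({r['answer'] for r in records if r['qtype'] == 'CNAME' and is_beacon_name(r['qname'])})


def classify(binary_present, records, defenders_blocked=False):
    # Returns (category, reason) following the Category 1/2/3 definitions in the Alert.
    if not binary_present:
        return 1, 'malicious binary never present'
    beacons = beacon_records(records)
    c2 = secondary_c2_hosts(records)
    if c2:
        return 3, 'secondary C2 via CNAME: ' + ', '.join(c2)
    if beacons:
        last_beacon = max(r['ts'] for r in beacons)
        log_end = max(r['ts'] for r in records)
        # Simplified reading of the Alert: beaconing that stops before the sinkhole date while
        # the log still covers later dates, and no defender block explains it.
        if last_beacon < SINKHOLE_DATE <= log_end and not defenders_blocked:
            return 3, 'beaconing ceased before the sinkhole without defender action'
        return 2, 'beaconing to avsvmcloud.com only'
    return 2, 'binary present, no beaconing observed'


def triage(file_version, log_text, defenders_blocked=False):
    # The version string is a first pass only; confirm by hashing the DLL against Appendix A.
    return classify(file_version in BACKDOORED_FILE_VERSIONS, parse_dns_log(log_text), defenders_blocked)


if __name__ == '__main__':
    print(triage('2020.2.5300.12432', BEACON_ONLY_LOG))
    print(triage('2020.2.5200.12394', SECONDARY_C2_LOG))
```

A Category 2 verdict still depends on the forensic work the Alert calls for: the DNS view only shows that the implant never received a next-stage host, not that nothing else happened on the Orion server.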
Recovery of a Category 3 environment should be coordinated with an organization’s leadership and\r\nincident response team.\r\nCompromise Mitigations\r\n(Updated January 6, 2021): If the adversary has compromised administrative-level credentials in an environment—or if\r\norganizations identify SAML abuse in the environment—simply mitigating individual issues, systems, servers, or specific\r\nuser accounts will likely not lead to the adversary’s removal from the network. In such cases, organizations should consider\r\nthe entire identity trust store as compromised. In the event of a total identity compromise, a full reconstitution of identity and\r\ntrust services is required to successfully remediate. In this reconstitution, it bears repeating that this threat actor is among the\r\nmost capable, and in many cases, a full rebuild of the environment is the safest action. A Microsoft blog post, Advice for\r\nincident responders on recovery from systemic identity compromises outlines processes and procedures needed to remediate\r\nthis type of activity and retain administrative control of an environment. In addition to the recommendations in this blog\r\npost, CISA recommends the following actions:\r\n1. Take actions to remediate kerberoasting, including, as necessary or appropriate, engaging with a 3rd party with\r\nexperience eradicating APTs from enterprise networks. For Windows environments, refer to the following:\r\na. See Microsoft’s documentation on kerberoasting: https://techcommunity.microsoft.com/t5/microsoft-security-and/detecting-ldap-based-kerberoasting-with-azure-atp/ba-p/462448 .\r\nb. Change all account credentials, or other shared secrets (e.g., SNMP strings) that were potentially exposed:\r\ni. Enable MFA for these credentials, whenever possible;\r\nii. Provide service accounts with the minimum level of privilege necessary for the role performed,\r\nwhenever possible; and\r\niii. 
For accounts where MFA is not possible, require use of randomly generated long and complex\r\npasswords (greater than 25 characters) and implement a maximum 90-day rotation policy for these\r\npasswords.\r\nc. Replace the user accounts with a Group Managed Service Account (gMSA). See Microsoft’s Group Managed Service Accounts overview:\r\nhttps://docs.microsoft.com/en-us/windows-server/security/group-managed-service-accounts/group-managed-service-accounts-overview .\r\nd. Set account options for service accounts to support AES256_CTS_HMAC_SHA1_96 and not support DES,\r\nRC4, or AES128 bit encryption.\r\ne. Define the Security Policy setting, for Network Security: Configure Encryption types allowed for Kerberos.\r\nSet the allowable encryption types to AES256_HMAC_SHA1 and Future encryption types.\r\nhttps://docs.microsoft.com/en-us/windows/security/threat-protection/security-policy-settings/network-security-configure-encryption-types-allowed-for-kerberos\r\nf. See Microsoft’s documentation on how to reset the Kerberos Ticket Granting Ticket password, twice:\r\nhttps://docs.microsoft.com/en-us/windows-server/identity/ad-ds/manage/ad-forest-recovery-resetting-the-krbtgt-password .\r\nSolarWinds Orion Specific Mitigations\r\nThe following mitigations apply to networks using the SolarWinds Orion product. This includes any information system that\r\nis used by an entity or operated on its behalf.\r\nOrganizations that have the expertise to take the actions in Step 1 immediately should do so before proceeding to Step 2.\r\nOrganizations without this capability should proceed to Step 2. 
Federal civilian executive branch agencies should ignore the\r\nsteps below and refer instead to Emergency Directive 21-01 (and forthcoming associated guidance) for mitigation steps.\r\nStep 1\r\nForensically image system memory and/or host operating systems hosting all instances of affected\r\nversions of SolarWinds Orion. Analyze for new user or service accounts, privileged or otherwise.\r\nAnalyze stored network traffic for indications of compromise, including new external DNS domains to which\r\na small number of agency hosts (e.g., SolarWinds systems) have had connections.\r\nStep 2\r\nAffected organizations should immediately disconnect or power down all instances of affected\r\nversions of SolarWinds Orion from their network.\r\nAdditionally:\r\nBlock all traffic to and from hosts, external to the enterprise, where any version of SolarWinds Orion\r\nsoftware has been installed.\r\nIdentify and remove all threat actor-controlled accounts and identified persistence mechanisms.\r\nStep 3\r\nOnly after all known threat actor-controlled accounts and persistence mechanisms have been removed:\r\nTreat all hosts monitored by the SolarWinds Orion monitoring software as compromised by threat\r\nactors and assume that the threat actor has deployed further persistence mechanisms.\r\nRebuild hosts monitored by the SolarWinds Orion monitoring software using trusted sources.\r\nReset all credentials used by or stored in SolarWinds software. Such credentials should be considered\r\ncompromised.\r\n(New December 19, 2020) For all network devices (routers, switches, firewalls, etc.) 
managed by affected\r\nSolarWinds servers that also have indications of additional adversary activity, CISA recommends the following steps:\r\nDevice configurations\r\nAudit all network device configurations, stored or managed on the SolarWinds monitoring server, for\r\nsigns of unauthorized or malicious configuration changes.\r\nAudit the configurations found on network devices for signs of unauthorized or malicious\r\nconfiguration changes. Organizations should ensure they audit the current network device running\r\nconfiguration and any local configurations that could be loaded at boot time.\r\nCredential and security information reset\r\nChange all credentials being used to manage network devices, to include keys and strings used to\r\nsecure network device functions (SNMP strings/user credentials, IPsec/IKE preshared keys, routing\r\nsecrets, TACACS/RADIUS secrets, RSA keys/certificates, etc.).\r\nFirmware and software validation\r\nValidate all network device firmware/software which was stored or managed on the SolarWinds\r\nmonitoring server. Cryptographic hash verification should be performed on such firmware/software\r\nand matched against known good hash values from the network vendor. CISA recommends that, if\r\npossible, organizations download known good versions of firmware.\r\nFor network devices managed by the SolarWinds monitoring server, the running firmware/software should be\r\nchecked against known good hash values from the network vendor. 
CISA recommends that, if possible, organizations\r\nre-upload known good firmware/software to managed network devices and perform a reboot.\r\nSee Joint Alert on Technical Approaches to Uncovering and Remediating Malicious Activity for more information on\r\nincident investigation and mitigation steps based on best practices.\r\nCISA will update this Alert, as information becomes available and will continue to provide technical assistance, upon\r\nrequest, to affected entities as they work to identify and mitigate potential compromises.\r\nContact Information\r\nCISA encourages recipients of this report to contribute any additional information that they may have related to this threat.\r\nFor any questions related to this report, please contact CISA at\r\n1-844-Say-CISA (From outside the United States: +1-703-235-8832)\r\ncentral@cisa.dhs.gov (UNCLASS)\r\nus-cert@dhs.sgov.gov (SIPRNET)\r\nus-cert@dhs.ic.gov (JWICS)\r\nCISA encourages you to report any suspicious activity, including cybersecurity incidents, possible malicious code, software\r\nvulnerabilities, and phishing-related scams. Reporting forms can be found on the CISA/US-CERT homepage at\r\nhttp://www.us-cert.cisa.gov/.\r\nAppendix A: Affected SolarWinds Orion Products\r\nTable 1 identifies recent versions of SolarWinds Orion Platforms and indicates whether they have been identified as having\r\nthe Sunburst backdoor present. 
(Updated January 6, 2021: added SHA-1 and MD5 hashes to table 1; updated SHA-256 hash for version 2019.4 HF6).\r\nTable 1: Affected SolarWinds Orion Products\r\nOrion Platform Version | Sunburst Backdoor Code Present | File Version | SHA-256 | SHA-1 (prefix)\r\n2019.4 | Tampered but not backdoored | 2019.4.5200.8890 | a25cadd48d70f6ea0c4a241d99c5241269e6faccb4054e62d16784640f8e53bc | 5e643654179e8b\r\n2019.4 HF1 | No | 2019.4.5200.8950 | 9bee4af53a8cdd7ecabe5d0c77b6011abe887ac516a5a22ad51a058830403690 | 48e84a1ed30d36f\r\n2019.4 HF2 | No | 2019.4.5200.8996 | bb86f66d11592e3312cd03423b754f7337aeebba9204f54b745ed3821de6252d | 162bb92a18bb39\r\n2019.4 HF3 | No | 2019.4.5200.9001 | ae6694fd12679891d95b427444466f186bcdcc79bc0627b590e0cb40de1928ad | 98bb0c5d1a7114\r\n2019.4 HF4 | No | 2019.4.5200.9045 | 9d6285db647e7eeabdb85b409fad61467de1655098fec2e25aeb7770299e9fee | 2a255070160b1c\r\n2020.2 RC1 | Yes | 2020.2.100.12219 | dab758bf98d9b36fa057a66cd0284737abf89857b73ca89280267ee7caf62f3b | 1acf3108bf1e376\r\n2019.4 HF5 | Yes | 2019.4.5200.9083 | 32519b85c0b422e4656de6e6c41878e95fd95026267daab4215ee59c107d6c77 | 76640508b1e775\r\n2020.2 RC2 | Yes | 2020.2.5200.12394 | 019085a76ba7126fff22770d71bd901c325fc68ac55aa743327984e89f4b0134 | 2f1a5a7411d015d\r\n2020.2 and 2020.2 HF1 | Yes | 2020.2.5300.12432 | ce77d116a074dab7a22a0fd4f2c1ab475f16eec42e1ded3c0b0aa8211fe858d6 | d130bd75645c24\r\n2019.4 HF6 | No | 2019.4.5200.9106 | 8dfe613b00d495fb8905bdf6e1317d3e3ac1f63a626032fa2bdad4750887ee8a | 00f66fc1f74b9eca\r\n2020.2.1 and 2020.2.1 HF1 | No | 2020.2.15300.12766 | 143632672dcb6ef324343739636b984f5c52ece0e078cfee7c6cac4a3545403a | 8acbcc116baa802\r\n2020.2.1 HF2 | No | 2020.2.15300.12901 | cc870c07eeb672ab33b6c2be51b173ad5564af5d98bfc02da02367a9e349a76f | babf9af689033fa2\r\nAppendix B: Indicators of
Compromise\r\nDue to the operational security posture of the adversary, most observable IOCs are of limited utility; however, they can be useful for quick triage. Below is a compilation of IOCs from a variety of public sources provided for convenience. CISA will be updating this list with CISA-developed IOCs as our investigations evolve. Note: removed two IOCs (12.227.230[.]4, 65.153.203[.]68) and corrected typo, updated December 19, 2020; added multiple new IOCs on January 6, 2021 (new IOCs added are at the bottom of the table); corrected typos, added new IOC, and deleted duplicate hash on January 7, 2021.\r\nTable 2: Indicators of Compromise\r\nRevisions\r\nInitial version: December 17, 2020\r\nDecember 18, 2020: Updated note regarding initial vectors and key takeaways.\r\nDecember 19, 2020: Updated mitigation guidance, indicators of compromise table, and provided a downloadable STIX file of the IOCs.\r\nDecember 21, 2020: Added reference to NSA Cybersecurity Advisory: Detecting Abuse of Authentication Methods\r\nDecember 23, 2020: Added link to CISA.gov/supply-chain-compromise\r\nJanuary 06, 2021: Updated Initial Access Vectors, Mitigations, and IOCs\r\nJanuary 07, 2021: Updated IOCs\r\nFebruary 08, 2021: Updated IOCs\r\nApril 13, 2021: Fixed Spelling Error\r\nApril 15, 2021: Updated with Attribution Statement and SUNSHUTTLE MAR\r\nSource: https://www.cisa.gov/news-events/cybersecurity-advisories/aa20-352a",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MITRE"
	],
	"references": [
		"https://www.cisa.gov/news-events/cybersecurity-advisories/aa20-352a"
	],
	"report_names": [
		"aa20-352a"
	],
	"threat_actors": [
		{
			"id": "b43e5ea9-d8c8-4efa-b5bf-f1efb37174ba",
			"created_at": "2022-10-25T16:07:24.36191Z",
			"updated_at": "2026-04-10T02:00:04.954902Z",
			"deleted_at": null,
			"main_name": "UNC2452",
			"aliases": [
				"Dark Halo",
				"Nobelium",
				"SolarStorm",
				"StellarParticle",
				"UNC2452"
			],
			"source_name": "ETDA:UNC2452",
			"tools": [],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "1d3f9dec-b033-48a5-8b1e-f67a29429e89",
			"created_at": "2022-10-25T15:50:23.739197Z",
			"updated_at": "2026-04-10T02:00:05.275809Z",
			"deleted_at": null,
			"main_name": "UNC2452",
			"aliases": [
				"UNC2452",
				"NOBELIUM",
				"StellarParticle",
				"Dark Halo"
			],
			"source_name": "MITRE:UNC2452",
			"tools": [
				"Sibot",
				"Mimikatz",
				"Cobalt Strike",
				"AdFind",
				"GoldMax"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "a241a1ca-2bc9-450b-a07b-aae747ee2710",
			"created_at": "2024-06-19T02:03:08.150052Z",
			"updated_at": "2026-04-10T02:00:03.737173Z",
			"deleted_at": null,
			"main_name": "IRON RITUAL",
			"aliases": [
				"APT29",
				"Blue Dev 5 ",
				"BlueBravo ",
				"Cloaked Ursa ",
				"CozyLarch ",
				"Dark Halo ",
				"Midnight Blizzard ",
				"NOBELIUM ",
				"StellarParticle ",
				"UNC2452 "
			],
			"source_name": "Secureworks:IRON RITUAL",
			"tools": [
				"Brute Ratel C4",
				"Cobalt Strike",
				"EnvyScout",
				"GoldFinder",
				"GoldMax",
				"NativeZone",
				"RAINDROP",
				"SUNBURST",
				"Sibot",
				"TEARDROP",
				"VaporRage"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "20d3a08a-3b97-4b2f-90b8-92a89089a57a",
			"created_at": "2022-10-25T15:50:23.548494Z",
			"updated_at": "2026-04-10T02:00:05.292748Z",
			"deleted_at": null,
			"main_name": "APT29",
			"aliases": [
				"APT29",
				"IRON RITUAL",
				"IRON HEMLOCK",
				"NobleBaron",
				"Dark Halo",
				"NOBELIUM",
				"UNC2452",
				"YTTRIUM",
				"The Dukes",
				"Cozy Bear",
				"CozyDuke",
				"SolarStorm",
				"Blue Kitsune",
				"UNC3524",
				"Midnight Blizzard"
			],
			"source_name": "MITRE:APT29",
			"tools": [
				"PinchDuke",
				"ROADTools",
				"WellMail",
				"CozyCar",
				"Mimikatz",
				"Tasklist",
				"OnionDuke",
				"FatDuke",
				"POSHSPY",
				"EnvyScout",
				"SoreFang",
				"GeminiDuke",
				"reGeorg",
				"GoldMax",
				"FoggyWeb",
				"SDelete",
				"PolyglotDuke",
				"AADInternals",
				"MiniDuke",
				"SeaDuke",
				"Sibot",
				"RegDuke",
				"CloudDuke",
				"GoldFinder",
				"AdFind",
				"PsExec",
				"NativeZone",
				"Systeminfo",
				"ipconfig",
				"Impacket",
				"Cobalt Strike",
				"PowerDuke",
				"QUIETEXIT",
				"HAMMERTOSS",
				"BoomBox",
				"CosmicDuke",
				"WellMess",
				"VaporRage",
				"LiteDuke"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "f27790ff-4ee0-40a5-9c84-2b523a9d3270",
			"created_at": "2022-10-25T16:07:23.341684Z",
			"updated_at": "2026-04-10T02:00:04.549917Z",
			"deleted_at": null,
			"main_name": "APT 29",
			"aliases": [
				"APT 29",
				"ATK 7",
				"Blue Dev 5",
				"BlueBravo",
				"Cloaked Ursa",
				"CloudLook",
				"Cozy Bear",
				"Dark Halo",
				"Earth Koshchei",
				"G0016",
				"Grizzly Steppe",
				"Group 100",
				"ITG11",
				"Iron Hemlock",
				"Iron Ritual",
				"Midnight Blizzard",
				"Minidionis",
				"Nobelium",
				"NobleBaron",
				"Operation Ghost",
				"Operation Office monkeys",
				"Operation StellarParticle",
				"SilverFish",
				"Solar Phoenix",
				"SolarStorm",
				"StellarParticle",
				"TEMP.Monkeys",
				"The Dukes",
				"UNC2452",
				"UNC3524",
				"Yttrium"
			],
			"source_name": "ETDA:APT 29",
			"tools": [
				"7-Zip",
				"ATI-Agent",
				"AdFind",
				"Agentemis",
				"AtNow",
				"BEATDROP",
				"BotgenStudios",
				"CEELOADER",
				"Cloud Duke",
				"CloudDuke",
				"CloudLook",
				"Cobalt Strike",
				"CobaltStrike",
				"CosmicDuke",
				"Cozer",
				"CozyBear",
				"CozyCar",
				"CozyDuke",
				"Danfuan",
				"EnvyScout",
				"EuroAPT",
				"FatDuke",
				"FoggyWeb",
				"GeminiDuke",
				"Geppei",
				"GoldFinder",
				"GoldMax",
				"GraphDrop",
				"GraphicalNeutrino",
				"GraphicalProton",
				"HAMMERTOSS",
				"HammerDuke",
				"LOLBAS",
				"LOLBins",
				"LiteDuke",
				"Living off the Land",
				"MagicWeb",
				"Mimikatz",
				"MiniDionis",
				"MiniDuke",
				"NemesisGemina",
				"NetDuke",
				"OnionDuke",
				"POSHSPY",
				"PinchDuke",
				"PolyglotDuke",
				"PowerDuke",
				"QUIETEXIT",
				"ROOTSAW",
				"RegDuke",
				"Rubeus",
				"SNOWYAMBER",
				"SPICYBEAT",
				"SUNSHUTTLE",
				"SeaDaddy",
				"SeaDask",
				"SeaDesk",
				"SeaDuke",
				"Sharp-SMBExec",
				"SharpView",
				"Sibot",
				"Solorigate",
				"SoreFang",
				"TinyBaron",
				"WINELOADER",
				"WellMail",
				"WellMess",
				"cobeacon",
				"elf.wellmess",
				"reGeorg",
				"tDiscoverer"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775441513,
	"ts_updated_at": 1775792253,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/248f6cd98fd79af01c822eb8d4f6608f8334505a.pdf",
		"text": "https://archive.orkl.eu/248f6cd98fd79af01c822eb8d4f6608f8334505a.txt",
		"img": "https://archive.orkl.eu/248f6cd98fd79af01c822eb8d4f6608f8334505a.jpg"
	}
}