{
	"id": "9fc68be7-d3ae-4cad-b2a2-32e8726381be",
	"created_at": "2026-04-06T00:11:55.993567Z",
	"updated_at": "2026-04-10T13:12:50.461775Z",
	"deleted_at": null,
	"sha1_hash": "263ea360554779e7cb0e645cbb8bf17a7d045526",
	"title": "SolarWinds Orion and UNC2452 - Summary and Recommendations",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 74717,
	"plain_text": "SolarWinds Orion and UNC2452 - Summary and Recommendations\r\nArchived: 2026-04-05 22:26:11 UTC\r\nIn the wake of recent revelations regarding a supply chain compromise of the SolarWinds Orion platform by a nation-state actor, and subsequent targeting of private sector and government organizations by said actor, the TrustedSec Incident Response team is releasing the following summary and guidance. This guidance reflects information from industry counterparts as well as recommendations derived from internal experience. To reiterate, this document represents a consolidation of the vast number of useful resources and information being shared by the community; it is intended to provide a convenient source of information and guidance as the situation develops, not to label existing research as our own.\r\nFor the purposes of this discussion, we will be referring to the threat actor dubbed “UNC2452” by FireEye and the corresponding malware identified as “SUNBURST,” which has capabilities to deliver a memory-only dropper named “TEARDROP,” which in turn has been observed delivering Cobalt Strike Beacon and other malware.\r\nHighlights\r\nUNC2452 has been observed leveraging a supply chain compromise to serve backdoored updates for the SolarWinds Orion Platform software.\r\nAs such, the initial access vector into a target environment is the Orion software itself, rather than “traditional” access vectors such as RDP or phishing.\r\nCompromised builds of the SolarWinds Orion Platform include versions 2019.4 HF 5 through 2020.2.1, released between March 2020 and June 2020.\r\nThe malicious update is digitally signed by SolarWinds and has been publicly available since March 2020.\r\nThe threat actor has implemented extensive measures to blend their activity with legitimate SolarWinds behavior, with the goal of evading detection.\r\nThe threat actor has been observed conducting a variety of post-exploitation activities to act on objectives and establish long-term access, including:\r\nAdding or modifying federation trusts in Azure AD to accept tokens signed with actor-owned certificates;\r\nAdding x509 keys/password credentials to OAuth Applications or Service Principals, often with the goal of reading mail content from Exchange Online services; and\r\nLeveraging memory-only droppers to deploy Cobalt Strike BEACON and potentially other backdoors.\r\nRecommendations Related to SolarWinds Orion Product\r\nUpgrade to Orion Platform version 2020.2.1 HF 1 as soon as possible. [1]\r\nhttps://www.trustedsec.com/blog/solarwinds-orion-and-unc2452-summary-and-recommendations/\r\nPage 1 of 4\r\nDirections for checking which version of the Orion Platform you are using can be found here:\r\nhttps://support.solarwinds.com/SuccessCenter/s/article/Determine-which-version-of-a-SolarWinds-Orion-product-I-have-installed?language=en_US\r\nTo check which hotfixes you have applied, go here:\r\nhttps://support.solarwinds.com/SuccessCenter/s/article/Verify-hotfixes-that-have-been-installed?language=en_US\r\nIf you cannot upgrade immediately, follow guidelines available here for hardening your Orion Platform instance:\r\nhttps://www.solarwinds.com/-/media/solarwinds/swdcv2/landing-pages/trust-center/resources/secure-configuration-in-the-orion-platform.ashx?rev=32603e0c87d84085b081f99a33fe5f4d\u0026hash=62A998B9753957D82BC0F07005D38368\r\nNamely, ensure your Orion Platform installation is placed behind a firewall, disable Internet access to the Orion Platform, and limit the ports and connections only to what is necessary.\r\nSolarWinds expects to release an additional hotfix (2020.2.1 HF 2) on Tuesday, December 15, 2020.\r\nThis hotfix will replace the compromised software component and provide additional security enhancements.\r\nMicrosoft recommends considering disabling SolarWinds in your environment entirely, “until you are confident that you have a trustworthy build free of injected code.”\r\nIf SolarWinds infrastructure is not isolated, consider taking the following steps:\r\nRestrict scope of connectivity to endpoints from SolarWinds servers, especially those that would be considered Tier 0/crown jewel assets;\r\nRestrict the scope of accounts that have local administrator privileges on SolarWinds servers; and\r\nBlock Internet egress from servers or other endpoints with SolarWinds software.\r\nConsider (at a minimum) changing passwords for accounts that have access to SolarWinds servers/infrastructure. Based upon further review/investigation, additional remediation measures may be required.\r\nIf SolarWinds is used to manage networking infrastructure, consider conducting a review of network device configurations for unexpected/unauthorized modifications. Note, this is a proactive measure due to the scope of SolarWinds functionality, not based on investigative findings.\r\nRecommendations for General Investigation and Hunting\r\nBlock and cross-reference the list of command-and-control endpoints provided in the Indicators of Compromise resources below with remote access logs to identify unauthorized access.\r\nAttacker IP addresses will likely be in the same country as the target organization.\r\nUse geolocation data to identify instances of “impossible travel,” i.e., if an account logged in from a distance after logging in nearby.\r\nUNC2452 has been observed mimicking victim hostnames in their command-and-control infrastructure. [2]\r\nQuerying Internet scanning services such as Shodan for internal hostnames may reveal attacker infrastructure used against your organization.\r\nCheck for a single system authenticating to multiple systems with multiple accounts.\r\nThis may be difficult without sufficient visibility into network and host-based activity.\r\nSeveral antivirus and Endpoint Detection and Response (EDR) products have now implemented detections for the “SUNBURST” malware. Ensuring that anti-virus and EDR data sources are up to date is critical.\r\nRecommendations for Hardening Active Directory [3]\r\nEnsure that user accounts with administrative rights follow best practices, including the use of privileged access workstations, Just-In-Time/Just-Enough-Admin, and strong authentication.\r\nReduce the number of users that are members of highly privileged Directory Roles, like Global Administrator, Application Administrator, and Cloud Application Administrator.\r\nMonitor your Active Directory environment for anomalous activity and protect sensitive credentials.\r\nEnsure that service accounts and service principals with administrative rights use high entropy secrets, certificates, and are stored securely.\r\nMonitor for changes to secrets used for service accounts and service principals as part of your security monitoring program.\r\nMonitor for anomalous use of service accounts.\r\nMicrosoft Azure AD indicates session anomalies, as does Microsoft Cloud App Security, if in use.\r\nReduce attack surface by removing/disabling unused or unnecessary applications and service principals.\r\nReduce permissions on active applications and service principals, especially applications with AppOnly permissions.\r\nIndicators of Compromise\r\nRefer to the FireEye GitHub repository for the latest Indicators of Compromise and signatures:\r\nhttps://github.com/fireeye/sunburst_countermeasures\r\nReferences and Suggested Reading\r\nhttps://www.fireeye.com/blog/threat-research/2020/12/evasive-attacker-leverages-solarwinds-supply-chain-compromises-with-sunburst-backdoor.html\r\nhttps://github.com/fireeye/sunburst_countermeasures\r\nhttps://msrc-blog.microsoft.com/2020/12/13/customer-guidance-on-recent-nation-state-cyber-attacks/\r\nhttps://docs.microsoft.com/en-us/windows-server/identity/securing-privileged-access/privileged-access-workstations\r\nhttps://www.solarwinds.com/securityadvisory\r\nhttps://support.solarwinds.com/SuccessCenter/s/article/Determine-which-version-of-a-SolarWinds-Orion-product-I-have-installed?language=en_US\r\nhttps://support.solarwinds.com/SuccessCenter/s/article/Verify-hotfixes-that-have-been-installed?language=en_US\r\nhttps://www.solarwinds.com/-/media/solarwinds/swdcv2/landing-pages/trust-center/resources/secure-configuration-in-the-orion-platform.ashx?rev=32603e0c87d84085b081f99a33fe5f4d\u0026hash=62A998B9753957D82BC0F07005D38368\r\n[1] https://www.solarwinds.com/securityadvisory\r\n[2] https://www.fireeye.com/blog/threat-research/2020/12/evasive-attacker-leverages-solarwinds-supply-chain-compromises-with-sunburst-backdoor.html\r\n[3] https://msrc-blog.microsoft.com/2020/12/13/customer-guidance-on-recent-nation-state-cyber-attacks/\r\nFor a full Incident Response playbook on responding to the Sunburst backdoor, see \"SolarWinds Backdoor (Sunburst) Incident Response Playbook\" by TrustedSec's Incident Response Team.\r\nSource: https://www.trustedsec.com/blog/solarwinds-orion-and-unc2452-summary-and-recommendations/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://www.trustedsec.com/blog/solarwinds-orion-and-unc2452-summary-and-recommendations/"
	],
	"report_names": [
		"solarwinds-orion-and-unc2452-summary-and-recommendations"
	],
	"threat_actors": [
		{
			"id": "b43e5ea9-d8c8-4efa-b5bf-f1efb37174ba",
			"created_at": "2022-10-25T16:07:24.36191Z",
			"updated_at": "2026-04-10T02:00:04.954902Z",
			"deleted_at": null,
			"main_name": "UNC2452",
			"aliases": [
				"Dark Halo",
				"Nobelium",
				"SolarStorm",
				"StellarParticle",
				"UNC2452"
			],
			"source_name": "ETDA:UNC2452",
			"tools": [],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "610a7295-3139-4f34-8cec-b3da40add480",
			"created_at": "2023-01-06T13:46:38.608142Z",
			"updated_at": "2026-04-10T02:00:03.03764Z",
			"deleted_at": null,
			"main_name": "Cobalt",
			"aliases": [
				"Cobalt Group",
				"Cobalt Gang",
				"GOLD KINGSWOOD",
				"COBALT SPIDER",
				"G0080",
				"Mule Libra"
			],
			"source_name": "MISPGALAXY:Cobalt",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "1d3f9dec-b033-48a5-8b1e-f67a29429e89",
			"created_at": "2022-10-25T15:50:23.739197Z",
			"updated_at": "2026-04-10T02:00:05.275809Z",
			"deleted_at": null,
			"main_name": "UNC2452",
			"aliases": [
				"UNC2452",
				"NOBELIUM",
				"StellarParticle",
				"Dark Halo"
			],
			"source_name": "MITRE:UNC2452",
			"tools": [
				"Sibot",
				"Mimikatz",
				"Cobalt Strike",
				"AdFind",
				"GoldMax"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "5b748f86-ac32-4715-be9f-6cf25ae48a4e",
			"created_at": "2024-06-04T02:03:07.956135Z",
			"updated_at": "2026-04-10T02:00:03.689959Z",
			"deleted_at": null,
			"main_name": "IRON HEMLOCK",
			"aliases": [
				"APT29 ",
				"ATK7 ",
				"Blue Kitsune ",
				"Cozy Bear ",
				"The Dukes",
				"UNC2452 ",
				"YTTRIUM "
			],
			"source_name": "Secureworks:IRON HEMLOCK",
			"tools": [
				"CosmicDuke",
				"CozyCar",
				"CozyDuke",
				"DiefenDuke",
				"FatDuke",
				"HAMMERTOSS",
				"LiteDuke",
				"MiniDuke",
				"OnionDuke",
				"PolyglotDuke",
				"RegDuke",
				"RegDuke Loader",
				"SeaDuke",
				"Sliver"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "a241a1ca-2bc9-450b-a07b-aae747ee2710",
			"created_at": "2024-06-19T02:03:08.150052Z",
			"updated_at": "2026-04-10T02:00:03.737173Z",
			"deleted_at": null,
			"main_name": "IRON RITUAL",
			"aliases": [
				"APT29",
				"Blue Dev 5 ",
				"BlueBravo ",
				"Cloaked Ursa ",
				"CozyLarch ",
				"Dark Halo ",
				"Midnight Blizzard ",
				"NOBELIUM ",
				"StellarParticle ",
				"UNC2452 "
			],
			"source_name": "Secureworks:IRON RITUAL",
			"tools": [
				"Brute Ratel C4",
				"Cobalt Strike",
				"EnvyScout",
				"GoldFinder",
				"GoldMax",
				"NativeZone",
				"RAINDROP",
				"SUNBURST",
				"Sibot",
				"TEARDROP",
				"VaporRage"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "70872c3a-e788-4b55-a7d6-b2df52001ad0",
			"created_at": "2023-01-06T13:46:39.18401Z",
			"updated_at": "2026-04-10T02:00:03.239111Z",
			"deleted_at": null,
			"main_name": "UNC2452",
			"aliases": [
				"DarkHalo",
				"StellarParticle",
				"NOBELIUM",
				"Solar Phoenix",
				"Midnight Blizzard"
			],
			"source_name": "MISPGALAXY:UNC2452",
			"tools": [
				"SNOWYAMBER",
				"HALFRIG",
				"QUARTERRIG"
			],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "20d3a08a-3b97-4b2f-90b8-92a89089a57a",
			"created_at": "2022-10-25T15:50:23.548494Z",
			"updated_at": "2026-04-10T02:00:05.292748Z",
			"deleted_at": null,
			"main_name": "APT29",
			"aliases": [
				"APT29",
				"IRON RITUAL",
				"IRON HEMLOCK",
				"NobleBaron",
				"Dark Halo",
				"NOBELIUM",
				"UNC2452",
				"YTTRIUM",
				"The Dukes",
				"Cozy Bear",
				"CozyDuke",
				"SolarStorm",
				"Blue Kitsune",
				"UNC3524",
				"Midnight Blizzard"
			],
			"source_name": "MITRE:APT29",
			"tools": [
				"PinchDuke",
				"ROADTools",
				"WellMail",
				"CozyCar",
				"Mimikatz",
				"Tasklist",
				"OnionDuke",
				"FatDuke",
				"POSHSPY",
				"EnvyScout",
				"SoreFang",
				"GeminiDuke",
				"reGeorg",
				"GoldMax",
				"FoggyWeb",
				"SDelete",
				"PolyglotDuke",
				"AADInternals",
				"MiniDuke",
				"SeaDuke",
				"Sibot",
				"RegDuke",
				"CloudDuke",
				"GoldFinder",
				"AdFind",
				"PsExec",
				"NativeZone",
				"Systeminfo",
				"ipconfig",
				"Impacket",
				"Cobalt Strike",
				"PowerDuke",
				"QUIETEXIT",
				"HAMMERTOSS",
				"BoomBox",
				"CosmicDuke",
				"WellMess",
				"VaporRage",
				"LiteDuke"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "f27790ff-4ee0-40a5-9c84-2b523a9d3270",
			"created_at": "2022-10-25T16:07:23.341684Z",
			"updated_at": "2026-04-10T02:00:04.549917Z",
			"deleted_at": null,
			"main_name": "APT 29",
			"aliases": [
				"APT 29",
				"ATK 7",
				"Blue Dev 5",
				"BlueBravo",
				"Cloaked Ursa",
				"CloudLook",
				"Cozy Bear",
				"Dark Halo",
				"Earth Koshchei",
				"G0016",
				"Grizzly Steppe",
				"Group 100",
				"ITG11",
				"Iron Hemlock",
				"Iron Ritual",
				"Midnight Blizzard",
				"Minidionis",
				"Nobelium",
				"NobleBaron",
				"Operation Ghost",
				"Operation Office monkeys",
				"Operation StellarParticle",
				"SilverFish",
				"Solar Phoenix",
				"SolarStorm",
				"StellarParticle",
				"TEMP.Monkeys",
				"The Dukes",
				"UNC2452",
				"UNC3524",
				"Yttrium"
			],
			"source_name": "ETDA:APT 29",
			"tools": [
				"7-Zip",
				"ATI-Agent",
				"AdFind",
				"Agentemis",
				"AtNow",
				"BEATDROP",
				"BotgenStudios",
				"CEELOADER",
				"Cloud Duke",
				"CloudDuke",
				"CloudLook",
				"Cobalt Strike",
				"CobaltStrike",
				"CosmicDuke",
				"Cozer",
				"CozyBear",
				"CozyCar",
				"CozyDuke",
				"Danfuan",
				"EnvyScout",
				"EuroAPT",
				"FatDuke",
				"FoggyWeb",
				"GeminiDuke",
				"Geppei",
				"GoldFinder",
				"GoldMax",
				"GraphDrop",
				"GraphicalNeutrino",
				"GraphicalProton",
				"HAMMERTOSS",
				"HammerDuke",
				"LOLBAS",
				"LOLBins",
				"LiteDuke",
				"Living off the Land",
				"MagicWeb",
				"Mimikatz",
				"MiniDionis",
				"MiniDuke",
				"NemesisGemina",
				"NetDuke",
				"OnionDuke",
				"POSHSPY",
				"PinchDuke",
				"PolyglotDuke",
				"PowerDuke",
				"QUIETEXIT",
				"ROOTSAW",
				"RegDuke",
				"Rubeus",
				"SNOWYAMBER",
				"SPICYBEAT",
				"SUNSHUTTLE",
				"SeaDaddy",
				"SeaDask",
				"SeaDesk",
				"SeaDuke",
				"Sharp-SMBExec",
				"SharpView",
				"Sibot",
				"Solorigate",
				"SoreFang",
				"TinyBaron",
				"WINELOADER",
				"WellMail",
				"WellMess",
				"cobeacon",
				"elf.wellmess",
				"reGeorg",
				"tDiscoverer"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434315,
	"ts_updated_at": 1775826770,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/263ea360554779e7cb0e645cbb8bf17a7d045526.pdf",
		"text": "https://archive.orkl.eu/263ea360554779e7cb0e645cbb8bf17a7d045526.txt",
		"img": "https://archive.orkl.eu/263ea360554779e7cb0e645cbb8bf17a7d045526.jpg"
	}
}