# Twenty-three SUNBURST Targets Identified

**netresec.com** | Erik Hjelmvik, Monday, 25 January 2021 08:25:00 (UTC/GMT)

Remember when Igor Kuznetsov and Costin Raiu announced that two of the victims in [FireEye's SUNBURST IOC list](https://github.com/fireeye/sunburst_countermeasures/blob/main/indicator_release/Indicator_Release_NBIs.csv) were `***net.***.com` and `central.***.gov` on Kaspersky's [Securelist blog](https://securelist.com/sunburst-connecting-the-dots-in-the-dns-requests/99862/) in December? Reuters later [reported](https://www.reuters.com/article/usa-cyber/solarwinds-hackers-broke-into-u-s-cable-firm-and-arizona-county-web-records-show-idUSKBN28S2B9) that these victims were Cox Communications and Pima County. We can now reveal that the internal AD domain of all SUNBURST deployments in FireEye's IOC list can be extracted from publicly available DNS logs published by twitter user [VriesHd](https://twitter.com/VriesHd/status/1339673992307892224), a.k.a. "Kira 2.0", with help of our [SunburstDomainDecoder](https://netresec.com/?b=20C0f71) tool. The data published by VriesHd is the most complete SUNBURST DNS collection we've seen, with over 35,000 avsvmcloud.com subdomains!
Here is FireEye's IOC table completed with our findings:

**Victims Targeted with SUNBURST Stage 2 Backdoor**

| Leaked AD Domain | Sunburst C2 FQDN | Stage 2 CNAME | Timestamp (UTC) |
|---|---|---|---|
| central.pima.gov | 6a57jk2ba1d9keg15cbg.appsyncapi.eu-west-1.avsvmcloud.com | freescanonline[.]com | 2020-06-13 09:00 |
| central.pima.gov | 7sbvaemscs0mc925tb99.appsyncapi.us-west-2.avsvmcloud.com | deftsecurity[.]com | 2020-06-11 22:30 |
| central.pima.gov | gq1h856599gqh538acqn.appsyncapi.us-west-2.avsvmcloud.com | thedoccloud[.]com | 2020-06-13 08:30 |
| coxnet.cox.com | ihvpgv9psvq02ffo77et.appsyncapi.us-east-2.avsvmcloud.com | freescanonline[.]com | 2020-06-20 02:30 |
| corp.qualys.com | k5kcubuassl3alrf7gm3.appsyncapi.eu-west-1.avsvmcloud.com | thedoccloud[.]com | 2020-07-22 17:00 |
| corp.qualys.com | mhdosoksaccf9sni9icp.appsyncapi.eu-west-1.avsvmcloud.com | thedoccloud[.]com | 2020-07-23 18:30 |

It was not just the victims listed in FireEye's IOC that were specifically targeted by the SUNBURST operators. As explained in our [Finding Targeted SUNBURST Victims with pDNS](https://netresec.com/?b=2113a6a) blog post, the "STAGE2" flag in SUNBURST's DNS beacons can be used to reveal additional organizations that were singled out as interesting targets by the threat actors. We'd like to stress that the majority of all companies and organizations that have installed a backdoored SolarWinds Orion update were never targeted by the threat actors. This means that these SUNBURST backdoors never made it past what we call "Stage 1 operation", [where the backdoor encodes the internal AD domain name and installed security products](https://netresec.com/?b=20C1c3b) into DNS requests. SUNBURST backdoors in Stage 1 operation cannot accept any commands from the C2 server without first progressing into Stage 2 operation. We estimate that about 99.5% of the installed SUNBURST backdoors never progressed into Stage 2 operation.
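As an added illustration, not part of the original post or of the SunburstDomainDecoder tool, the Python below scans passive-DNS lines for avsvmcloud.com beacon names whose CNAME answer points at one of the three second-stage domains from the table above, which is the signal an incident responder would hunt for in their own resolver logs. The log line layout, the `parse_line`/`find_stage2_beacons` names and the sample records are constructed assumptions for this example; only the beacon FQDNs are taken from the table.

```python
import re

# Second-stage C2 domains named in the post (defanging brackets removed).
STAGE2_DOMAINS = {"freescanonline.com", "deftsecurity.com", "thedoccloud.com"}
BEACON_SUFFIX = ".avsvmcloud.com"

# Hypothetical passive-DNS line layout: "<date> <time> <qname> <rtype> <rdata>".
LINE_RE = re.compile(r"^(\S+ \S+)\s+(\S+)\s+(A|CNAME)\s+(\S+)$")

def parse_line(line):
    """Return (timestamp, qname, rtype, rdata) or None for lines that do not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts, qname, rtype, rdata = m.groups()
    return ts, qname.lower().rstrip("."), rtype, rdata.lower().rstrip(".")

def find_stage2_beacons(lines):
    """Map each avsvmcloud.com beacon FQDN whose CNAME answer points at a known
    second-stage domain to the earliest (timestamp, cname) observed for it."""
    hits = {}
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue  # skip malformed or non-DNS lines
        ts, qname, rtype, rdata = rec
        if not qname.endswith(BEACON_SUFFIX) or rtype != "CNAME":
            continue  # Stage 1 beacons answered with A records are not Stage 2 signals
        # The CNAME target may be the stage-2 domain itself or a host under it.
        if any(rdata == d or rdata.endswith("." + d) for d in STAGE2_DOMAINS):
            if qname not in hits or ts < hits[qname][0]:  # ISO timestamps sort lexically
                hits[qname] = (ts, rdata)
    return hits

# Constructed sample records: the A answer (documentation range) and the
# last beacon name are made up; the other beacon names come from the table.
SAMPLE_LOG = """
2020-06-10 08:00 7sbvaemscs0mc925tb99.appsyncapi.us-west-2.avsvmcloud.com A 192.0.2.10
2020-06-11 22:30 7sbvaemscs0mc925tb99.appsyncapi.us-west-2.avsvmcloud.com CNAME deftsecurity.com
2020-06-13 09:00 6a57jk2ba1d9keg15cbg.appsyncapi.eu-west-1.avsvmcloud.com CNAME freescanonline.com
2020-06-20 02:30 ihvpgv9psvq02ffo77et.appsyncapi.us-east-2.avsvmcloud.com CNAME freescanonline.com
2020-07-01 12:00 abcdefghijklmnopqrst.appsyncapi.us-east-1.avsvmcloud.com A 192.0.2.10
this line is not a DNS record
""".strip().splitlines()

if __name__ == "__main__":
    for fqdn, (ts, cname) in sorted(find_stage2_beacons(SAMPLE_LOG).items()):
        print(f"{ts}  {fqdn}  -> {cname}")
```

Beacons that only ever received A-record answers stay in Stage 1 and are not reported, matching the post's distinction between the two stages.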
Here is the full list of internal AD domain names from the SUNBURST deployments in VriesHd's DNS data that actually did enter Stage 2 operation according to our analysis:

- [central.pima.gov (confirmed)](https://www.tucsonsentinel.com/local/report/121820_solarwinds_pima_hacking/solarwinds-govt-hack-hit-pima-county-servers/)
- [cisco.com (confirmed)](https://www.bloomberg.com/news/articles/2020-12-18/cisco-latest-victim-of-russian-cyber-attack-using-solarwinds)
- [corp.qualys.com (confirmed)](https://www.forbes.com/sites/thomasbrewster/2021/01/25/solarwinds-hacks-virginia-regulator-and-5-billion-cybersecurity-firm-confirmed-as-targets/)
- [coxnet.cox.com (confirmed)](https://www.reuters.com/article/uk-usa-cyber/solarwinds-hackers-broke-into-u-s-cable-firm-and-arizona-county-web-records-show-idUKKBN28S2CT)
- ddsn.gov
- fc.gov
- fox.local
- [ggsg-us.cisco.com (confirmed)](https://www.bloomberg.com/news/articles/2020-12-18/cisco-latest-victim-of-russian-cyber-attack-using-solarwinds)
- [HQ.FIDELIS (confirmed)](https://fidelissecurity.com/threatgeek/data-protection/ongoing-analysis-solarwinds-impact/)
- jpso.gov
- lagnr.chevrontexaco.net
- logitech.local
- los.local
- [mgt.srb.europa* (confirmed)](https://www.forbes.com/sites/thomasbrewster/2021/01/25/solarwinds-hacks-virginia-regulator-and-5-billion-cybersecurity-firm-confirmed-as-targets/?sh=111ff6687f17)
- ng ds army mil
- [nsanet.local (not the NSA)](https://www.forbes.com/sites/thomasbrewster/2021/01/25/solarwinds-hacks-virginia-regulator-and-5-billion-cybersecurity-firm-confirmed-as-targets/)
- [paloaltonetworks* (confirmed)](https://unit42.paloaltonetworks.com/solarstorm-supply-chain-attack-timeline/)
- phpds.org
- [scc.state.va.us (confirmed)](https://www.forbes.com/sites/thomasbrewster/2021/01/25/solarwinds-hacks-virginia-regulator-and-5-billion-cybersecurity-firm-confirmed-as-targets/)
- suk.sas.com
- vgn.viasatgsd.com
- wctc.msft
- WincoreWindows.local

Our [SUNBURST STAGE2 Victim Table](https://netresec.com/?b=2113a6a) has now been updated with additional details about the STAGE2 signaling from these SUNBURST implants, including timestamps, avsvmcloud.com subdomains and GUID values.

**Initial Microsoft Targeting FAIL**

The last two entries in the AD domain list above are interesting, since they both hint that the targeted entity might be Microsoft. The data that gets exfiltrated in DNS beacons during SUNBURST's initial stage is the internal domain the SolarWinds Orion PC is connected to and a list of installed security products on that PC. These domain names, security products and possibly also the victims' public IP addresses were the data available to the attackers when they decided which ones they wanted to proceed to Stage 2 with and thereby activate the HTTPS backdoor built into SUNBURST. The threat actors were probably surprised when they realized that "WincoreWindows.local" was in fact a company in West Virginia that manufactures high quality windows and doors.

The threat actors later found another backdoored SolarWinds Orion machine connected to a domain called "wctc.msft", which also sounds like it could be Microsoft.
Below is a table outlining relevant events for these two SUNBURST deployments that can be extracted from [VriesHd's SB2 spreadsheet](https://docs.google.com/spreadsheets/d/1fpyFt0GL2Swxn0Ihw43eu-kM7HlJXni0EvFYqqMRTz8/) with [SunburstDomainDecoder](https://netresec.com/?b=20C0f71).

| Target ID | Beaconed Data | Date |
|---|---|---|
| A887B592B7E5B550 | AD domain part 1: "WincoreW" | |
| A887B592B7E5B550 | AD domain part 2: "indows.local" | |
| A887B592B7E5B550 | AV Products: [none] | 2020-05-22 |
| | 🤔 _Threat actor decision: Target victim A887B592B7E5B550_ | |
| A887B592B7E5B550 | STAGE2 request for new C2 server in CNAME | |
| | 🤔 _Threat actor decision: These aren't the droids we're looking for_ | |
| 59956D687A42F160 | AD domain: "wctc.msft" | 2020-05-26 |
| 59956D687A42F160 | AV Products: [none] | 2020-06-20 |
| 59956D687A42F160 | Ping | 2020-06-21 |
| 59956D687A42F160 | Ping | 2020-06-22 |
| | 🤔 _Threat actor decision: Target victim 59956D687A42F160_ | |
| 59956D687A42F160 | STAGE2 request for new C2 server in CNAME | 2020-06-23 |

[Microsoft have been public about being hit by SUNBURST (or "Solorigate" as they call it)](https://msrc-blog.microsoft.com/2020/12/31/microsoft-internal-solorigate-investigation-update/), so we can assume that the threat actors eventually located a backdoored SolarWinds Orion installation in their networks.

**Victim Notification**

We spent the previous week reaching out to targeted companies and organizations, either directly or through CERT organizations. From what we understand, many of these organizations were already aware that they had been targeted victims of SUNBURST, even though they might not have gone public about the breach.

**The Ethical Dilemma**

We have no intention of shaming the organizations that have installed a backdoored SolarWinds Orion update, regardless of whether they were targeted by the threat actor or not. In fact, the supply chain security problem is an extremely difficult one to tackle, even for companies and organizations with very high security standards. This could have happened to anyone!
However, since multiple passive DNS logs and SUNBURST victim lists have been circulating through publicly available channels for over a month, we felt that it was now acceptable to publicly write about the analysis we've been doing based on all this data.

We'd also like to thank everyone who has helped collect and share passive DNS data, including John Bambenek, [Joe Słowik](https://twitter.com/jfslowik/status/1338321984527228928), [Rohit Bansal](https://pastebin.com/6EDgCKxd), [Dancho Danchev](https://ddanchev.blogspot.com/2020/12/exposing-solarwinds-malware-campaign.html), [Paul Vixie](https://twitter.com/paulvixie/status/1346557582559694848) and [VriesHd](https://twitter.com/VriesHd/status/1339673992307892224). This open data has been crucial in order to develop and verify our [SunburstDomainDecoder](https://netresec.com/?b=20C0f71) tool, which has been leveraged by numerous incident response teams to perform forensic analysis of DNS traffic from their SolarWinds Orion deployments.

**More Credits**

We'd like to thank [CERT-SE](https://cert.se/) and all other computer emergency response organizations that have helped us with the task of notifying organizations that were identified as targeted. We would also like to applaud companies and organizations like [FireEye](https://www.fireeye.com/blog/products-and-services/2020/12/fireeye-shares-details-of-recent-cyber-attack-actions-to-protect-community.html), Palo Alto Networks, [Fidelis Cybersecurity](https://fidelissecurity.com/threatgeek/data-protection/ongoing-analysis-solarwinds-impact/), [Microsoft](https://msrc-blog.microsoft.com/2020/12/31/microsoft-internal-solorigate-investigation-update/), the [U.S. Department of Energy](https://www.energy.gov/articles/doe-update-cyber-incident-related-solar-winds-compromise) and the [U.S. Federal Courts](https://www.uscourts.gov/news/2021/01/06/judiciary-addresses-cybersecurity-breach-extra-safeguards-protect-sensitive-court) for being transparent and publicly announcing that the SUNBURST backdoor had been used in an attempt to compromise their networks.

Tags: #SUNBURST #FireEye #Solorigate #Microsoft #SolarWinds #CNAME #STAGE2 #DNS #Passive DNS #avsvmcloud.com #pDNS