{
	"id": "9f08a2b8-55fc-40b1-9d39-ac08132c5846",
	"created_at": "2026-04-06T00:09:16.588917Z",
	"updated_at": "2026-04-10T03:37:32.908892Z",
	"deleted_at": null,
	"sha1_hash": "3a51961caa871423e2879abd85a4b2553712648f",
	"title": "Analysis of the SolarWinds Supply Chain Attack",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 113186,
	"plain_text": "Analysis of the SolarWinds Supply Chain Attack\r\nBy Tony Cook\r\nPublished: 2020-12-22 · Archived: 2026-04-02 11:12:30 UTC\r\nLatest Update 1/8/21 at 4pm ET\r\nThe intent of this analysis is to aggregate the wide distribution of information being shared and to provide insights and recommendations. As we continue to learn more about the recent SolarWinds attack, the GuidePoint team continues to gather and distill the information for consumption. Currently our team is tracking the group defined by FireEye as UNC2452, which is linked to the actor being tracked by the Volexity team as Dark Halo.\r\nOngoing Analysis of the SolarWinds Breach\r\nUpdate: 1/8/21 at 4pm ET\r\nContinuing our updates on the ever-evolving SolarWinds whirlwind, CISA released updated guidance and Alert (AA20-352A) for Federal Agencies affected by the Orion Platform breach. This guidance confirms that an NSA static code review was conducted on the SolarWinds Orion Platform version 2020.2.1 HF2 update to ensure that both the vulnerabilities and the previously included malicious code had been remediated. CISA further recommends that agencies which have not seen the follow-on malicious activity either rebuild their SolarWinds Orion server(s) to the current version or simply update their existing SolarWinds Orion instance in accordance with their hardening guidance. Agencies which have seen follow-on activity should keep their SolarWinds Orion infrastructure disconnected from their network while conducting an investigation.\r\nThe updated alert includes new information on initial access vectors, updated mitigation recommendations, and new indicators of compromise (IOCs). An important takeaway from the CISA alert is that during the course of several recent investigations sharing commonalities in adversarial behavior, SolarWinds was not the only intrusion vector observed. 
This highlights the importance of continuing to monitor and hunt for intrusion vectors not related to SolarWinds vulnerabilities – many clients may have a false sense of security if they do not have SolarWinds in their environment. The other forms of initial access detailed in the updated alert include password guessing, password spraying, and exploiting external remote access services with inappropriately secured administrative credentials. As more details continue to develop, we expect the list of initial intrusion vectors to continue to grow.\r\nAnother point CISA brings up in their Alert is the concept of Operational Security during the Incident Response process, especially when planning and implementing remediation steps. Ensuring that your incident response plan includes out-of-band communication methods can be the difference between a successful remediation and the adversary keeping a foothold in your environment.\r\nAdditionally, the SolarWinds Orion 0-day vulnerability which allowed the Supernova webshell to be installed is being tracked as CVE-2020-10148 (thanks to Nick Carr @ItsReallyNick for the confirmation). This vulnerability could enable an attacker to bypass authentication and allow for API command execution, which may lead to a compromise of the Orion application. While Supernova is being attributed to a different threat actor than was observed with Sunburst, this is still a potentially high-impact vulnerability and we recommend implementing proactive hunting and detection measures to determine if your SolarWinds instance has been affected.\r\nhttps://www.guidepointsecurity.com/analysis-of-the-solarwinds-supply-chain-attack/\r\nPage 1 of 12\r\nUpdate: 12/23/20 at 9am ET\r\nThe Volexity team discovered three incidents attributed to the same actor (Dark Halo) starting in late 2019 targeting an unnamed think tank. 
In the initial attack, the actor utilized a Microsoft Exchange vulnerability that allowed them to bypass multi-factor authentication (MFA) used to secure email access. Once in the environment, the actor utilized living-off-the-land binaries (LOLBAS) in weekly operations with the intent of extracting emails from targeted individuals. Upon identification of the threat actor’s activities, the actor was successfully removed from the network as a result of response efforts.\r\nHowever, a short time after the remediation, the actor once again infiltrated the environment using a remote code execution vulnerability (CVE-2020-0688) targeting an on-premises Microsoft Exchange server. Utilization of this exploit allowed the threat actor further access to the environment, at which time they were able to use a “novel technique” to exploit the normal Duo MFA execution flow. Using this technique, the actor compromised the Duo integration secret key from the present OWA instance. This allowed the threat actors to pre-compute the security identifier for authentication and authorization. It’s important to note that this was not a vulnerability in the Duo software itself. By simply having the privileges required to obtain the key, the actor was able to calculate the value of the required cookie for authentication. The actors were discovered once again and eradicated from the network.\r\nIn the third and final attack, dating back to July 2020, the actors were seen utilizing the compromised SolarWinds DLL to gain access to the targeted environment. Once inside the network, the actors operated using tactics similar to those observed in previous intrusions. One noted objective for the actor in each of these intrusions was access to the Exchange environment. 
\r\nRecent information on the SolarWinds DLL, tracked as SUNBURST (FireEye) and Solorigate (Microsoft), has shown that the actors behind the compromise may have had access to the Orion codebase as far back as October 10th, 2019. It’s been determined that SolarWinds Orion 2019.4 HF 5 through 2020.2.1 were affected, with the following hotfixes released to fix the issues:\r\n2020.2.1 HF 1\r\n2020.2.1 HF 2\r\nAdditional analysis by various teams has determined that the SUPERNOVA webshell discovered during initial analysis by FireEye may not be related to UNC2452/Dark Halo. Researchers have concluded that, due to the unsigned nature of the binary, it is likely not as sophisticated as the Sunburst/Solorigate attack and is potentially the work of a second actor. Further research is being conducted to determine the attribution of the webshell.\r\nInitial Analysis of the SolarWinds Breach\r\nPosted on 12/14/20\r\nRecent disclosure and documentation by FireEye, beginning on 14 December, reported that FireEye was the victim of a highly sophisticated, state-sponsored attack. As more and more details are released about the attack, it has been confirmed this was part of a much larger campaign affecting numerous organizations and government agencies globally. This attack, which may have started as early as March 2020, was executed through the use of a supply chain compromise originating out of the SolarWinds Orion product. While full details around the compromise of the SolarWinds product are not currently known, we do know that a legitimate DLL used to support the product was modified to allow the actors remote access into SolarWinds customer environments. This access could allow actors to deliver second-stage payloads, move laterally, and ultimately achieve their attack objectives. 
\r\nWhat has been reported thus far is that actors compromised a version of SolarWinds Orion, which was deployed to SolarWinds clients through legitimate software updates. Once successfully deployed, the actors achieved initial access to the environment, which was then followed by attempts to achieve persistent access through compromising privileged accounts or by forging SAML tokens to allow for a specific level of access. The primary goal for the actors appears to be establishing a legitimate and persistent access mechanism into the environment that can be used as the primary method of ingress. After they have established this access method, the actor subsequently utilizes known tools such as Cobalt Strike’s BEACON module to move laterally and perform environment-specific actions-on-objective, as well as ensure they have foothold access into Exchange email environments.\r\nIt is important to note that while this particular attack focuses on SolarWinds as the initial access point through a supply chain vector, this could easily be applied to other products or services being widely used in customer environments. This solidifies and reiterates the need to fully understand your network and follow best practices for hygiene, proactive defense measures, threat hunting, and response. We also highly recommend threat modeling similar attack scenarios, followed by threat hunts to determine the likelihood that an organization has been affected.\r\nTactical Information \u0026 Recommendations\r\nIn order to provide customers with a solid strategy to identify and respond to this attack, as well as to ensure protection against similar types of attacks, GuidePoint Security’s DFIR team has developed the following tactical information and recommendations based on details collected from FireEye, Microsoft and SolarWinds reports. 
\r\nThe following information can be used agnostic of any specific toolset while vendors continue to develop product-specific detection capabilities.\r\nBelow are the high-level steps that GuidePoint recommends for anyone using SolarWinds Orion, along with supporting technical details.\r\nIsolate\r\nEnsure that the SolarWinds Orion appliance is isolated from the network until a patch can be deployed. If any evidence of compromise is found, it should be further isolated from the internal network.\r\nPatch / Stay Up to Date\r\nSolarWinds: Organizations leveraging SolarWinds Orion Platform v2020.2 without a hotfix or 2020.2 HF 1 should upgrade to Orion Platform version 2020.2.1 HF 2 as soon as possible. For more information on SolarWinds’ guidance, go to https://www.solarwinds.com/securityadvisory.\r\nSecurity Products: As security vendors release additional content related to this attack, it is important to remain up to date and vigilant on what the content detects/protects.\r\nHunt / Validate\r\nMultiple Indicators of Compromise (IOCs) have been released thus far in the investigation. Confirm not only whether you were vulnerable, but also leverage the indicators provided here, as well as those distributed by the various vendors, to validate that you haven’t been further impacted. GuidePoint recommends that organizations perform threat hunting activities in order to identify if any IOCs are present in their environment.\r\nBehavioral Indicators\r\nThe primary communication mechanisms reported are HTTP with domain name fields matching the domains listed in the FireEye IOCs, and HTTP communications containing XML responses with control codes embedded in various locations in the XML tree. 
\r\nSUNBURST SolarWinds Orion Backdoor\r\nThe SUNBURST malware communicates over an HTTP C2 channel with callouts delayed by a configurable timeframe. The default value for this delay is one minute between callouts. This communication channel uses a separate set of HTTP methods for requesting data from and sending data to the C2 server. The HTTP GET or HEAD methods are used when the malware is requesting data from the C2 server, and the HTTP PUT or POST methods are used when the malware needs to send data to the C2 server. The malware will use the PUT method to send data when the payload (HTTP body length) is less than 10,000 bytes. Any payloads larger than 10,000 bytes will use the POST method. The payload format being sent to the C2 server for both the PUT and POST requests is JSON containing the following schema:\r\nEach HTTP request contains the ‘If-None-Match’ HTTP header, with a XOR-encoded value. Methods of hunting for this activity are as follows:\r\nOutbound HTTP PUT requests with Content-Length \u003c 10000 and ‘If-None-Match’ HTTP header\r\nOutbound HTTP POST requests with Content-Length \u003e 10000 and ‘If-None-Match’ HTTP header\r\nOutbound HTTP PUT or POST requests with HTTP request Content-Type header value of ‘application/json’\r\nAnalysis conducted by FireEye and Microsoft determined that the SUNBURST backdoor used DNS resolutions of avsvmcloud[.]com as a built-in killswitch, depending on the IP address returned during the DNS query. FireEye and Microsoft worked together with GoDaddy to take over the malicious domain and modify the IP address returned during DNS resolution to mitigate the effectiveness of the SUNBURST backdoor.\r\nTEARDROP Dropper\r\nDuring FireEye’s analysis of the SolarWinds Supply Chain Compromise, they discovered a previously unobserved dropper that they have dubbed TEARDROP. 
This dropper has been found to run as a service and is responsible for loading additional executable code into memory with no on-disk presence. Based on details from FireEye, it appears that the TEARDROP dropper is associated with the file “C:\\Windows\\SYSWOW64\\netsetupsvc.dll”. Additionally, FireEye observed TEARDROP’s loading process, which reads from the file “gracious_truth.jpg”; this file contains the obfuscated payload and uses a fake JPG file header, and the dropper uses a rolling XOR algorithm to decode the payload before executing it in memory. According to FireEye’s analysis of TEARDROP, this dropper could load any executable code into memory for execution, but was likely used to execute a customized Cobalt Strike BEACON.\r\nFireEye created YARA signatures that can be used to detect TEARDROP on impacted systems, which can be found here.\r\nSUPERNOVA .NET SolarWinds Service Webshell\r\nGuidePoint recently released a blog regarding the SUPERNOVA .NET webshell backdoor masquerading as a legitimate SolarWinds web service handler. This .NET module inspects inbound HTTP requests and responds to HTTP requests sent with specific query strings, cookies, or HTML form values. The .NET webshell is located under the filename ‘app_web_logoimagehandler.ashx.\u003c8 alphanumeric chars\u003e.dll’. 
The request will also contain values for the following parameters, which are used to compile anonymous code for execution by the webshell:\r\ncodes: This parameter stores compiler codes to be passed to the webshell during compilation\r\nclazz: The C# Class name to compile as a module for execution by the webshell\r\nmethod: The C# Class Method to be called within the C# Class listed by the ‘clazz’ parameter\r\nargs: Newline-delimited list of arguments to pass as parameters to the C# Method listed by the ‘method’ parameter\r\nThe result of the in-memory execution of this compiled code will be written directly to the HTTP Response body, and the HTTP Response Content-Type Header will have the value of ‘text/plain’. Methods to identify this activity are as follows:\r\nInbound HTTP GET Requests with:\r\nURI file ending with logoimagehandler.ashx AND\r\nHTTP body parameters of ‘codes’, ‘clazz’, ‘method’, or ‘args’ AND\r\nHTTP Response Status Code of 200 AND\r\nHTTP Response Content-Type Header Value of text/plain\r\nInbound HTTP POST Requests with:\r\nURI file ending with logoimagehandler.ashx AND\r\nHTTP Response Status Code of 200 AND/OR\r\nHTTP Response Content-Type Header Value of text/plain\r\nCobalt Strike BEACON\r\nOne method of lateral movement was reported as remote scheduled tasks implementing Cobalt Strike BEACON via %COMSPEC% or PowerShell encoded command executions. For each Cobalt Strike BEACON Scheduled Task, there would be a network communication occurring commensurate with the execution of the Scheduled Task. One method of identifying this activity is to review Scheduled Task execution in the environment, specifically Task Names and their associated binary/command executions. 
Since these actors have been reported to execute the malicious Task in between a remove-and-restore cycle of a legitimate Scheduled Task, analysts will want to review:\r\nAny Scheduled Task modifications conducted in rapid succession\r\nMultiple Scheduled Task executions of the same Task Name with differing binaries/command executions on the same host\r\nScheduled Task executions in which there is a network connection outbound to TCP/443 by the Task binary\r\nScheduled Task executions with a Command Line value containing ‘%COMSPEC%’, ‘cmd’, or ‘powershell’, or with cmd.exe or powershell.exe executions associated with the Scheduled Task execution\r\nAdditional behavioral indications of usage of modules present within Cobalt Strike BEACON and reported lateral movement are as follows:\r\nWindows Service (Event ID 7045) or Scheduled Task (Event ID 4698, 4700) creations with 7-character pseudo-random alphanumeric Service or Task Names\r\nWindows Services (Event ID 7045) or Scheduled Tasks (Event ID 4698, 4700) with Service Filename or Command containing UNC ADMIN$ share path references, beginning with either the loopback IP address or an RFC1918 address (ex: ‘\\\\127.0.0.1\\ADMIN$\\\u003c7-character\u003e.exe’)\r\nPowerShell (Event ID 400) with the following values:\r\nHostName: ConsoleHost\r\nHostApplication contains ‘rundll32.exe’\r\nHostVersion and EngineVersion with different version numbers\r\nEx: HostVersion: 1.0 and EngineVersion: 5.1.17763.1\r\nPowerShell (Event ID 400) with a Base64-encoded value in the HostApplication field\r\nRecent changes in NTFS FileName Creation Time for Scheduled Task or at job files located in C:\\Windows\\System32\\Tasks or C:\\Windows\\Tasks. 
Each Scheduled Task and at job should be reviewed for any outlying recent NTFS Creation timestamps or unauthorized commands.\r\nAtomic Indicators\r\nDomains\r\nIP Addresses\r\nFile Hashes: SUNBURST\r\nMicrosoft published a list of nineteen malicious SolarWinds.Orion.Core.BusinessLayer.dll DLL files spotted in the wild. We have listed them below with the file version and date first seen.\r\nFile Hashes: SUPERNOVA and TEARDROP\r\nResources\r\nWhile we’ve collected some general guidance and recommendations regarding this threat, our partnering solution providers should be developing specific content unique to their technologies as more information is becoming available. 
Further details on the attack and recommendations can also be found in the following posts by Microsoft, SolarWinds \u0026 FireEye, who are currently working to overcome these attacks.\r\nhttps://msrc-blog.microsoft.com/2020/12/13/customer-guidance-on-recent-nation-state-cyber-attacks/\r\nhttps://blogs.microsoft.com/on-the-issues/2020/12/13/customers-protect-nation-state-cyberattacks/\r\nhttps://www.fireeye.com/blog/threat-research/2020/12/evasive-actor-leverages-solarwinds-supply-chain-compromises-with-sunburst-backdoor.html\r\nhttps://github.com/fireeye/sunburst_countermeasures\r\nhttps://www.solarwinds.com/securityadvisory\r\nhttps://www.volexity.com/blog/2020/12/14/dark-halo-leverages-solarwinds-compromise-to-breach-organizations/\r\nhttps://community.riskiq.com/article/c98949a2\r\nhttps://www.bleepingcomputer.com/news/security/us-govt-fireeye-breached-after-solarwinds-supply-chain-attack/\r\nhttps://www.bleepingcomputer.com/news/security/new-supernova-backdoor-found-in-solarwinds-cyberattack-analysis/\r\nhttps://www.bleepingcomputer.com/news/microsoft/microsoft-confirms-breach-in-solarwinds-hack-denies-infecting-others/\r\nhttps://www.bleepingcomputer.com/news/security/microsoft-identifies-40-plus-victims-of-solarwinds-hack-80-percent-from-us/\r\nhttps://www.bleepingcomputer.com/news/security/us-think-tank-breached-three-times-in-a-row-by-solarwinds-hackers/\r\nhttps://www.bleepingcomputer.com/news/security/the-solarwinds-cyberattack-the-hack-the-victims-and-what-we-know/\r\nhttps://www.bleepingcomputer.com/news/security/fireeye-microsoft-create-kill-switch-for-solarwinds-backdoor/\r\nhttps://www.guidepointsecurity.com/supernova-solarwinds-net-webshell-analysis/\r\nhttps://blog.talosintelligence.com/2020/12/solarwinds-supplychain-coverage.html\r\nSource: 
https://www.guidepointsecurity.com/analysis-of-the-solarwinds-supply-chain-attack/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"references": [
		"https://www.guidepointsecurity.com/analysis-of-the-solarwinds-supply-chain-attack/"
	],
	"report_names": [
		"analysis-of-the-solarwinds-supply-chain-attack"
	],
	"threat_actors": [
		{
			"id": "d90307b6-14a9-4d0b-9156-89e453d6eb13",
			"created_at": "2022-10-25T16:07:23.773944Z",
			"updated_at": "2026-04-10T02:00:04.746188Z",
			"deleted_at": null,
			"main_name": "Lead",
			"aliases": [
				"Casper",
				"TG-3279"
			],
			"source_name": "ETDA:Lead",
			"tools": [
				"Agentemis",
				"BleDoor",
				"Cobalt Strike",
				"CobaltStrike",
				"RbDoor",
				"RibDoor",
				"Winnti",
				"cobeacon"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "b43e5ea9-d8c8-4efa-b5bf-f1efb37174ba",
			"created_at": "2022-10-25T16:07:24.36191Z",
			"updated_at": "2026-04-10T02:00:04.954902Z",
			"deleted_at": null,
			"main_name": "UNC2452",
			"aliases": [
				"Dark Halo",
				"Nobelium",
				"SolarStorm",
				"StellarParticle",
				"UNC2452"
			],
			"source_name": "ETDA:UNC2452",
			"tools": [],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "1d3f9dec-b033-48a5-8b1e-f67a29429e89",
			"created_at": "2022-10-25T15:50:23.739197Z",
			"updated_at": "2026-04-10T02:00:05.275809Z",
			"deleted_at": null,
			"main_name": "UNC2452",
			"aliases": [
				"UNC2452",
				"NOBELIUM",
				"StellarParticle",
				"Dark Halo"
			],
			"source_name": "MITRE:UNC2452",
			"tools": [
				"Sibot",
				"Mimikatz",
				"Cobalt Strike",
				"AdFind",
				"GoldMax"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "5b748f86-ac32-4715-be9f-6cf25ae48a4e",
			"created_at": "2024-06-04T02:03:07.956135Z",
			"updated_at": "2026-04-10T02:00:03.689959Z",
			"deleted_at": null,
			"main_name": "IRON HEMLOCK",
			"aliases": [
				"APT29 ",
				"ATK7 ",
				"Blue Kitsune ",
				"Cozy Bear ",
				"The Dukes",
				"UNC2452 ",
				"YTTRIUM "
			],
			"source_name": "Secureworks:IRON HEMLOCK",
			"tools": [
				"CosmicDuke",
				"CozyCar",
				"CozyDuke",
				"DiefenDuke",
				"FatDuke",
				"HAMMERTOSS",
				"LiteDuke",
				"MiniDuke",
				"OnionDuke",
				"PolyglotDuke",
				"RegDuke",
				"RegDuke Loader",
				"SeaDuke",
				"Sliver"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "a241a1ca-2bc9-450b-a07b-aae747ee2710",
			"created_at": "2024-06-19T02:03:08.150052Z",
			"updated_at": "2026-04-10T02:00:03.737173Z",
			"deleted_at": null,
			"main_name": "IRON RITUAL",
			"aliases": [
				"APT29",
				"Blue Dev 5 ",
				"BlueBravo ",
				"Cloaked Ursa ",
				"CozyLarch ",
				"Dark Halo ",
				"Midnight Blizzard ",
				"NOBELIUM ",
				"StellarParticle ",
				"UNC2452 "
			],
			"source_name": "Secureworks:IRON RITUAL",
			"tools": [
				"Brute Ratel C4",
				"Cobalt Strike",
				"EnvyScout",
				"GoldFinder",
				"GoldMax",
				"NativeZone",
				"RAINDROP",
				"SUNBURST",
				"Sibot",
				"TEARDROP",
				"VaporRage"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "70872c3a-e788-4b55-a7d6-b2df52001ad0",
			"created_at": "2023-01-06T13:46:39.18401Z",
			"updated_at": "2026-04-10T02:00:03.239111Z",
			"deleted_at": null,
			"main_name": "UNC2452",
			"aliases": [
				"DarkHalo",
				"StellarParticle",
				"NOBELIUM",
				"Solar Phoenix",
				"Midnight Blizzard"
			],
			"source_name": "MISPGALAXY:UNC2452",
			"tools": [
				"SNOWYAMBER",
				"HALFRIG",
				"QUARTERRIG"
			],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "20d3a08a-3b97-4b2f-90b8-92a89089a57a",
			"created_at": "2022-10-25T15:50:23.548494Z",
			"updated_at": "2026-04-10T02:00:05.292748Z",
			"deleted_at": null,
			"main_name": "APT29",
			"aliases": [
				"APT29",
				"IRON RITUAL",
				"IRON HEMLOCK",
				"NobleBaron",
				"Dark Halo",
				"NOBELIUM",
				"UNC2452",
				"YTTRIUM",
				"The Dukes",
				"Cozy Bear",
				"CozyDuke",
				"SolarStorm",
				"Blue Kitsune",
				"UNC3524",
				"Midnight Blizzard"
			],
			"source_name": "MITRE:APT29",
			"tools": [
				"PinchDuke",
				"ROADTools",
				"WellMail",
				"CozyCar",
				"Mimikatz",
				"Tasklist",
				"OnionDuke",
				"FatDuke",
				"POSHSPY",
				"EnvyScout",
				"SoreFang",
				"GeminiDuke",
				"reGeorg",
				"GoldMax",
				"FoggyWeb",
				"SDelete",
				"PolyglotDuke",
				"AADInternals",
				"MiniDuke",
				"SeaDuke",
				"Sibot",
				"RegDuke",
				"CloudDuke",
				"GoldFinder",
				"AdFind",
				"PsExec",
				"NativeZone",
				"Systeminfo",
				"ipconfig",
				"Impacket",
				"Cobalt Strike",
				"PowerDuke",
				"QUIETEXIT",
				"HAMMERTOSS",
				"BoomBox",
				"CosmicDuke",
				"WellMess",
				"VaporRage",
				"LiteDuke"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "f27790ff-4ee0-40a5-9c84-2b523a9d3270",
			"created_at": "2022-10-25T16:07:23.341684Z",
			"updated_at": "2026-04-10T02:00:04.549917Z",
			"deleted_at": null,
			"main_name": "APT 29",
			"aliases": [
				"APT 29",
				"ATK 7",
				"Blue Dev 5",
				"BlueBravo",
				"Cloaked Ursa",
				"CloudLook",
				"Cozy Bear",
				"Dark Halo",
				"Earth Koshchei",
				"G0016",
				"Grizzly Steppe",
				"Group 100",
				"ITG11",
				"Iron Hemlock",
				"Iron Ritual",
				"Midnight Blizzard",
				"Minidionis",
				"Nobelium",
				"NobleBaron",
				"Operation Ghost",
				"Operation Office monkeys",
				"Operation StellarParticle",
				"SilverFish",
				"Solar Phoenix",
				"SolarStorm",
				"StellarParticle",
				"TEMP.Monkeys",
				"The Dukes",
				"UNC2452",
				"UNC3524",
				"Yttrium"
			],
			"source_name": "ETDA:APT 29",
			"tools": [
				"7-Zip",
				"ATI-Agent",
				"AdFind",
				"Agentemis",
				"AtNow",
				"BEATDROP",
				"BotgenStudios",
				"CEELOADER",
				"Cloud Duke",
				"CloudDuke",
				"CloudLook",
				"Cobalt Strike",
				"CobaltStrike",
				"CosmicDuke",
				"Cozer",
				"CozyBear",
				"CozyCar",
				"CozyDuke",
				"Danfuan",
				"EnvyScout",
				"EuroAPT",
				"FatDuke",
				"FoggyWeb",
				"GeminiDuke",
				"Geppei",
				"GoldFinder",
				"GoldMax",
				"GraphDrop",
				"GraphicalNeutrino",
				"GraphicalProton",
				"HAMMERTOSS",
				"HammerDuke",
				"LOLBAS",
				"LOLBins",
				"LiteDuke",
				"Living off the Land",
				"MagicWeb",
				"Mimikatz",
				"MiniDionis",
				"MiniDuke",
				"NemesisGemina",
				"NetDuke",
				"OnionDuke",
				"POSHSPY",
				"PinchDuke",
				"PolyglotDuke",
				"PowerDuke",
				"QUIETEXIT",
				"ROOTSAW",
				"RegDuke",
				"Rubeus",
				"SNOWYAMBER",
				"SPICYBEAT",
				"SUNSHUTTLE",
				"SeaDaddy",
				"SeaDask",
				"SeaDesk",
				"SeaDuke",
				"Sharp-SMBExec",
				"SharpView",
				"Sibot",
				"Solorigate",
				"SoreFang",
				"TinyBaron",
				"WINELOADER",
				"WellMail",
				"WellMess",
				"cobeacon",
				"elf.wellmess",
				"reGeorg",
				"tDiscoverer"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434156,
	"ts_updated_at": 1775792252,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/3a51961caa871423e2879abd85a4b2553712648f.pdf",
		"text": "https://archive.orkl.eu/3a51961caa871423e2879abd85a4b2553712648f.txt",
		"img": "https://archive.orkl.eu/3a51961caa871423e2879abd85a4b2553712648f.jpg"
	}
}