{ "id": "75ae0cbe-4497-457a-97c3-c632618f53ce", "created_at": "2026-04-06T00:13:25.22491Z", "updated_at": "2026-04-10T03:37:32.686693Z", "deleted_at": null, "sha1_hash": "4f144f8469cff9ebb2e3b38be1f911267e5903f7", "title": "Tracking Sunburst-Related Activity with ThreatConnect Dashboards | ThreatConnect", "llm_title": "", "authors": "", "file_creation_date": "0001-01-01T00:00:00Z", "file_modification_date": "0001-01-01T00:00:00Z", "file_size": 291618, "plain_text": "Tracking Sunburst-Related Activity with ThreatConnect\r\nDashboards | ThreatConnect\r\nBy ThreatConnect\r\nPublished: 2020-12-18 · Archived: 2026-04-05 15:37:17 UTC\r\nRecently FireEye discovered that the SolarWinds Orion IT monitoring platform was compromised earlier this\r\nyear. The threat actor used SolarWinds cryptographic keys to sign multiple backdoored files posing as Orion IT\r\nupdates. These files contained a hidden backdoor that would communicate via HTTP to external servers after\r\nremaining dormant for up to 2 weeks. The malware disguised communications as legitimate data being sent to\r\nSolarWinds.\r\nThe number of organizations affected by this malware is what makes the attack remarkable. SolarWinds estimates\r\napproximately 18,000 customers installed these malicious updates, including private sector organizations, the US\r\nDepartments of Treasury, Commerce and Homeland Security.\r\nAvailable immediately to ThreatConnect users is a Dashboard that provides a single location to view\r\nrelevant intelligence and indicators of compromise (IOCs) from across various sources related to the\r\nSolarWind event. The Dashboard helps consolidate intelligence that would otherwise take a large amount of time\r\nto identify in separate sources. Public Cloud users can now access a SUNBURST-Related Activity Dashboard by\r\nchoosing clicking that link or navigating to ‘Dashboard’ and choosing it from the drop down.\r\nhttps://threatconnect.com/blog/tracking-sunburst-related-activity-with-threatconnect-dashboards\r\nPage 1 of 3\n\nFor our customers leveraging our dedicated cloud or on-premises deployment options, the ThreatConnect\r\nCustomer Success Team has built out instructions on how to create this dashboard in your own, private instance.\r\nFind a write-up outlining this process and how to create the necessary Dashboard cards in the ThreatConnect\r\nLearning Management System.\r\nIn addition to the Dashboard above, for individuals and organizations looking for proactive alerts to new\r\nintelligence and indicators related to this activity, ThreatConnect provides the Follow capability. Following tags\r\nlike UNC2452, Dark Halo, or SUNBURST can generate an alert in the platform or to your email when that tag is\r\napplied to an indicator or group.\r\nWe hope that this information helps you answer some of the difficult questions around this recent series of attacks.\r\nBeyond just this specific instance, remember that you can modify these queries to create topical dashboards\r\naround whatever your high priority threats might be. TQL is your language for situational awareness.\r\nAbout the Author\r\nThreatConnect\r\nBy operationalizing threat and cyber risk intelligence, The ThreatConnect Platform changes the security\r\noperations battlefield, giving your team the advantage over the attackers. It enables you to maximize the efficacy\r\nand value of your threat intelligence and human knowledge, leveraging the native machine intelligence in the\r\nhttps://threatconnect.com/blog/tracking-sunburst-related-activity-with-threatconnect-dashboards\r\nPage 2 of 3\n\nThreatConnect Platform. Your team will maximize their impact, efficiency, and collaboration to become a\r\nproactive force in protecting the enterprise. Learn more at www.threatconnect.com.\r\nSubscribe\r\nto our Emails\r\nSource: https://threatconnect.com/blog/tracking-sunburst-related-activity-with-threatconnect-dashboards\r\nhttps://threatconnect.com/blog/tracking-sunburst-related-activity-with-threatconnect-dashboards\r\nPage 3 of 3", "extraction_quality": 1, "language": "EN", "sources": [ "Malpedia" ], "references": [ "https://threatconnect.com/blog/tracking-sunburst-related-activity-with-threatconnect-dashboards" ], "report_names": [ "tracking-sunburst-related-activity-with-threatconnect-dashboards" ], "threat_actors": [ { "id": "b43e5ea9-d8c8-4efa-b5bf-f1efb37174ba", "created_at": "2022-10-25T16:07:24.36191Z", "updated_at": "2026-04-10T02:00:04.954902Z", "deleted_at": null, "main_name": "UNC2452", "aliases": [ "Dark Halo", "Nobelium", "SolarStorm", "StellarParticle", "UNC2452" ], "source_name": "ETDA:UNC2452", "tools": [], "source_id": "ETDA", "reports": null }, { "id": "1d3f9dec-b033-48a5-8b1e-f67a29429e89", "created_at": "2022-10-25T15:50:23.739197Z", "updated_at": "2026-04-10T02:00:05.275809Z", "deleted_at": null, "main_name": "UNC2452", "aliases": [ "UNC2452", "NOBELIUM", "StellarParticle", "Dark Halo" ], "source_name": "MITRE:UNC2452", "tools": [ "Sibot", "Mimikatz", "Cobalt Strike", "AdFind", "GoldMax" ], "source_id": "MITRE", "reports": null }, { "id": "5b748f86-ac32-4715-be9f-6cf25ae48a4e", "created_at": "2024-06-04T02:03:07.956135Z", "updated_at": "2026-04-10T02:00:03.689959Z", "deleted_at": null, "main_name": "IRON HEMLOCK", "aliases": [ "APT29 ", "ATK7 ", "Blue Kitsune ", "Cozy Bear ", "The Dukes", "UNC2452 ", "YTTRIUM " ], "source_name": "Secureworks:IRON HEMLOCK", "tools": [ "CosmicDuke", "CozyCar", "CozyDuke", "DiefenDuke", "FatDuke", "HAMMERTOSS", "LiteDuke", "MiniDuke", "OnionDuke", "PolyglotDuke", "RegDuke", "RegDuke Loader", "SeaDuke", "Sliver" ], "source_id": "Secureworks", "reports": null }, { "id": "a241a1ca-2bc9-450b-a07b-aae747ee2710", "created_at": "2024-06-19T02:03:08.150052Z", "updated_at": "2026-04-10T02:00:03.737173Z", "deleted_at": null, "main_name": "IRON RITUAL", "aliases": [ "APT29", "Blue Dev 5 ", "BlueBravo ", "Cloaked Ursa ", "CozyLarch ", "Dark Halo ", "Midnight Blizzard ", "NOBELIUM ", "StellarParticle ", "UNC2452 " ], "source_name": "Secureworks:IRON RITUAL", "tools": [ "Brute Ratel C4", "Cobalt Strike", "EnvyScout", "GoldFinder", "GoldMax", "NativeZone", "RAINDROP", "SUNBURST", "Sibot", "TEARDROP", "VaporRage" ], "source_id": "Secureworks", "reports": null }, { "id": "70872c3a-e788-4b55-a7d6-b2df52001ad0", "created_at": "2023-01-06T13:46:39.18401Z", "updated_at": "2026-04-10T02:00:03.239111Z", "deleted_at": null, "main_name": "UNC2452", "aliases": [ "DarkHalo", "StellarParticle", "NOBELIUM", "Solar Phoenix", "Midnight Blizzard" ], "source_name": "MISPGALAXY:UNC2452", "tools": [ "SNOWYAMBER", "HALFRIG", "QUARTERRIG" ], "source_id": "MISPGALAXY", "reports": null }, { "id": "20d3a08a-3b97-4b2f-90b8-92a89089a57a", "created_at": "2022-10-25T15:50:23.548494Z", "updated_at": "2026-04-10T02:00:05.292748Z", "deleted_at": null, "main_name": "APT29", "aliases": [ "APT29", "IRON RITUAL", "IRON HEMLOCK", "NobleBaron", "Dark Halo", "NOBELIUM", "UNC2452", "YTTRIUM", "The Dukes", "Cozy Bear", "CozyDuke", "SolarStorm", "Blue Kitsune", "UNC3524", "Midnight Blizzard" ], "source_name": "MITRE:APT29", "tools": [ "PinchDuke", "ROADTools", "WellMail", "CozyCar", "Mimikatz", "Tasklist", "OnionDuke", "FatDuke", "POSHSPY", "EnvyScout", "SoreFang", "GeminiDuke", "reGeorg", "GoldMax", "FoggyWeb", "SDelete", "PolyglotDuke", "AADInternals", "MiniDuke", "SeaDuke", "Sibot", "RegDuke", "CloudDuke", "GoldFinder", "AdFind", "PsExec", "NativeZone", "Systeminfo", "ipconfig", "Impacket", "Cobalt Strike", "PowerDuke", "QUIETEXIT", "HAMMERTOSS", "BoomBox", "CosmicDuke", "WellMess", "VaporRage", "LiteDuke" ], "source_id": "MITRE", "reports": null }, { "id": "f27790ff-4ee0-40a5-9c84-2b523a9d3270", "created_at": "2022-10-25T16:07:23.341684Z", "updated_at": "2026-04-10T02:00:04.549917Z", "deleted_at": null, "main_name": "APT 29", "aliases": [ "APT 29", "ATK 7", "Blue Dev 5", "BlueBravo", "Cloaked Ursa", "CloudLook", "Cozy Bear", "Dark Halo", "Earth Koshchei", "G0016", "Grizzly Steppe", "Group 100", "ITG11", "Iron Hemlock", "Iron Ritual", "Midnight Blizzard", "Minidionis", "Nobelium", "NobleBaron", "Operation Ghost", "Operation Office monkeys", "Operation StellarParticle", "SilverFish", "Solar Phoenix", "SolarStorm", "StellarParticle", "TEMP.Monkeys", "The Dukes", "UNC2452", "UNC3524", "Yttrium" ], "source_name": "ETDA:APT 29", "tools": [ "7-Zip", "ATI-Agent", "AdFind", "Agentemis", "AtNow", "BEATDROP", "BotgenStudios", "CEELOADER", "Cloud Duke", "CloudDuke", "CloudLook", "Cobalt Strike", "CobaltStrike", "CosmicDuke", "Cozer", "CozyBear", "CozyCar", "CozyDuke", "Danfuan", "EnvyScout", "EuroAPT", "FatDuke", "FoggyWeb", "GeminiDuke", "Geppei", "GoldFinder", "GoldMax", "GraphDrop", "GraphicalNeutrino", "GraphicalProton", "HAMMERTOSS", "HammerDuke", "LOLBAS", "LOLBins", "LiteDuke", "Living off the Land", "MagicWeb", "Mimikatz", "MiniDionis", "MiniDuke", "NemesisGemina", "NetDuke", "OnionDuke", "POSHSPY", "PinchDuke", "PolyglotDuke", "PowerDuke", "QUIETEXIT", "ROOTSAW", "RegDuke", "Rubeus", "SNOWYAMBER", "SPICYBEAT", "SUNSHUTTLE", "SeaDaddy", "SeaDask", "SeaDesk", "SeaDuke", "Sharp-SMBExec", "SharpView", "Sibot", "Solorigate", "SoreFang", "TinyBaron", "WINELOADER", "WellMail", "WellMess", "cobeacon", "elf.wellmess", "reGeorg", "tDiscoverer" ], "source_id": "ETDA", "reports": null } ], "ts_created_at": 1775434405, "ts_updated_at": 1775792252, "ts_creation_date": 0, "ts_modification_date": 0, "files": { "pdf": "https://archive.orkl.eu/4f144f8469cff9ebb2e3b38be1f911267e5903f7.pdf", "text": "https://archive.orkl.eu/4f144f8469cff9ebb2e3b38be1f911267e5903f7.txt", "img": "https://archive.orkl.eu/4f144f8469cff9ebb2e3b38be1f911267e5903f7.jpg" } }