{
	"id": "596dc486-ed6a-470f-903b-7353eaa0ed4f",
	"created_at": "2026-04-06T00:07:03.715268Z",
	"updated_at": "2026-04-10T13:12:02.187102Z",
	"deleted_at": null,
	"sha1_hash": "55c6113e8a746a921be43928353b9ce4fe4ad924",
	"title": "SolarWinds Supply Chain Attack Uses SUNBURST Backdoor",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 670616,
	"plain_text": "SolarWinds Supply Chain Attack Uses SUNBURST Backdoor\r\nBy Mandiant\r\nPublished: 2020-12-13 · Archived: 2026-04-05 14:38:12 UTC\r\nUPDATE (May 2022): We have merged UNC2452 with APT29. The UNC2452 activity described in this post is now attributed to APT29.\r\nExecutive Summary\r\nWe have discovered a global intrusion campaign. We are tracking the actors behind this campaign as UNC2452.\r\nFireEye discovered a supply chain attack trojanizing SolarWinds Orion business software updates in order to distribute malware we call SUNBURST.\r\nThe attacker’s post-compromise activity leverages multiple techniques to evade detection and obscure their activity, but these efforts also offer some opportunities for detection.\r\nThe campaign is widespread, affecting public and private organizations around the world.\r\nFireEye is releasing signatures to detect this threat actor and supply chain attack in the wild. These are found on our public GitHub page. FireEye products and services can help customers detect and block this attack.\r\nSummary\r\nFireEye has uncovered a widespread campaign that we are tracking as UNC2452. The actors behind this campaign gained access to numerous public and private organizations around the world. They gained access to victims via trojanized updates to SolarWinds’ Orion IT monitoring and management software. This campaign may have begun as early as Spring 2020 and is currently ongoing. Post-compromise activity following this supply chain compromise has included lateral movement and data theft. The campaign is the work of a highly skilled actor and the operation was conducted with significant operational security.\r\nSUNBURST Backdoor\r\nSolarWinds.Orion.Core.BusinessLayer.dll is a SolarWinds digitally-signed component of the Orion software framework that contains a backdoor that communicates via HTTP to third-party servers. We are tracking the trojanized version of this SolarWinds Orion plug-in as SUNBURST.\r\nAfter an initial dormant period of up to two weeks, it retrieves and executes commands, called “Jobs”, that include the ability to transfer files, execute files, profile the system, reboot the machine, and disable system services. The malware masquerades its network traffic as the Orion Improvement Program (OIP) protocol and stores reconnaissance results within legitimate plugin configuration files, allowing it to blend in with legitimate SolarWinds activity. The backdoor uses multiple obfuscated blocklists to identify forensic and anti-virus tools running as processes, services, and drivers.\r\nhttps://www.fireeye.com/blog/threat-research/2020/12/evasive-attacker-leverages-solarwinds-supply-chain-compromises-with-sunburst-backdoor.html\r\nPage 1 of 12\n\nFigure 1: SolarWinds digital signature on software with backdoor\r\nMultiple trojanized updates were digitally signed from March to May 2020 and posted to the SolarWinds updates website, including:\r\nhxxps://downloads.solarwinds[.]com/solarwinds/CatalogResources/Core/2019.4/2019.4.5220.20574/SolarWinds-Core-v2019.4.5220-Hotfix5.msp\r\nThe trojanized update file is a standard Windows Installer Patch file that includes compressed resources associated with the update, including the trojanized SolarWinds.Orion.Core.BusinessLayer.dll component. Once the update is installed, the malicious DLL will be loaded by the legitimate SolarWinds.BusinessLayerHost.exe or SolarWinds.BusinessLayerHostx64.exe (depending on system configuration). After a dormant period of up to two weeks, the malware will attempt to resolve a subdomain of avsvmcloud[.]com. The DNS response will return a CNAME record that points to a Command and Control (C2) domain. The C2 traffic to the malicious domains is designed to mimic normal SolarWinds API communications. The list of known malicious infrastructure is available on FireEye’s GitHub page.\r\n
Worldwide Victims Across Multiple Verticals\r\nFireEye has detected this activity at multiple entities worldwide. The victims have included government, consulting, technology, telecom and extractive entities in North America, Europe, Asia and the Middle East. We anticipate there are additional victims in other countries and verticals. FireEye has notified all entities we are aware of being affected.\r\nPost Compromise Activity and Detection Opportunities\r\nWe are currently tracking the software supply chain compromise and related post-intrusion activity as UNC2452. After gaining initial access, this group uses a variety of techniques to disguise their operations while they move laterally (Figure 2). This actor prefers to maintain a light malware footprint, instead relying on legitimate credentials and remote access for access into a victim’s environment.\r\nFigure 2: Post-compromise tactics\r\nThis section will detail the notable techniques and outline potential opportunities for detection.\r\nTEARDROP and BEACON Malware Used\r\nMultiple SUNBURST samples have been recovered, delivering different payloads. In at least one instance the attackers deployed a previously unseen memory-only dropper we’ve dubbed TEARDROP to deploy Cobalt Strike BEACON.\r\nTEARDROP is a memory-only dropper that runs as a service, spawns a thread and reads from the file “gracious_truth.jpg”, which likely has a fake JPG header. Next it checks that HKU\\SOFTWARE\\Microsoft\\CTF exists, decodes an embedded payload using a custom rolling XOR algorithm and manually loads into memory an embedded payload using a custom PE-like file format. TEARDROP does not have code overlap with any previously seen malware. We believe that this was used to execute a customized Cobalt Strike BEACON.\r\nMitigation: FireEye has provided two Yara rules to detect TEARDROP, available on our GitHub. Defenders should look for the following alerts from FireEye HX: MalwareGuard and WindowsDefender:\r\nProcess Information\r\nfile_operation_closed\r\nfile-path*: “c:\\\\windows\\\\syswow64\\\\netsetupsvc.dll\r\nactor-process:\r\npid: 17900\r\nWindows Defender Exploit Guard log entries: (Microsoft-Windows-Security-Mitigations/KernelMode event ID 12)\r\nProcess “\\Device\\HarddiskVolume2\\Windows\\System32\\svchost.exe” (PID XXXXX) would have been blocked from loading the non-Microsoft-signed binary ‘\\Windows\\SysWOW64\\NetSetupSvc.dll’\r\nAttacker Hostnames Match Victim Environment\r\nThe actor sets the hostnames on their command and control infrastructure to match a legitimate hostname found within the victim’s environment. This allows the adversary to blend into the environment, avoid suspicion, and evade detection.\r\nDetection Opportunity\r\nThe attacker infrastructure leaks its configured hostname in RDP SSL certificates, which is identifiable in internet-wide scan data. This presents a detection opportunity for defenders: querying internet-wide scan data sources for an organization’s hostnames can uncover malicious IP addresses that may be masquerading as the organization. (Note: IP scan history often shows IPs switching between default (WIN-*) hostnames and victim’s hostnames.) Cross-referencing the list of IPs identified in internet scan data with remote access logs may identify evidence of this actor in an environment. There is likely to be a single account per IP address.\r\nIP Addresses Located in Victim’s Country\r\nThe attacker’s choice of IP addresses was also optimized to evade detection. The attacker primarily used only IP addresses originating from the same country as the victim, leveraging Virtual Private Servers.\r\nDetection Opportunity\r\nThis also presents some detection opportunities, as geolocating IP addresses used for remote access may show an impossible rate of travel if a compromised account is being used by the legitimate user and the attacker from disparate IP addresses. The attacker used multiple IP addresses per VPS provider, so once a malicious login from an unusual ASN is identified, looking at all logins from that ASN can help detect additional malicious activity. This can be done alongside baselining and normalization of ASNs used for legitimate remote access to help identify suspicious activity.\r\nLateral Movement Using Different Credentials\r\nOnce the attacker gained access to the network with compromised credentials, they moved laterally using multiple different credentials. The credentials used for lateral movement were always different from those used for remote access.\r\nDetection Opportunity\r\nOrganizations can use HX’s LogonTracker module to graph all logon activity and analyze systems displaying a one-to-many relationship between source systems and accounts. This will uncover any single system authenticating to multiple systems with multiple accounts, a relatively uncommon occurrence during normal business operations.\r\nTemporary File Replacement and Temporary Task Modification\r\nThe attacker used a temporary file replacement technique to remotely execute utilities: they replaced a legitimate utility with theirs, executed their payload, and then restored the legitimate original file. They similarly manipulated scheduled tasks by updating an existing legitimate task to execute their tools and then returning the scheduled task to its original configuration. They routinely removed their tools, including removing backdoors once legitimate remote access was achieved.\r\nDetection Opportunity\r\nDefenders can examine logs for SMB sessions that show access to legitimate directories and follow a delete-create-execute-delete-create pattern in a short amount of time. Additionally, defenders can monitor existing scheduled tasks for temporary updates, using frequency analysis to identify anomalous modification of tasks. Tasks can also be monitored to watch for legitimate Windows tasks executing new or unknown binaries.\r\nThis campaign’s post-compromise activity was conducted with a high regard for operational security, in many cases leveraging dedicated infrastructure per intrusion. This is some of the best operational security that FireEye has observed in a cyber attack, focusing on evasion and leveraging inherent trust. However, it can be detected through persistent defense.\r\n
In-Depth Malware Analysis\r\nSolarWinds.Orion.Core.BusinessLayer.dll (b91ce2fa41029f6955bff20079468448) is a SolarWinds-signed plugin component of the Orion software framework that contains an obfuscated backdoor which communicates via HTTP to third-party servers. After an initial dormant period of up to two weeks, it retrieves and executes commands, called “Jobs”, that include the ability to transfer and execute files, profile the system, and disable system services. The backdoor’s behavior and network protocol blend in with legitimate SolarWinds activity, such as by masquerading as the Orion Improvement Program (OIP) protocol and storing reconnaissance results within plugin configuration files. The backdoor uses multiple blocklists to identify forensic and anti-virus tools via processes, services, and drivers.\r\nUnique Capabilities\r\nSubdomain Domain Name Generation Algorithm (DGA) is performed to vary DNS requests\r\nCNAME responses point to the C2 domain for the malware to connect to\r\nThe IP block of A record responses controls malware behavior\r\nDGA encoded machine domain name, used to selectively target victims\r\nCommand and control traffic masquerades as the legitimate Orion Improvement Program\r\nCode hides in plain sight by using fake variable names and tying into legitimate components\r\nDelivery and Installation\r\nAuthorized system administrators fetch and install updates to SolarWinds Orion via packages distributed by SolarWinds’ website. The update package CORE-2019.4.5220.20574-SolarWinds-Core-v2019.4.5220-Hotfix5.msp (02af7cec58b9a5da1c542b5a32151ba1) contains the SolarWinds.Orion.Core.BusinessLayer.dll described in this report. After installation, the Orion software framework executes the .NET program SolarWinds.BusinessLayerHost.exe to load plugins, including SolarWinds.Orion.Core.BusinessLayer.dll. This plugin contains many legitimate namespaces, classes, and routines that implement functionality within the Orion framework. Hidden in plain sight, the class SolarWinds.Orion.Core.BusinessLayer.OrionImprovementBusinessLayer implements an HTTP-based backdoor. Code within the logically unrelated routine SolarWinds.Orion.Core.BusinessLayer.BackgroundInventory.InventoryManager.RefreshInternal invokes the backdoor code when the Inventory Manager plugin is loaded.\r\nSolarWinds.Orion.Core.BusinessLayer.dll is signed by SolarWinds, using the certificate with serial number 0f:e9:73:75:20:22:a6:06:ad:f2:a3:6e:34:5d:c0:ed. The file was signed on March 24, 2020.\r\nInitialization\r\nOn execution of the malicious SolarWinds.Orion.Core.BusinessLayer.OrionImprovementBusinessLayer.Initialize method the sample verifies that its lower-case process name hashes to the value 17291806236368054941. This hash value is calculated as the standard FNV-1A 64-bit hash with an additional XOR by 6605813339339102567 after computing the FNV-1A. This hash matches a process named \"solarwinds.businesslayerhost\".\r\nThe sample only executes if the filesystem write time of the assembly is at least 12 to 14 days prior to the current time; the exact threshold is selected randomly from an interval. The sample continues to check this time threshold as it is run by a legitimate recurring background task. Once the threshold is met, the sample creates the named pipe 583da945-62af-10e8-4902-a8f205c72b2e to act as a guard that only one instance is running before reading SolarWinds.Orion.Core.BusinessLayer.dll.config from disk and retrieving the XML field appSettings. The appSettings fields’ keys are legitimate values that the malicious logic re-purposes as a persistent configuration. The key ReportWatcherRetry must be any value other than 3 for the sample to continue execution.\r\nThe sample checks that the machine is domain joined and retrieves the domain name before execution continues. A userID is generated by computing the MD5 of a network interface MAC address that is up and not a loopback device, the domain name, and the registry value HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Cryptography\\MachineGuid. The userID is encoded via a custom XOR scheme after the MD5 is calculated. The ReportWatcherPostpone key of appSettings is then read from SolarWinds.Orion.Core.BusinessLayer.dll.config to retrieve the initial, legitimate value. This operation is performed as the sample later bit-packs flags into this field and the initial value must be known in order to read out the bit flags. The sample then invokes the method Update, which is the core event loop of the sample.\r\nDGA and Blocklists\r\nThe backdoor determines its C2 server using a Domain Generation Algorithm (DGA) to construct and resolve a subdomain of avsvmcloud[.]com. The Update method is responsible for initializing cryptographic helpers for the generation of these random C2 subdomains. Subdomains are generated by concatenating a victim userId with a reversible encoding of the victim’s local machine domain name. The attacker likely utilizes the DGA subdomain to vary the DNS response to victims as a means to control the targeting of the malware. These subdomains are concatenated with one of the following to create the hostname to resolve:\r\n.appsync-api.eu-west-1[.]avsvmcloud[.]com\r\n.appsync-api.us-west-2[.]avsvmcloud[.]com\r\n.appsync-api.us-east-1[.]avsvmcloud[.]com\r\n.appsync-api.us-east-2[.]avsvmcloud[.]com\r\nProcess name, service name, and driver path listings are obtained, and each value is hashed via the FNV-1a + XOR algorithm as described previously and checked against hardcoded blocklists. Some of these hashes have been brute-force reversed as part of this analysis, showing that these routines are scanning for analysis tools and antivirus engine components. If a blocklisted process is found the Update routine exits and the sample will continue to try executing the routine until the blocklist passes. Blocklisted services are stopped by setting their HKLM\\SYSTEM\\CurrentControlSet\\services\\\u003cservice_name\u003e\\Start registry entries to value 4 for disabled. Some entries in the service list, if found on the system, may affect the DGA algorithm’s behavior in terms of the values generated. The list of stopped services is then bit-packed into the ReportWatcherPostpone key of the appSettings entry for the sample’s config file. If any service was transitioned to disabled the Update method exits and retries later. The sample retrieves a driver listing via the WMI query Select * From Win32_SystemDriver. If any blocklisted driver is seen the Update method exits and retries. If all blocklist tests pass, the sample tries to resolve api.solarwinds.com to test the network for connectivity.\r\nNetwork Command and Control (C2)\r\nIf all blocklist and connectivity checks pass, the sample starts generating domains in a while loop via its DGA. The sample will delay for random intervals between the generation of domains; this interval may be any random value from the ranges 1 to 3 minutes, 30 to 120 minutes, or on error conditions up to 420 to 540 minutes (9 hours). The DNS A record of generated domains is checked against a hardcoded list of IP address blocks which control the malware’s behavior. Records within the following ranges will terminate the malware and update the configuration key ReportWatcherRetry to a value that prevents further execution:\r\n10.0.0.0/8\r\n172.16.0.0/12\r\n192.168.0.0/16\r\n224.0.0.0/3\r\nfc00:: - fe00::\r\nfec0:: - ffc0::\r\nff00:: - ff00::\r\n20.140.0.0/15\r\n96.31.172.0/24\r\n131.228.12.0/22\r\n144.86.226.0/24\r\n
Once a domain has been successfully retrieved in a CNAME DNS response the sample will spawn a new thread of execution invoking the method HttpHelper.Initialize, which is responsible for all C2 communications and dispatching. The HTTP thread begins by delaying for a configurable amount of time that is controlled by the SetTime command. The HTTP thread will delay for a minimum of 1 minute between callouts. The malware uses HTTP GET or HTTP POST requests. If the sample is attempting to send outbound data the content-type HTTP header will be set to \"application/octet-stream\", otherwise to \"application/json\".\r\nA JSON payload is present for all HTTP POST and PUT requests and contains the keys “userId”, “sessionId”, and “steps”. The “steps” field contains a list of objects with the following keys: “Timestamp”, “Index”, “EventType”, “EventName”, “DurationMs”, “Succeeded”, and “Message”. The JSON key “EventType” is hardcoded to the value “Orion”, and the “EventName” is hardcoded to “EventManager”. Malware response messages to send to the server are DEFLATE compressed and single-byte-XOR encoded, then split among the “Message” fields in the “steps” array. Each “Message” value is Base64 encoded separately. Not all objects in the “steps” array contribute to the malware message – the integer in the “Timestamp” field must have the 0x2 bit set to indicate that the contents of the “Message” field are used in the malware message. Step objects whose bit 0x2 is clear in the Timestamp field contain random data and are discarded when assembling the malware response.\r\nSteganography\r\nIn observed traffic these HTTP response bodies attempt to appear like benign XML related to .NET assemblies, but command data is actually spread across the many GUID and HEX strings present. Commands are extracted from HTTP response bodies by searching for HEX strings using the following regular expression: \"\\{[0-9a-f-]{36}\\}\"|\"[0-9a-f]{32}\"|\"[0-9a-f]{16}\". Command data is spread across multiple strings that are disguised as GUID and HEX strings. All matched substrings in the response are filtered for non-HEX characters, joined together, and HEX-decoded. The first DWORD value shows the actual size of the message, followed immediately by the message, with optional additional junk bytes following. The extracted message is single-byte XOR decoded using the first byte of the message, and this is then DEFLATE decompressed. The first character is an ASCII integer that maps to the JobEngine enum, with optional additional command arguments delimited by space characters.\r\nCommands are then dispatched to a JobExecutionEngine based upon the command value as described next.\r\nSupported Commands\r\nCommand | Value | Operation\r\nIdle | 0 | No operation\r\nExit | 1 | Terminate the current thread.\r\nSetTime | 2 | Sets the delay time between main event loop executions. Delay is in seconds, and varies randomly between [.9 * , 1.1 * ]. If the delay is \u003c 300 it is doubled on the next execution through the loop; this means it should settle onto an interval of around [5, 10] minutes. There is a second, unrelated delay routine that delays for a random interval between [16hrs, 83hrs]\r\nCollectSystemDescription | 3 | Profile the local system including hostname, username, OS version, MAC addresses, IP address, DHCP configuration, and domain information.\r\nUploadSystemDescription | 4 | Perform an HTTP request to the specified URL, parse the results and compare components against unknown hashed values. Format a report and send to the C2 server.\r\nRunTask | 5 | Starts a new process with the given file path and arguments\r\nGetProcessByDescription | 6 | Returns a process listing. If no arguments are provided returns just the PID and process name. If an argument is provided it also returns the parent PID and username and domain for the process owner.\r\nKillTask | 7 | Terminate the given process, by PID.\r\nGetFileSystemEntries | 8 | Given a path and an optional match pattern recursively list files and directories\r\nWriteFile | 9 | Given a file path and a Base64 encoded string write the contents of the Base64 decoded string to the given file path. Write using append mode. Delay for [1s, 2s] after writing is done.\r\nFileExists | 10 | Tests whether the given file path exists.\r\nDeleteFile | 11 | Deletes the specified file path.\r\nGetFileHash | 12 | Compute the MD5 of a file at a given path and return result as a HEX string. If an argument is provided, it is the expected MD5 hash of the file and returns an error if the calculated MD5 differs.\r\nReadRegistryValue | 13 | Arbitrary registry read from one of the supported hives\r\nSetRegistryValue | 14 | Arbitrary registry write from one of the supported hives.\r\nDeleteRegistryValue | 15 | Arbitrary registry delete from one of the supported hives\r\nGetRegistrySubKeyAndValueNames | 16 | Returns listing of subkeys and value names beneath the given registry path\r\nReboot | 17 | Attempts to immediately trigger a system reboot.\r\n
Indicators and Detections to Help the Community\r\nTo empower the community to detect this supply chain backdoor, we are publishing indicators and detections to help organizations identify this backdoor and this threat actor. The signatures are a mix of Yara, IOC, and Snort formats. A list of the detections and signatures is available on the Mandiant GitHub repository. We are releasing detections and will continue to update the public repository with overlapping detections for host and network-based indicators as we develop new or refine existing ones. We have found multiple hashes with this backdoor and we will post updates of those hashes.\r\nMITRE ATT\u0026CK Techniques Observed\r\nID Description\r\nT1012 Query Registry\r\nT1027 Obfuscated Files or Information\r\nT1057 Process Discovery\r\nT1070.004 File Deletion\r\nT1071.001 Web Protocols\r\nT1071.004 Application Layer Protocol: DNS\r\nT1083 File and Directory Discovery\r\nT1105 Ingress Tool Transfer\r\nT1132.001 Standard Encoding\r\nT1195.002 Compromise Software Supply Chain\r\nT1518 Software Discovery\r\nT1518.001 Security Software Discovery\r\nT1543.003 Windows Service\r\nT1553.002 Code Signing\r\nT1568.002 Domain Generation Algorithms\r\nT1569.002 Service Execution\r\nT1584 Compromise Infrastructure\r\nImmediate Mitigation Recommendations\r\nPrior to following SolarWinds’ recommendation to utilize Orion Platform release 2020.2.1 HF 1, which is currently available via the SolarWinds Customer Portal, organizations should consider preserving impacted devices and building new systems using the latest versions. Applying an upgrade to an impacted box could potentially overwrite forensic evidence as well as leave any additional backdoors on the system. In addition, SolarWinds has released additional mitigation and hardening instructions.\r\nIn the event you are unable to follow SolarWinds’ recommendations, the following are immediate mitigation techniques that could be deployed as first steps to address the risk of trojanized SolarWinds software in an environment. If attacker activity is discovered in an environment, we recommend conducting a comprehensive investigation and designing and executing a remediation strategy driven by the investigative findings and details of the impacted environment.\r\nEnsure that SolarWinds servers are isolated / contained until a further review and investigation is conducted. This should include blocking all Internet egress from SolarWinds servers.\r\nIf SolarWinds infrastructure is not isolated, consider taking the following steps:\r\nRestrict scope of connectivity to endpoints from SolarWinds servers, especially those that would be considered Tier 0 / crown jewel assets\r\nRestrict the scope of accounts that have local administrator privileges on SolarWinds servers.\r\nBlock Internet egress from servers or other endpoints with SolarWinds software.\r\nConsider (at a minimum) changing passwords for accounts that have access to SolarWinds servers / infrastructure. Based upon further review / investigation, additional remediation measures may be required.\r\nIf SolarWinds is used to manage networking infrastructure, consider conducting a review of network device configurations for unexpected / unauthorized modifications. Note, this is a proactive measure due to the scope of SolarWinds functionality, not based on investigative findings.\r\nAcknowledgements\r\nThis blog post was the combined effort of numerous personnel and teams across FireEye coming together. Special thanks to:\r\nAndrew Archer, Doug Bienstock, Chris DiGiamo, Glenn Edwards, Nick Hornick, Alex Pennino, Andrew Rector, Scott Runnels, Eric Scales, Nalani Fraser, Sarah Jones, John Hultquist, Ben Read, Jon Leathery, Fred House, Dileep Jallepalli, Michael Sikorski, Stephen Eckels, William Ballenthin, Jay Smith, Alex Berry, Nick Richard, Isif Ibrahima, Dan Perez, Marcin Siedlarz, Ben Withnell, Barry Vengerik, Nicole Oppenheim, Ian Ahl, Andrew Thompson, Matt Dunwoody, Evan Reese, Steve Miller, Alyssa Rahman, John Gorman, Lennard Galang, Steve Stone, Nick Bennett, Matthew McWhirt, Mike Burns, Omer Baig.\r\nAlso special thanks to Nick Carr, Christopher Glyer, and Ramin Nafisi from Microsoft.\r\nPosted in\r\nThreat Intelligence\r\nSource: https://www.fireeye.com/blog/threat-research/2020/12/evasive-attacker-leverages-solarwinds-supply-chain-compromises-with-sunburst-backdoor.html",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MITRE",
		"MISPGALAXY",
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://www.fireeye.com/blog/threat-research/2020/12/evasive-attacker-leverages-solarwinds-supply-chain-compromises-with-sunburst-backdoor.html"
	],
	"report_names": [
		"evasive-attacker-leverages-solarwinds-supply-chain-compromises-with-sunburst-backdoor.html"
	],
	"threat_actors": [
		{
			"id": "b43e5ea9-d8c8-4efa-b5bf-f1efb37174ba",
			"created_at": "2022-10-25T16:07:24.36191Z",
			"updated_at": "2026-04-10T02:00:04.954902Z",
			"deleted_at": null,
			"main_name": "UNC2452",
			"aliases": [
				"Dark Halo",
				"Nobelium",
				"SolarStorm",
				"StellarParticle",
				"UNC2452"
			],
			"source_name": "ETDA:UNC2452",
			"tools": [],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "1d3f9dec-b033-48a5-8b1e-f67a29429e89",
			"created_at": "2022-10-25T15:50:23.739197Z",
			"updated_at": "2026-04-10T02:00:05.275809Z",
			"deleted_at": null,
			"main_name": "UNC2452",
			"aliases": [
				"UNC2452",
				"NOBELIUM",
				"StellarParticle",
				"Dark Halo"
			],
			"source_name": "MITRE:UNC2452",
			"tools": [
				"Sibot",
				"Mimikatz",
				"Cobalt Strike",
				"AdFind",
				"GoldMax"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "5b748f86-ac32-4715-be9f-6cf25ae48a4e",
			"created_at": "2024-06-04T02:03:07.956135Z",
			"updated_at": "2026-04-10T02:00:03.689959Z",
			"deleted_at": null,
			"main_name": "IRON HEMLOCK",
			"aliases": [
				"APT29 ",
				"ATK7 ",
				"Blue Kitsune ",
				"Cozy Bear ",
				"The Dukes",
				"UNC2452 ",
				"YTTRIUM "
			],
			"source_name": "Secureworks:IRON HEMLOCK",
			"tools": [
				"CosmicDuke",
				"CozyCar",
				"CozyDuke",
				"DiefenDuke",
				"FatDuke",
				"HAMMERTOSS",
				"LiteDuke",
				"MiniDuke",
				"OnionDuke",
				"PolyglotDuke",
				"RegDuke",
				"RegDuke Loader",
				"SeaDuke",
				"Sliver"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "a241a1ca-2bc9-450b-a07b-aae747ee2710",
			"created_at": "2024-06-19T02:03:08.150052Z",
			"updated_at": "2026-04-10T02:00:03.737173Z",
			"deleted_at": null,
			"main_name": "IRON RITUAL",
			"aliases": [
				"APT29",
				"Blue Dev 5 ",
				"BlueBravo ",
				"Cloaked Ursa ",
				"CozyLarch ",
				"Dark Halo ",
				"Midnight Blizzard ",
				"NOBELIUM ",
				"StellarParticle ",
				"UNC2452 "
			],
			"source_name": "Secureworks:IRON RITUAL",
			"tools": [
				"Brute Ratel C4",
				"Cobalt Strike",
				"EnvyScout",
				"GoldFinder",
				"GoldMax",
				"NativeZone",
				"RAINDROP",
				"SUNBURST",
				"Sibot",
				"TEARDROP",
				"VaporRage"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "46b3c0fc-fa0c-4d63-a38a-b33a524561fb",
			"created_at": "2023-01-06T13:46:38.393409Z",
			"updated_at": "2026-04-10T02:00:02.955738Z",
			"deleted_at": null,
			"main_name": "APT29",
			"aliases": [
				"Cloaked Ursa",
				"TA421",
				"Blue Kitsune",
				"BlueBravo",
				"IRON HEMLOCK",
				"G0016",
				"Nobelium",
				"Group 100",
				"YTTRIUM",
				"Grizzly Steppe",
				"ATK7",
				"ITG11",
				"COZY BEAR",
				"The Dukes",
				"Minidionis",
				"UAC-0029",
				"SeaDuke"
			],
			"source_name": "MISPGALAXY:APT29",
			"tools": [
				"SNOWYAMBER",
				"HALFRIG",
				"QUARTERRIG"
			],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "70872c3a-e788-4b55-a7d6-b2df52001ad0",
			"created_at": "2023-01-06T13:46:39.18401Z",
			"updated_at": "2026-04-10T02:00:03.239111Z",
			"deleted_at": null,
			"main_name": "UNC2452",
			"aliases": [
				"DarkHalo",
				"StellarParticle",
				"NOBELIUM",
				"Solar Phoenix",
				"Midnight Blizzard"
			],
			"source_name": "MISPGALAXY:UNC2452",
			"tools": [
				"SNOWYAMBER",
				"HALFRIG",
				"QUARTERRIG"
			],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "20d3a08a-3b97-4b2f-90b8-92a89089a57a",
			"created_at": "2022-10-25T15:50:23.548494Z",
			"updated_at": "2026-04-10T02:00:05.292748Z",
			"deleted_at": null,
			"main_name": "APT29",
			"aliases": [
				"APT29",
				"IRON RITUAL",
				"IRON HEMLOCK",
				"NobleBaron",
				"Dark Halo",
				"NOBELIUM",
				"UNC2452",
				"YTTRIUM",
				"The Dukes",
				"Cozy Bear",
				"CozyDuke",
				"SolarStorm",
				"Blue Kitsune",
				"UNC3524",
				"Midnight Blizzard"
			],
			"source_name": "MITRE:APT29",
			"tools": [
				"PinchDuke",
				"ROADTools",
				"WellMail",
				"CozyCar",
				"Mimikatz",
				"Tasklist",
				"OnionDuke",
				"FatDuke",
				"POSHSPY",
				"EnvyScout",
				"SoreFang",
				"GeminiDuke",
				"reGeorg",
				"GoldMax",
				"FoggyWeb",
				"SDelete",
				"PolyglotDuke",
				"AADInternals",
				"MiniDuke",
				"SeaDuke",
				"Sibot",
				"RegDuke",
				"CloudDuke",
				"GoldFinder",
				"AdFind",
				"PsExec",
				"NativeZone",
				"Systeminfo",
				"ipconfig",
				"Impacket",
				"Cobalt Strike",
				"PowerDuke",
				"QUIETEXIT",
				"HAMMERTOSS",
				"BoomBox",
				"CosmicDuke",
				"WellMess",
				"VaporRage",
				"LiteDuke"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "f27790ff-4ee0-40a5-9c84-2b523a9d3270",
			"created_at": "2022-10-25T16:07:23.341684Z",
			"updated_at": "2026-04-10T02:00:04.549917Z",
			"deleted_at": null,
			"main_name": "APT 29",
			"aliases": [
				"APT 29",
				"ATK 7",
				"Blue Dev 5",
				"BlueBravo",
				"Cloaked Ursa",
				"CloudLook",
				"Cozy Bear",
				"Dark Halo",
				"Earth Koshchei",
				"G0016",
				"Grizzly Steppe",
				"Group 100",
				"ITG11",
				"Iron Hemlock",
				"Iron Ritual",
				"Midnight Blizzard",
				"Minidionis",
				"Nobelium",
				"NobleBaron",
				"Operation Ghost",
				"Operation Office monkeys",
				"Operation StellarParticle",
				"SilverFish",
				"Solar Phoenix",
				"SolarStorm",
				"StellarParticle",
				"TEMP.Monkeys",
				"The Dukes",
				"UNC2452",
				"UNC3524",
				"Yttrium"
			],
			"source_name": "ETDA:APT 29",
			"tools": [
				"7-Zip",
				"ATI-Agent",
				"AdFind",
				"Agentemis",
				"AtNow",
				"BEATDROP",
				"BotgenStudios",
				"CEELOADER",
				"Cloud Duke",
				"CloudDuke",
				"CloudLook",
				"Cobalt Strike",
				"CobaltStrike",
				"CosmicDuke",
				"Cozer",
				"CozyBear",
				"CozyCar",
				"CozyDuke",
				"Danfuan",
				"EnvyScout",
				"EuroAPT",
				"FatDuke",
				"FoggyWeb",
				"GeminiDuke",
				"Geppei",
				"GoldFinder",
				"GoldMax",
				"GraphDrop",
				"GraphicalNeutrino",
				"GraphicalProton",
				"HAMMERTOSS",
				"HammerDuke",
				"LOLBAS",
				"LOLBins",
				"LiteDuke",
				"Living off the Land",
				"MagicWeb",
				"Mimikatz",
				"MiniDionis",
				"MiniDuke",
				"NemesisGemina",
				"NetDuke",
				"OnionDuke",
				"POSHSPY",
				"PinchDuke",
				"PolyglotDuke",
				"PowerDuke",
				"QUIETEXIT",
				"ROOTSAW",
				"RegDuke",
				"Rubeus",
				"SNOWYAMBER",
				"SPICYBEAT",
				"SUNSHUTTLE",
				"SeaDaddy",
				"SeaDask",
				"SeaDesk",
				"SeaDuke",
				"Sharp-SMBExec",
				"SharpView",
				"Sibot",
				"Solorigate",
				"SoreFang",
				"TinyBaron",
				"WINELOADER",
				"WellMail",
				"WellMess",
				"cobeacon",
				"elf.wellmess",
				"reGeorg",
				"tDiscoverer"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434023,
	"ts_updated_at": 1775826722,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/55c6113e8a746a921be43928353b9ce4fe4ad924.pdf",
		"text": "https://archive.orkl.eu/55c6113e8a746a921be43928353b9ce4fe4ad924.txt",
		"img": "https://archive.orkl.eu/55c6113e8a746a921be43928353b9ce4fe4ad924.jpg"
	}
}