{
	"id": "37959e5a-e7f0-4fa2-a62f-e67e9d8457f3",
	"created_at": "2026-04-06T00:13:16.680699Z",
	"updated_at": "2026-04-10T13:13:04.441663Z",
	"deleted_at": null,
	"sha1_hash": "8ac527d0eaecec6e025d0e83163552dd6b84533a",
	"title": "SolarWinds advanced cyberattack: What happened and what to do now",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 706943,
	"plain_text": "SolarWinds advanced cyberattack: What happened and what to do\r\nnow\r\nBy Mark Stockley\r\nPublished: 2020-12-13 · Archived: 2026-04-05 20:37:29 UTC\r\nDecember 14, 2020\r\nWe learned more about the sophisticated attack first disclosed on December 8 when security firm FireEye reported\r\nit had been the victim of a state-sponsored adversary that stole Red Team assessment tools.\r\nOn December 13 there was a new development when IT company SolarWinds announced it had been hacked and\r\nthat its compromised software channel was used to push out malicious updates onto 18,000 of its Orion platform\r\ncustomers.\r\nThis scenario, referred to as a supply-chain attack, is perhaps the most devious and difficult to detect as it relies on\r\nsoftware that has already been trusted and that can be widely distributed at once. Among the victims who received\r\nthe malicious update are FireEye, Microsoft and the US Treasury and Commerce departments, making this one of\r\nthe biggest cyber incidents we have witnessed in years.\r\nhttps://blog.malwarebytes.com/threat-analysis/2020/12/advanced-cyber-attack-hits-private-and-public-sector-via-supply-chain-software-update/\r\nPage 1 of 5\n\nThe Department of Homeland Security has issued an emergency directive to order all federal agencies to take\r\nimmediate steps in putting affected SolarWinds Orion products offline and reporting back any incident by\r\nMonday.\r\nWe do know that the threat actors were in for a much bigger prize than the offensive tools stolen from security\r\nfirm FireEye, although this incident helped to uncover a very advanced operation with deep ramifications. As this\r\nstory is still unfolding we will keep our customers informed of any newer developments.\r\nCall to action\r\nImmediately isolate any systems running the Orion platform versions 2019.4 HF 5 through 2020.2.1,\r\nreleased between March 2020 and June 2020.\r\nScan your premises using Malwarebytes and look for any detection, and in particular Backdoor.Sunburst\r\nand Backdoor.WebShell.\r\nUse the Indicators of Compromise at the end of this blog to hunt within your logs, telemetry and other\r\nSIEM data to give a timeline perspective to any potential intrusion.\r\nPerform a comprehensive security sweep to review and harden your physical and cloud infrastructure.\r\nUpgrade to Orion Platform version 2020.2.1 HF 2 and restore systems once you feel confident with the\r\nprevious steps.\r\nFurther reading\r\nSolarWinds: SolarWinds Security Advisory\r\nFireEye: Highly Evasive Attacker Leverages SolarWinds Supply Chain to Compromise Multiple Global\r\nVictims With SUNBURST Backdoor\r\nMicrosoft: Customer Guidance on Recent Nation-State Cyber Attacks\r\nVolexity: Dark Halo Leverages SolarWinds Compromise to Breach Organizations\r\nCISA: Advanced Persistent Threat Compromise of Government Agencies, Critical Infrastructure, and\r\nPrivate Sector Organizations\r\nMicrosoft: Analyzing Solorigate, the compromised DLL file that started a sophisticated cyberattack, and\r\nhow Microsoft Defender helps protect\r\nIndicators of Compromise (IOCs)\r\nThis list has been put together from several sources. Kudos to FireEye and Microsoft for sharing IOCs and TTPs\r\nso quickly.\r\nSolarWinds.Orion.Core.BusinessLayer.dll\r\n32519b85c0b422e4656de6e6c41878e95fd95026267daab4215ee59c107d6c77\r\ndab758bf98d9b36fa057a66cd0284737abf89857b73ca89280267ee7caf62f3b\r\neb6fab5a2964c5817fb239a7a5079cabca0a00464fb3e07155f28b0a57a2c0ed\r\nc09040d35630d75dfef0f804f320f8b3d16a481071076918e9b236a321c1ea77\r\nac1b2b89e60707a20e9eb1ca480bc3410ead40643b386d624c5d21b47c02917c\r\n019085a76ba7126fff22770d71bd901c325fc68ac55aa743327984e89f4b0134\r\nce77d116a074dab7a22a0fd4f2c1ab475f16eec42e1ded3c0b0aa8211fe858d6\r\na25cadd48d70f6ea0c4a241d99c5241269e6faccb4054e62d16784640f8e53bc\r\nd3c6785e18fba3749fb785bc313cf8346182f532c59172b69adfb31b96a5d0af\r\n0f5d7e6dfdd62c83eb096ba193b5ae394001bac036745495674156ead6557589\r\n6e4050c6a2d2e5e49606d96dd2922da480f2e0c70082cc7e54449a7dc0d20f8d\r\nCORE-2019.4.5220.20574-SolarWinds-Core-v2019.4.5220-Hotfix5.msp\r\nd0d626deb3f9484e649294a8dfa814c5568f846d5aa02d4cdad5d041a29d5600\r\nappweblogoimagehandler.ashx.b6031896.dll\r\nc15abaf51e78ca56c0376522d699c978217bf041a3bd3c71d09193efa5717c71\r\nAdditional DLLs\r\ne0b9eda35f01c1540134aba9195e7e6393286dde3e001fce36fb661cc346b91d\r\n20e35055113dac104d2bb02d4e7e33413fae0e5a426e0eea0dfd2c1dce692fd9\r\n2b3445e42d64c85a5475bdbc88a50ba8c013febb53ea97119a11604b7595e53d\r\na3efbc07068606ba1c19a7ef21f4de15d15b41ef680832d7bcba485143668f2d\r\n92bd1c3d2a11fc4aba2735d9547bd0261560fb20f36a0e7ca2f2d451f1b62690\r\na58d02465e26bdd3a839fd90e4b317eece431d28cab203bbdde569e11247d9e2\r\ncc082d21b9e880ceb6c96db1c48a0375aaf06a5f444cb0144b70e01dc69048e6\r\nTEARDROP\r\nb820e8a2057112d0ed73bd7995201dbed79a79e13c79d4bdad81a22f12387e07\r\n1817a5bf9c01035bcf8a975c9f1d94b0ce7f6a200339485d8f93859f8f6d730c\r\nRaindrop (Source)\r\nf2d38a29f6727f4ade62d88d8a68de0d52a0695930b8c92437a2f9e4de92e418\r\nbe9dbbec6937dfe0a652c0603d4972ba354e83c06b8397d6555fd1847da36725\r\n955609cf0b4ea38b409d523a0f675d8404fee55c458ad079b4031e02433fdbf3\r\n240ef5b8392b8c7a5a025c36a7e5b0e03e5bb0d0d1a28703bb22e6159a4fd10e\r\nNetwork indicators\r\navsvmcloud[.]com\r\ndeftsecurity[.]com\r\nfreescanonline[.]com\r\nthedoccloud[.]com\r\nwebsitetheme[.]com\r\nhighdatabase[.]com\r\nincomeupdate[.]com\r\ndatabasegalore[.]com\r\npanhardware[.]com\r\nzupertech[.]com\r\n13.59.205[.]66\r\n54.193.127[.]66\r\n54.215.192[.]52\r\n34.203.203[.]23\r\n139.99.115[.]204\r\n5.252.177[.]25\r\n5.252.177[.]21\r\n204.188.205[.]176\r\n51.89.125[.]18\r\n167.114.213[.]199\r\nAdditional hunting rules: https://github.com/fireeye/sunburst_countermeasures/tree/main/rules\r\nSource: https://blog.malwarebytes.com/threat-analysis/2020/12/advanced-cyber-attack-hits-private-and-public-sector-via-supply-chain-software-update/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://blog.malwarebytes.com/threat-analysis/2020/12/advanced-cyber-attack-hits-private-and-public-sector-via-supply-chain-software-update/"
	],
	"report_names": [
		"advanced-cyber-attack-hits-private-and-public-sector-via-supply-chain-software-update"
	],
	"threat_actors": [
		{
			"id": "b43e5ea9-d8c8-4efa-b5bf-f1efb37174ba",
			"created_at": "2022-10-25T16:07:24.36191Z",
			"updated_at": "2026-04-10T02:00:04.954902Z",
			"deleted_at": null,
			"main_name": "UNC2452",
			"aliases": [
				"Dark Halo",
				"Nobelium",
				"SolarStorm",
				"StellarParticle",
				"UNC2452"
			],
			"source_name": "ETDA:UNC2452",
			"tools": [],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "1d3f9dec-b033-48a5-8b1e-f67a29429e89",
			"created_at": "2022-10-25T15:50:23.739197Z",
			"updated_at": "2026-04-10T02:00:05.275809Z",
			"deleted_at": null,
			"main_name": "UNC2452",
			"aliases": [
				"UNC2452",
				"NOBELIUM",
				"StellarParticle",
				"Dark Halo"
			],
			"source_name": "MITRE:UNC2452",
			"tools": [
				"Sibot",
				"Mimikatz",
				"Cobalt Strike",
				"AdFind",
				"GoldMax"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "a241a1ca-2bc9-450b-a07b-aae747ee2710",
			"created_at": "2024-06-19T02:03:08.150052Z",
			"updated_at": "2026-04-10T02:00:03.737173Z",
			"deleted_at": null,
			"main_name": "IRON RITUAL",
			"aliases": [
				"APT29",
				"Blue Dev 5",
				"BlueBravo",
				"Cloaked Ursa",
				"CozyLarch",
				"Dark Halo",
				"Midnight Blizzard",
				"NOBELIUM",
				"StellarParticle",
				"UNC2452"
			],
			"source_name": "Secureworks:IRON RITUAL",
			"tools": [
				"Brute Ratel C4",
				"Cobalt Strike",
				"EnvyScout",
				"GoldFinder",
				"GoldMax",
				"NativeZone",
				"RAINDROP",
				"SUNBURST",
				"Sibot",
				"TEARDROP",
				"VaporRage"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "20d3a08a-3b97-4b2f-90b8-92a89089a57a",
			"created_at": "2022-10-25T15:50:23.548494Z",
			"updated_at": "2026-04-10T02:00:05.292748Z",
			"deleted_at": null,
			"main_name": "APT29",
			"aliases": [
				"APT29",
				"IRON RITUAL",
				"IRON HEMLOCK",
				"NobleBaron",
				"Dark Halo",
				"NOBELIUM",
				"UNC2452",
				"YTTRIUM",
				"The Dukes",
				"Cozy Bear",
				"CozyDuke",
				"SolarStorm",
				"Blue Kitsune",
				"UNC3524",
				"Midnight Blizzard"
			],
			"source_name": "MITRE:APT29",
			"tools": [
				"PinchDuke",
				"ROADTools",
				"WellMail",
				"CozyCar",
				"Mimikatz",
				"Tasklist",
				"OnionDuke",
				"FatDuke",
				"POSHSPY",
				"EnvyScout",
				"SoreFang",
				"GeminiDuke",
				"reGeorg",
				"GoldMax",
				"FoggyWeb",
				"SDelete",
				"PolyglotDuke",
				"AADInternals",
				"MiniDuke",
				"SeaDuke",
				"Sibot",
				"RegDuke",
				"CloudDuke",
				"GoldFinder",
				"AdFind",
				"PsExec",
				"NativeZone",
				"Systeminfo",
				"ipconfig",
				"Impacket",
				"Cobalt Strike",
				"PowerDuke",
				"QUIETEXIT",
				"HAMMERTOSS",
				"BoomBox",
				"CosmicDuke",
				"WellMess",
				"VaporRage",
				"LiteDuke"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "f27790ff-4ee0-40a5-9c84-2b523a9d3270",
			"created_at": "2022-10-25T16:07:23.341684Z",
			"updated_at": "2026-04-10T02:00:04.549917Z",
			"deleted_at": null,
			"main_name": "APT 29",
			"aliases": [
				"APT 29",
				"ATK 7",
				"Blue Dev 5",
				"BlueBravo",
				"Cloaked Ursa",
				"CloudLook",
				"Cozy Bear",
				"Dark Halo",
				"Earth Koshchei",
				"G0016",
				"Grizzly Steppe",
				"Group 100",
				"ITG11",
				"Iron Hemlock",
				"Iron Ritual",
				"Midnight Blizzard",
				"Minidionis",
				"Nobelium",
				"NobleBaron",
				"Operation Ghost",
				"Operation Office monkeys",
				"Operation StellarParticle",
				"SilverFish",
				"Solar Phoenix",
				"SolarStorm",
				"StellarParticle",
				"TEMP.Monkeys",
				"The Dukes",
				"UNC2452",
				"UNC3524",
				"Yttrium"
			],
			"source_name": "ETDA:APT 29",
			"tools": [
				"7-Zip",
				"ATI-Agent",
				"AdFind",
				"Agentemis",
				"AtNow",
				"BEATDROP",
				"BotgenStudios",
				"CEELOADER",
				"Cloud Duke",
				"CloudDuke",
				"CloudLook",
				"Cobalt Strike",
				"CobaltStrike",
				"CosmicDuke",
				"Cozer",
				"CozyBear",
				"CozyCar",
				"CozyDuke",
				"Danfuan",
				"EnvyScout",
				"EuroAPT",
				"FatDuke",
				"FoggyWeb",
				"GeminiDuke",
				"Geppei",
				"GoldFinder",
				"GoldMax",
				"GraphDrop",
				"GraphicalNeutrino",
				"GraphicalProton",
				"HAMMERTOSS",
				"HammerDuke",
				"LOLBAS",
				"LOLBins",
				"LiteDuke",
				"Living off the Land",
				"MagicWeb",
				"Mimikatz",
				"MiniDionis",
				"MiniDuke",
				"NemesisGemina",
				"NetDuke",
				"OnionDuke",
				"POSHSPY",
				"PinchDuke",
				"PolyglotDuke",
				"PowerDuke",
				"QUIETEXIT",
				"ROOTSAW",
				"RegDuke",
				"Rubeus",
				"SNOWYAMBER",
				"SPICYBEAT",
				"SUNSHUTTLE",
				"SeaDaddy",
				"SeaDask",
				"SeaDesk",
				"SeaDuke",
				"Sharp-SMBExec",
				"SharpView",
				"Sibot",
				"Solorigate",
				"SoreFang",
				"TinyBaron",
				"WINELOADER",
				"WellMail",
				"WellMess",
				"cobeacon",
				"elf.wellmess",
				"reGeorg",
				"tDiscoverer"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434396,
	"ts_updated_at": 1775826784,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/8ac527d0eaecec6e025d0e83163552dd6b84533a.pdf",
		"text": "https://archive.orkl.eu/8ac527d0eaecec6e025d0e83163552dd6b84533a.txt",
		"img": "https://archive.orkl.eu/8ac527d0eaecec6e025d0e83163552dd6b84533a.jpg"
	}
}