{
	"id": "2ef9e074-5e21-4cd5-8d10-c6e517d6656e",
	"created_at": "2026-04-06T00:08:49.085161Z",
	"updated_at": "2026-04-10T13:12:27.920186Z",
	"deleted_at": null,
	"sha1_hash": "b31b565ca660964fad9327603d6a1d916ee00b2c",
	"title": "SOLARWINDS HACK - Sunburst, Supernova and more - CYFIRMA",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 114501,
	"plain_text": "SOLARWINDS HACK - Sunburst, Supernova and more -\r\nCYFIRMA\r\nBy adminanna\r\nPublished: 2020-12-24 · Archived: 2026-04-05 20:28:09 UTC\r\nPublished On : 2020-12-24\r\nResearch on this cyberattack is ongoing. Its full magnitude and impact are still under investigation. This report will be updated by CYFIRMA researchers as new data comes to light.\r\nThis report covers the following:\r\nOUTLINE\r\n1. Summary\r\n2. Introduction\r\n3. Key Findings\r\n4. Suspected Threat Actors\r\n5. Insights\r\n6. YARA Rules\r\n7. Recommendations\r\n8. Indicators of Compromise\r\n9. Extract of List of Organizations affected by the campaign (As of 21 December 2020)\r\nSUMMARY\r\nAttack Vector: Vulnerabilities and Exploits, Steganography\r\nObjective: Lateral Movement, Data Exfiltration, Credential Theft\r\nSuspected Hacker Group: Unknown Russian Groups \u003cReach out to CYFIRMA for details\u003e\r\nTarget Country: Global\r\nhttps://www.cyfirma.com/solarwinds-hack-sunburst-supernova-and-more/\r\nPage 1 of 4\n\nTarget Industry: Government agencies, Universities, Manufacturing, Hospitals, Telco and Technology, Semiconductor, Retail, Financial, and many more\r\nType of Attack: Supply Chain\r\nTarget Technology: SolarWinds – Orion Platform 2019.4 HF 5, 2020.2 with no hotfix, and 2020.2 HF 1\r\nDetected Date: 13 December 2020\r\nAttack Status: Ongoing\r\nRisk Rate: High\r\nINTRODUCTION\r\nAccording to researchers, threat actors have gained access to numerous institutions and organizations around the world in a widespread campaign, known as UNC2452. 
This was executed by trojanizing SolarWinds Orion business software updates, which inserted a backdoor (SUNBURST) into the Orion Platform software builds for versions 2019.4 HF 5, 2020.2 with no hotfix, and 2020.2 HF 1. If present and activated, the backdoor potentially allowed attackers to compromise the server on which the Orion products run.\r\nSubsequent activity after this supply chain compromise has included lateral movement and data theft. The campaign is the work of a highly qualified set of possibly state-sponsored threat actors, and the operation was carried out with significant operational efficacy and competency.\r\nThe cyberattack, which began last spring, targeted numerous entities of the US administration, in addition to public and private organizations from around the world. Potentially attributed to Russia, it would be one of the most unsettling attacks identified in years.\r\nIn the subsequent analysis of the trojanized Orion artifacts, the .NET DLL app_web_logoimagehandler.ashx.b6031896.dll was dubbed SUPERNOVA; details of its operation are still being uncovered and progressively explored publicly.\r\nAfter an initial period of inactivity of up to two weeks, the backdoors retrieve and run commands, called “Jobs,” which include the ability to transfer files, run files, profile the system, reboot the machine, and disable system services. The malware disguises its network traffic as the Orion Improvement Program (OIP) protocol and stores reconnaissance results within legitimate plug-in configuration files, allowing it to blend in with legitimate SolarWinds activity. The backdoors use multiple obfuscated blocklists to identify forensic and antivirus tools running as processes, services, and drivers.\r\nKEY FINDINGS\r\nPost-compromise behavior following this supply chain compromise involved lateral movement and data theft. 
The campaign is the work of a highly skilled threat actor, and the operation was conducted with significant operational proficiency and persistence.\r\nTraces of SUPERNOVA (Latest)\r\nBy analyzing artifacts from the SolarWinds Orion supply chain attack, security researchers uncovered another backdoor, likely coming from a different threat actor. Dubbed SUPERNOVA, the malware is a webshell planted in the code of the Orion network and application monitoring platform, and it has allowed adversaries to execute arbitrary code on machines running the trojanized version of the software.\r\nThe webshell is a trojanized variant of a legitimate .NET library (app_web_logoimagehandler.ashx.b6031896.dll) present in the SolarWinds Orion software, modified to allow it to bypass automated defense mechanisms.\r\nOrion software uses the DLL to expose an HTTP API, allowing the host to respond to other subsystems when they request a specific GIF image.\r\nResearchers analysing the DLL concluded that the malware could escape even manual analysis, as the code implemented in the legitimate DLL is harmless and of “relatively high quality”. Threat actors added four new parameters to the legitimate SolarWinds file to receive signals from the command and control (C2) infrastructure.\r\nThe malicious code contains a unique method, DynamicRun, that compiles the parameters into an in-memory .NET assembly on the fly, leaving no artifacts on the disk of a compromised device. 
In this way, the attacker can send arbitrary code to the infected device and execute it in the context of the user, who most often has elevated privileges and visibility on the network.\r\nMost webshells run their payloads in the context of the runtime environment or by calling a subshell or process such as CMD, PowerShell, or Bash.\r\nMicrosoft believes that SUPERNOVA is likely the work of an adversary different from the one who breached cybersecurity firm FireEye and more than half a dozen US government entities.\r\nSUNBURST Backdoor (Earlier)\r\nSolarWinds.Orion.Core.BusinessLayer.dll is a digitally signed Orion software component that includes a backdoor communicating with third-party servers over HTTP. This SolarWinds Orion plugin is being tracked as a trojanised version.\r\nAfter an initial sleep period of up to two weeks, it retrieves and runs commands, called “Jobs,” which include file transfer, file execution, system profiling, rebooting the machine, and disabling system services. The malware masks its network traffic as the Orion Improvement Program (OIP) protocol and stores reconnaissance results within legitimate plugin configuration files, allowing it to blend in with legitimate SolarWinds operation. The backdoor uses several obfuscated blocklists to identify forensic and anti-virus tools running as processes, services, and drivers.\r\nPost-Compromise Operations\r\nAfter gaining initial access, this group uses a variety of techniques to cover up its activities while moving laterally. These threat actors tend to keep a light malware footprint, preferring to use legitimate credentials and remote access to the victim’s environment.\r\nTEARDROP is a memory-only dropper that runs as a service, spawns a thread, and reads from a file named “gracious truth.jpg”, which likely has a fake JPG header. 
It then checks that the registry key HKU\\SOFTWARE\\Microsoft\\CTF exists, decodes an embedded payload using a custom rolling XOR algorithm, and manually loads the embedded payload into memory using a custom PE-like file format. TEARDROP shares no code with any previously seen malware.\r\nThe threat actor sets hostnames on its command-and-control infrastructure to match legitimate hostnames found in the victim’s environment. This helps the adversary blend into the environment, avoid suspicion, and evade detection.\r\nSolarWinds.Orion.Core.BusinessLayer.dll (b91ce2fa41029f6955bff20079468448) is a SolarWinds-signed plugin component of the Orion software system that contains an obfuscated backdoor communicating with third-party servers over HTTP. After an initial inactive period of up to two weeks, it retrieves and executes commands called “Jobs,” which provide the ability to transfer and execute files, profile the system, and disable system services. The backdoor’s behavior and network protocol blend into legitimate SolarWinds operations: it masquerades as the Orion Improvement Program (OIP) protocol and stores reconnaissance data in plugin configuration files. The backdoor uses a range of blocklists to identify forensic and anti-virus tools running as processes, services, and drivers.\r\nResearchers have claimed that FireEye, Microsoft, and GoDaddy worked together to build a “kill switch” for the Sunburst malware.\r\nSUSPECTED THREAT ACTORS\r\nUnknown Russian Groups. Reach out to CYFIRMA for detailed insights on the attributions and correlations.\r\nINSIGHTS\r\nSolarWinds is a well-known managed services provider that offers a range of tools and services to organizations for managing their IT infrastructure. Adversaries have tampered with SolarWinds’ Orion platform, software used to monitor and manage large networks. 
It is expected that software update versions between 2019.4 and 2020.2.1 have been exploited by the adversaries. The company has now released a fix in version 2020.2.1 HF 2.\r\nResearchers warned that software updates for SolarWinds’ Orion product had been subverted by backdoors dubbed SUPERNOVA and SUNBURST. The malicious software updates, which were signed with valid digital signatures, could steal files, profile systems, and disable system services.\r\nThreat actors are upgrading their arsenal with new and sophisticated malware tools to target organizations and exfiltrate sensitive information. Threat actors have been observed pushing their malware and tools as part of updates to a legitimate application and using steganography to evade detection.\r\nFor more research data on YARA rules, IoCs, and hashes, email CONTACT@CYFIRMA.COM\r\nSource: https://www.cyfirma.com/solarwinds-hack-sunburst-supernova-and-more/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://www.cyfirma.com/solarwinds-hack-sunburst-supernova-and-more/"
	],
	"report_names": [
		"solarwinds-hack-sunburst-supernova-and-more"
	],
	"threat_actors": [
		{
			"id": "b43e5ea9-d8c8-4efa-b5bf-f1efb37174ba",
			"created_at": "2022-10-25T16:07:24.36191Z",
			"updated_at": "2026-04-10T02:00:04.954902Z",
			"deleted_at": null,
			"main_name": "UNC2452",
			"aliases": [
				"Dark Halo",
				"Nobelium",
				"SolarStorm",
				"StellarParticle",
				"UNC2452"
			],
			"source_name": "ETDA:UNC2452",
			"tools": [],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "1d3f9dec-b033-48a5-8b1e-f67a29429e89",
			"created_at": "2022-10-25T15:50:23.739197Z",
			"updated_at": "2026-04-10T02:00:05.275809Z",
			"deleted_at": null,
			"main_name": "UNC2452",
			"aliases": [
				"UNC2452",
				"NOBELIUM",
				"StellarParticle",
				"Dark Halo"
			],
			"source_name": "MITRE:UNC2452",
			"tools": [
				"Sibot",
				"Mimikatz",
				"Cobalt Strike",
				"AdFind",
				"GoldMax"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "5b748f86-ac32-4715-be9f-6cf25ae48a4e",
			"created_at": "2024-06-04T02:03:07.956135Z",
			"updated_at": "2026-04-10T02:00:03.689959Z",
			"deleted_at": null,
			"main_name": "IRON HEMLOCK",
			"aliases": [
				"APT29 ",
				"ATK7 ",
				"Blue Kitsune ",
				"Cozy Bear ",
				"The Dukes",
				"UNC2452 ",
				"YTTRIUM "
			],
			"source_name": "Secureworks:IRON HEMLOCK",
			"tools": [
				"CosmicDuke",
				"CozyCar",
				"CozyDuke",
				"DiefenDuke",
				"FatDuke",
				"HAMMERTOSS",
				"LiteDuke",
				"MiniDuke",
				"OnionDuke",
				"PolyglotDuke",
				"RegDuke",
				"RegDuke Loader",
				"SeaDuke",
				"Sliver"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "a241a1ca-2bc9-450b-a07b-aae747ee2710",
			"created_at": "2024-06-19T02:03:08.150052Z",
			"updated_at": "2026-04-10T02:00:03.737173Z",
			"deleted_at": null,
			"main_name": "IRON RITUAL",
			"aliases": [
				"APT29",
				"Blue Dev 5 ",
				"BlueBravo ",
				"Cloaked Ursa ",
				"CozyLarch ",
				"Dark Halo ",
				"Midnight Blizzard ",
				"NOBELIUM ",
				"StellarParticle ",
				"UNC2452 "
			],
			"source_name": "Secureworks:IRON RITUAL",
			"tools": [
				"Brute Ratel C4",
				"Cobalt Strike",
				"EnvyScout",
				"GoldFinder",
				"GoldMax",
				"NativeZone",
				"RAINDROP",
				"SUNBURST",
				"Sibot",
				"TEARDROP",
				"VaporRage"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "70872c3a-e788-4b55-a7d6-b2df52001ad0",
			"created_at": "2023-01-06T13:46:39.18401Z",
			"updated_at": "2026-04-10T02:00:03.239111Z",
			"deleted_at": null,
			"main_name": "UNC2452",
			"aliases": [
				"DarkHalo",
				"StellarParticle",
				"NOBELIUM",
				"Solar Phoenix",
				"Midnight Blizzard"
			],
			"source_name": "MISPGALAXY:UNC2452",
			"tools": [
				"SNOWYAMBER",
				"HALFRIG",
				"QUARTERRIG"
			],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "20d3a08a-3b97-4b2f-90b8-92a89089a57a",
			"created_at": "2022-10-25T15:50:23.548494Z",
			"updated_at": "2026-04-10T02:00:05.292748Z",
			"deleted_at": null,
			"main_name": "APT29",
			"aliases": [
				"APT29",
				"IRON RITUAL",
				"IRON HEMLOCK",
				"NobleBaron",
				"Dark Halo",
				"NOBELIUM",
				"UNC2452",
				"YTTRIUM",
				"The Dukes",
				"Cozy Bear",
				"CozyDuke",
				"SolarStorm",
				"Blue Kitsune",
				"UNC3524",
				"Midnight Blizzard"
			],
			"source_name": "MITRE:APT29",
			"tools": [
				"PinchDuke",
				"ROADTools",
				"WellMail",
				"CozyCar",
				"Mimikatz",
				"Tasklist",
				"OnionDuke",
				"FatDuke",
				"POSHSPY",
				"EnvyScout",
				"SoreFang",
				"GeminiDuke",
				"reGeorg",
				"GoldMax",
				"FoggyWeb",
				"SDelete",
				"PolyglotDuke",
				"AADInternals",
				"MiniDuke",
				"SeaDuke",
				"Sibot",
				"RegDuke",
				"CloudDuke",
				"GoldFinder",
				"AdFind",
				"PsExec",
				"NativeZone",
				"Systeminfo",
				"ipconfig",
				"Impacket",
				"Cobalt Strike",
				"PowerDuke",
				"QUIETEXIT",
				"HAMMERTOSS",
				"BoomBox",
				"CosmicDuke",
				"WellMess",
				"VaporRage",
				"LiteDuke"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "f27790ff-4ee0-40a5-9c84-2b523a9d3270",
			"created_at": "2022-10-25T16:07:23.341684Z",
			"updated_at": "2026-04-10T02:00:04.549917Z",
			"deleted_at": null,
			"main_name": "APT 29",
			"aliases": [
				"APT 29",
				"ATK 7",
				"Blue Dev 5",
				"BlueBravo",
				"Cloaked Ursa",
				"CloudLook",
				"Cozy Bear",
				"Dark Halo",
				"Earth Koshchei",
				"G0016",
				"Grizzly Steppe",
				"Group 100",
				"ITG11",
				"Iron Hemlock",
				"Iron Ritual",
				"Midnight Blizzard",
				"Minidionis",
				"Nobelium",
				"NobleBaron",
				"Operation Ghost",
				"Operation Office monkeys",
				"Operation StellarParticle",
				"SilverFish",
				"Solar Phoenix",
				"SolarStorm",
				"StellarParticle",
				"TEMP.Monkeys",
				"The Dukes",
				"UNC2452",
				"UNC3524",
				"Yttrium"
			],
			"source_name": "ETDA:APT 29",
			"tools": [
				"7-Zip",
				"ATI-Agent",
				"AdFind",
				"Agentemis",
				"AtNow",
				"BEATDROP",
				"BotgenStudios",
				"CEELOADER",
				"Cloud Duke",
				"CloudDuke",
				"CloudLook",
				"Cobalt Strike",
				"CobaltStrike",
				"CosmicDuke",
				"Cozer",
				"CozyBear",
				"CozyCar",
				"CozyDuke",
				"Danfuan",
				"EnvyScout",
				"EuroAPT",
				"FatDuke",
				"FoggyWeb",
				"GeminiDuke",
				"Geppei",
				"GoldFinder",
				"GoldMax",
				"GraphDrop",
				"GraphicalNeutrino",
				"GraphicalProton",
				"HAMMERTOSS",
				"HammerDuke",
				"LOLBAS",
				"LOLBins",
				"LiteDuke",
				"Living off the Land",
				"MagicWeb",
				"Mimikatz",
				"MiniDionis",
				"MiniDuke",
				"NemesisGemina",
				"NetDuke",
				"OnionDuke",
				"POSHSPY",
				"PinchDuke",
				"PolyglotDuke",
				"PowerDuke",
				"QUIETEXIT",
				"ROOTSAW",
				"RegDuke",
				"Rubeus",
				"SNOWYAMBER",
				"SPICYBEAT",
				"SUNSHUTTLE",
				"SeaDaddy",
				"SeaDask",
				"SeaDesk",
				"SeaDuke",
				"Sharp-SMBExec",
				"SharpView",
				"Sibot",
				"Solorigate",
				"SoreFang",
				"TinyBaron",
				"WINELOADER",
				"WellMail",
				"WellMess",
				"cobeacon",
				"elf.wellmess",
				"reGeorg",
				"tDiscoverer"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434129,
	"ts_updated_at": 1775826747,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/b31b565ca660964fad9327603d6a1d916ee00b2c.pdf",
		"text": "https://archive.orkl.eu/b31b565ca660964fad9327603d6a1d916ee00b2c.txt",
		"img": "https://archive.orkl.eu/b31b565ca660964fad9327603d6a1d916ee00b2c.jpg"
	}
}