{
	"id": "54fb2162-5d79-40c1-8990-5f942176ffa8",
	"created_at": "2026-04-06T00:13:15.884956Z",
	"updated_at": "2026-04-10T03:20:31.019798Z",
	"deleted_at": null,
	"sha1_hash": "c0435ece25e063b9dcdc0cf26f217d8f52113b94",
	"title": "Ongoing Analysis of SolarWinds Impacts",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 116478,
	"plain_text": "Ongoing Analysis of SolarWinds Impacts\r\nBy Rami Mizrahi\r\nPublished: 2021-01-26 · Archived: 2026-04-05 21:24:07 UTC\r\nIf you are following the latest updates on the SolarWinds attack, you may have seen that hq.fidelis is now included\r\nin the growing list of domains known to have been targeted by the attackers. While hq.fidelis is not conclusively\r\nFidelis Security, it certainly could be associated with us and something we needed to investigate further. In this\r\nblog, we, the Fidelis TRT team, will provide you with the latest information we have on this as well as our efforts to\r\ndate to investigate and determine if there has been any impact to our networks and data.\r\nTo date we have not turned up any evidence that the SolarWinds compromise has impacted our networks,\r\nalthough our analysis continues. In the spirit of openness and the trust we have with our customers, partners, and\r\nthe greater security community, we are providing a detailed account of our investigation and will continue to\r\nupdate it here.\r\nOn Monday, 1/25, security research firm NETRESEC AB published a list of 23 domains containing the\r\n“STAGE2” flag in SUNBURST’s DNS beacons[1]. The “STAGE 2” flag identifies domains that were singled out\r\nas interesting targets by the threat actors, and “hq.fidelis” was included in that list. The diagram below indicates\r\nthe three stages of the SUNBURST attack sequence as identified by FireEye.\r\nRef: NETRESEC Blog\r\nFollowing the FireEye/SolarWinds disclosure in December, we initiated an internal review of Fidelis networks\r\nunder the assumption that we too could have been a target. We do not use SolarWinds Orion software for\r\nmanagement of our corporate systems; however, the nature of our work requires us to test all kinds of software for\r\ncompatibility with our products and we wanted to rule out use of SolarWinds software anywhere within our\r\nnetworks. 
Using Fidelis Endpoint, we were able to determine that we had installed an evaluation copy of the\r\ntrojanized SolarWinds Orion software on one of our machines in May 2020 as part of a software evaluation and as\r\na result, we continued to dig deeper. The software installation was traced to a machine configured as a test system,\r\nisolated from our core network, and infrequently powered on.\r\nhttps://fidelissecurity.com/threatgeek/data-protection/ongoing-analysis-solarwinds-impact/\r\nPage 1 of 2\n\nOur initial review also included analysis of Fidelis Network metadata and various system logs using threat\r\nindicators provided by the Fidelis Threat Research Team (TRT) as well as threat indicators and analysis tools\r\npublished by others. One of those tools was NETRESEC’s Sunburst Domain Decoder Tool[2] that filters and\r\ndecodes passive DNS (pDNS) records associated with the SUNBURST “STAGE 1” callout domain (avsvmcloud).\r\nUsing the pDNS sources available at the time, we did not identify the “hq.fidelis” domain in pDNS records\r\nassociated with SUNBURST.\r\nOn Friday evening (1/23), we identified an additional source of pDNS information and using the Sunburst Domain\r\nDecoder Tool were able to confirm that a machine on hq.fidelis domain had communicated with the SUNBURST\r\ncallout “STAGE 1” domain and hq.fidelis was flagged by the attackers as a domain of interest and worth targeting.\r\nFrom analysis of the pDNS records we were able to identify a four-day period in May where the machine on our\r\nnetwork communicated with the malware’s “STAGE 1” infrastructure (avsvmcloud). Analysis of pDNS records\r\nalso indicated that the malware set the “STAGE 2” flag within the DNS transaction indicating that we were a\r\ntarget of interest to the attacker. 
We, however, have not been able to identify any follow-on pDNS or DNS\r\ntransactions that provide a CNAME for the malware’s “STAGE 3” C2 infrastructure (we would certainly\r\nappreciate any pointers to this information from the security researcher community if they have additional\r\ninformation to offer). The absence of DNS records that provide a CNAME for the “STAGE 3” command and\r\ncontrol would indicate that the malware on our system may not have received a CNAME required for it to\r\ncommunicate with the “STAGE 3” C2 infrastructure.\r\nOur current belief, subject to change given additional information, is that the test and evaluation machine where\r\nthis software was installed was sufficiently isolated and powered up too infrequently for the attacker to take it to\r\nthe next stage of the attack.\r\nThough we have not identified any evidence to date that the SolarWinds compromise has impacted our networks,\r\nwe will continue to investigate potential impacts using our own tooling much like we recommend our customers\r\ndo. While we are not happy about being targeted by the attackers behind the SolarWinds, FireEye, Microsoft, and\r\nMalwarebytes attacks, we think this is a good learning opportunity both for our own internal team (i.e., drink your\r\nown champagne and practice your incident response plan), as well as the security community on the best practices\r\nto apply to an advanced adversary attack like “SUNBURST”. To this end we will publish best practices for\r\nidentifying whether your enterprise may be under attack from an adversary like the one behind the SolarWinds\r\nattack as well as our findings.\r\nReferences\r\n1. https://www.netresec.com/?page=Blog\u0026month=2021-01\u0026post=Twenty-three-SUNBURST-Targets-Identified\r\n2. 
https://www.netresec.com/?page=Blog\u0026month=2021-01\u0026post=Finding-Targeted-SUNBURST-Victims-with-pDNS\r\nSource: https://fidelissecurity.com/threatgeek/data-protection/ongoing-analysis-solarwinds-impact/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://fidelissecurity.com/threatgeek/data-protection/ongoing-analysis-solarwinds-impact/"
	],
	"report_names": [
		"ongoing-analysis-solarwinds-impact"
	],
	"threat_actors": [],
	"ts_created_at": 1775434395,
	"ts_updated_at": 1775791231,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/c0435ece25e063b9dcdc0cf26f217d8f52113b94.pdf",
		"text": "https://archive.orkl.eu/c0435ece25e063b9dcdc0cf26f217d8f52113b94.txt",
		"img": "https://archive.orkl.eu/c0435ece25e063b9dcdc0cf26f217d8f52113b94.jpg"
	}
}