{
	"id": "8b92d7f1-f272-4ab6-97f7-f8b7da0f8f34",
	"created_at": "2026-04-06T00:17:48.010096Z",
	"updated_at": "2026-04-10T03:37:33.160678Z",
	"deleted_at": null,
	"sha1_hash": "c186c76caaa69474c82aea2ae221c203501e4114",
	"title": "The SolarWinds Orion SUNBURST Supply-chain Attack - Trulysuper",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 157300,
	"plain_text": "The SolarWinds Orion SUNBURST Supply-chain Attack - Trulysuper\r\nBy siteadmin\r\nPublished: 2020-12-16 · Archived: 2026-04-05 13:24:39 UTC\r\nUPDATE 2020-12-19 23:20 UTC: updated results table\r\nUPDATE 2020-12-21 15:37 UTC: updated section on C2 infrastructure based on current findings\r\nUPDATE 2020-12-22 17:04 UTC: added link to Invoke-SunburstDecoder\r\nUPDATE 2020-12-22 22:48 UTC: added section: Disabling security services and avoiding detection\r\nUPDATE 2020-12-23 17:33 UTC: updated results table\r\nUPDATE 2021-01-26 13:00 UTC: clarified some of the statements about targeted organizations, as they are only\r\nassumptions.\r\nThis post provides a list of internal names of organizations that had the SUNBURST backdoor installed, as well as which of\r\nthese organizations have indications of having proceeded to the second stage of the attack, where further internal\r\ncompromise might have taken place.\r\nSummary\r\nThe recent SolarWinds Orion hack is part of a cyber attack that is one of the most severe in history.\r\nA supply chain attack leveraged SolarWinds Orion updates to deliver a backdoor to potentially 18,000 SolarWinds\r\ncustomers. The attack was highly sophisticated.\r\nThe infected systems in the various compromised organizations were configured to probe the threat actor systems to request\r\ninstructions.\r\nTruesec Threat Intelligence analyzed the malware, as well as historical network data, to determine some of the affected\r\norganizations that the threat actor might have explicitly selected for further activities, where it is possible that further\r\ninternal compromise took place. 
These assumptions are based on historical network data (passive DNS) and the logic within\r\nthe malware when handling certain responses.\r\nWhile this is likely only a small part of the scope of the attack, it provides indications of the type of organizations that were\r\npotentially the real targets of the attack.\r\nSome names stand out, such as ggsg-us.cisco (Cisco GGSG), us.deloitte.co (Deloitte), nswhealth.net (NSW Ministry of\r\nHealth in Australia), banccentral.com (service supplier of IT and security for banks), and many others.\r\nThe impact of this attack is likely to be of gigantic proportions. The full extent of this breach will most likely never be\r\ncommunicated to the public, and instead will be restricted to trusted parts of the intelligence community.\r\nIntroduction\r\nA supply chain attack leveraged SolarWinds to deliver malicious software updates to their customers (approximately 18,000\r\npotentially affected customers according to SolarWinds). The update installed a sophisticated backdoor giving the threat\r\nactor the ability to access selected targets and proceed with further activities inside the compromised organizations.\r\nIt is believed that the attack was carried out by a nation-state actor, likely APT29 a.k.a. Cozy Bear, i.e. Russian Intelligence.\r\nFireEye and Microsoft initially published reports[1][2] describing some of the inner workings of the backdoor. A second,\r\nmore detailed, post was later published by FireEye[15]. 
The backdoor is remarkably sophisticated and would merit a long\r\ntechnical description; only some of its functionality and characteristics are described in this article.\r\nTruesec Threat Intelligence analyzed the backdoor as well as historical network data to identify patterns revealing possible\r\nvictims.\r\nhttps://blog.truesec.com/2020/12/17/the-solarwinds-orion-sunburst-supply-chain-attack/\r\nPage 1 of 16\n\nDue to the nature of the attack, a large number of organizations around the world have been affected by the backdoor, while\r\nlikely only a smaller number were specifically selected and targeted by the threat actor to conduct additional internal\r\ncompromise (phase 2).\r\nTechnical Background\r\nThe threat actor was able to inject a backdoor in the Solarwinds Orion software by modifying the source code of an existing\r\nplugin, which was then signed by Solarwinds and published as part of an update available on the SolarWinds website.\r\nSolarWinds published an advisory[3] specifying the versions affected.\r\nThe malicious update had been available for several months and there are indications of breaches as early as March 2020.\r\nOne of the identified malicious updates was hosted at the following URL:\r\nhxxps://downloads.solarwinds[.]com/solarwinds/CatalogResources/Core/2019.4/2019.4.5220.20574/SolarWinds-Core-v\r\nThe update package was properly digitally signed, as shown below.\r\nFigure 1 – Malicious Solarwinds Orion update containing SUNBURST backdoor\r\nThe backdoor code was made part of the following digitally signed Orion component:\r\nSolarWinds.Orion.Core.BusinessLayer.dll\r\nThis DLL is also signed.\r\nFigure 2 – Malicious Solarwinds Orion DLL containing SUNBURST backdoor\r\nThe backdoor implements sophisticated functionality to communicate with the threat actor infrastructure and applies logic to\r\ndetermine what actions 
should be taken.\r\nAs a large number of Orion servers around the world have been infected with the backdoor, the threat actor had to have a\r\nway to determine which organization was contacting the attack infrastructure to be able to select the real targets of this attack.\r\nThis logic is partially explained below. For details see the FireEye article [15].\r\nThe hacked servers that received the Solarwinds backdoor periodically probe the threat actor infrastructure with a DNS\r\nquery like the following:\r\n\u003cDGA_value\u003e.appsync-api.eu-west-1[.]avsvmcloud[.]com\r\nwhere \u003cDGA_value\u003e is computed with a Domain Generation Algorithm (DGA) and contains an encoded version of the\r\ninternal Active Directory name of the infected server. The threat actor server decodes the information in the DNS requests\r\nand uses the internal domain name of the organization to determine what instructions to send back.\r\nTruesec reversed the backdoor and identified a set of IP address ranges that, when received as part of the DNS response, will\r\ndetermine the actions taken by the backdoor code. Part of this code is illustrated in the figure below.\r\nFigure 3 – Reversed SUNBURST backdoor showing IP ranges used to determine next actions\r\nThe AddressFamily field determines what the backdoor should do next, which can be roughly summarized as follows:\r\nAtm or ImpLink: Terminate (killswitch).\r\nIpx: Go to initial state and keep polling.\r\nNetBios: Start or continue second stage. 
Can initialize an HTTP backdoor channel used to collect additional information and\r\ndeploy second-stage malware (specified by the threat actor at the time of instructions, and therefore specific to the target).\r\nWe can therefore assume that if the initial probe was answered with an address of type NetBios, the threat actor had\r\nconfigured the backdoor to move to the second stage, which is where additional malware can be deployed to possibly\r\nperform additional internal compromise.\r\nGiven the number of affected organizations, it is still likely that a large number of victims with indications of stage 2, as\r\ndescribed here, were later filtered out by the threat actor (not deemed worthy of further attack).\r\nIdentifying Internal Names of Victims\r\nThe Domain Generation Algorithm described earlier, used to create a DNS query containing an encoded value of the\r\ninternal domain name of the compromised organization, can be reversed.\r\nRedDrip Team published a report[4] and a script[5] to decode the DGA part of the DNS requests, which makes it possible to\r\nretrieve the cleartext value of the internal domain name of the hacked server that made the request.\r\nFor example, if a compromised server makes the following request to the threat actor server:\r\nciepcqqog816s6urtt6t0kf60ceo6e20.appsync-api.us-east-2.avsvmcloud[.]com\r\nThis can be decoded to obtain the following internal name of the victim:\r\nggsg-us.cisco\r\nThis means that having records of performed DNS requests to avsvmcloud[.]com will reveal the internal names of the\r\ncompromised organizations.\r\nThe SUNBURST backdoor uses the following three parameters to create a “Host Id” used in the DNS requests:\r\nMAC address of the network interface\r\nInternal domain name that the machine is joined to\r\nMachineGuid from HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Cryptography\\MachineGuid\r\nSince the 
DGA values from DNS requests can be decoded, if you have a DNS request and you want to see if it was\r\ngenerated from a certain machine, you only need to know the MAC address, internal domain name, and MachineGuid.\r\nThis can be extremely helpful during investigations to determine if a machine had a communicating SUNBURST backdoor\r\non it. We wrote a PowerShell script that can be used for this, based on the great work by Erik Hjelmvik, Netresec.\r\nIdentifying Threat Actor Instructions\r\nThe next step was to obtain historical records of DNS requests, including the response. We obtained some of the available\r\nhistorical data[6].\r\nThe sample data contains 1528 DNS requests to avsvmcloud[.]com and their responses.\r\nWhen filtered for requests matching the DGA syntax, we have requests with dates ranging from early April to\r\nDecember 2020.\r\nThis is an example of such a request and response:\r\ndate : 2020-04-19 08:24:26\r\nlast_seen : 2020-04-19 08:24:27\r\nqtype : 1\r\ndomain : avsvmcloud.com\r\nqname : q8bps26mocuq6re4dutru70ct2w.appsync-api.us-east-1.avsvmcloud.com\r\nvalue_ip : 8.18.144.138\r\ntype : ip\r\n_key : 0e8ab64d5f5aff04fea862f4f72fcf1d04c3d377\r\nvalue : 8.18.144.138\r\nFrom this data we can determine that on April 19th, a request was made that decodes to the internal name pageaz.gov, and\r\nreceived the response 8.18.144.138, which according to the backdoor logic explained earlier maps to address type NetBios,\r\nmeaning that the threat actor might have deployed an HTTP backdoor in this environment.\r\nCommand and Control Infrastructure\r\nBy analyzing the IP addresses returned when instructing infected servers to establish an HTTP backdoor, we can identify the\r\nfollowing blocks.\r\nIP block Registered Organization (WHOIS information)\r\n184.72.0.0 / 255.254.0.0 Amazon.com, Inc.\r\n71.152.53.0 / 255.255.255.0 Amazon.com, 
Inc.\r\n8.18.144.0 / 255.255.254.0 Amazon Inc.\r\n87.238.80.0 / 255.255.248.0 Amazon Data Services Ireland DUB3 Datacentre\r\n18.130.0.0 / 255.255.0.0 Amazon Technologies Inc.\r\n99.79.0.0 / 255.255.0.0 Amazon Data Services Canada\r\n199.201.117.0 / 255.255.255.0 Traiana, Inc\r\nTable 1 – List of IP blocks used when instructing systems to establish an HTTP backdoor, mapped to WHOIS information\r\nThese IP blocks are not used to establish the HTTP connection. Instead, if a CNAME record is contained in the response,\r\nthat is the address used as the C2 address for the new HTTP channel. FireEye listed the CNAME responses that they have\r\nobserved as part of their indicators of compromise[9]. These are also reported below for convenience:\r\nfreescanonline[.]com\r\ndeftsecurity[.]com\r\nthedoccloud[.]com\r\nWe initially thought that the A records in the blocks above were the C2 addresses, which would also make sense as almost\r\nall are part of the Amazon infrastructure and threat actors often use cloud providers to host their attack infrastructure. 
This\r\nwould have also meant that the block belonging to Traiana, Inc could potentially be under the control of the threat actor.\r\nTruesec Threat Intelligence observed a large number of DNS responses from the threat actor server providing different IP\r\naddresses in the range 199.201.117.0/24 for the next stage.\r\nAt this point in time, it does not seem that these IP blocks were under the control of the threat actor, but were instead\r\ndeliberately used as part of the logic within the backdoor.\r\nPutting the Pieces Together\r\nWe have decoded the DGA parts of the requests to identify internal domain names of compromised organizations, correlated\r\nthat with the responses received from the threat actor server, and mapped them against the hardcoded list of IP ranges in the\r\nbackdoor code.\r\nThis gives us a (partial) list of breached organizations, and which ones had the SUNBURST backdoor configured for the\r\nsecond stage of the attack where further internal compromise might have taken place.\r\nNote that some of the names are truncated. Further analysis is ongoing to determine if this can be improved.\r\nThe results are summarized at the bottom of this post. This list contains the decoded values of internal domain names. We\r\ncan therefore only assume that they belong to an organization based on the name of the domains and publicly available\r\ninformation.\r\nSome of the internal names stand out, such as ggsg-us.cisco (Cisco GGSG), us.deloitte.co (Deloitte), nswhealth.net (NSW\r\nMinistry of Health in Australia), banccentral.com (service supplier of IT and security for banks), and many others.\r\nDisabling Security Services and Avoiding Detection\r\nThe backdoor keeps an eye on a number of processes, services, and device drivers. 
It simply avoids running if any of the\r\nfollowing 137 processes are detected on the system.\r\napimonitor-x64\r\napimonitor-x86\r\nautopsy64\r\nautopsy\r\nautoruns64\r\nautoruns\r\nautorunsc64\r\nautorunsc\r\nbinaryninja\r\nblacklight\r\ncutter\r\nde4dot\r\ndebugview\r\ndiskmon\r\ndnsd\r\ndnspy\r\ndotpeek32\r\ndotpeek64\r\ndumpcap\r\nexeinfope\r\nfakedns\r\nfakenet\r\nffdec\r\nfiddler\r\nfileinsight\r\nfloss\r\ngdb\r\nhiew32\r\nidaq64\r\nidaq\r\nidr\r\nildasm\r\nilspy\r\njd-gui\r\nlordpe\r\nofficemalscanner\r\nollydbg\r\npdfstreamdumper\r\npe-bear\r\npebrowse64\r\npeid\r\npe-sieve32\r\npe-sieve64\r\npestudio\r\npeview\r\npexplorer\r\nppee\r\nppee\r\nprocdump64\r\nprocdump\r\nprocesshacker\r\nprocexp64\r\nprocexp\r\nprocmon\r\nprodiscoverbasic\r\npy2exedecompiler\r\nr2agent\r\nrabin2\r\nradare2\r\nramcapture64\r\nramcapture\r\nreflector\r\nregmon\r\nresourcehacker\r\nretdec-ar-extractor\r\nretdec-bin2llvmir\r\nretdec-bin2pat\r\nretdec-config\r\nretdec-fileinfo\r\nretdec-getsig\r\nretdec-idr2pat\r\nretdec-llvmir2hll\r\nretdec-macho-extractor\r\nretdec-pat2yara\r\nretdec-stacofin\r\nretdec-unpacker\r\nretdec-yarac\r\nrundotnetdll\r\nsbiesvc\r\nscdbg\r\nscylla_x64\r\nscylla_x86\r\nshellcode_launcher\r\nsolarwindsdiagnostics\r\nsysmon64\r\nsysmon\r\ntcpdump\r\ntcpvcon\r\ntcpview\r\nvboxservice\r\nwin32_remote\r\nwin64_remotex64\r\nwindbg\r\nwindump\r\nwinhex64\r\nwinhex\r\nwinobj\r\nwireshark\r\nx32dbg\r\nx64dbg\r\nxwforensics64\r\nxwforensics\r\nredcloak\r\navgsvc\r\navgui\r\navgsvca\r\navgidsagent\r\navgsvcx\r\navgwdsvcx\r\navgadminclientservice\r\nafwserv\r\navastui\r\navastsvc\r\naswidsagent\r\naswidsagenta\r\naswengsrv\r\navastavwrapper\r\nbccavsvc\r\npsanhost\r\npsuaservice\r\npsuamain\r\navp\r\navpui\r\nksde\r\nksdeui\r\ntanium\r\ntaniumclient\r\ntaniumdetectengine\r\ntaniumendpointindex\r\ntaniumtracecli\r\ntaniumtracewebsocketclient64\r\nThe second check is a list of 8 services matched by process names. The backdoor searches for the services and keeps track\r\nof the status of the services. Additionally, it changes the security descriptor of the service registry key and the start\r\nparameter. The service is never stopped by the backdoor and it looks like it simply waits until the machine restarts for the\r\nservice to change state. The state of the services is recorded and stored in the DLL config file using the parameter\r\nRetryWatcherPostpone.\r\nThe list of services is the following:\r\nmsmpeng\r\nmssense\r\ncavp\r\ncb\r\ncsfalconservice\r\ncsfalconcontainer\r\nxagt\r\nxagtnotif\r\nekrn\r\neguiproxy\r\negui\r\nfsgk32st\r\nfswebuid\r\nfsgk32\r\nfsma32\r\nfssm32\r\nfnrb32\r\nfsaua\r\nfsorsp\r\nfsav32\r\nThe backdoor avoids tampering with the start parameter of the WinDefend service and only changes the service key\r\nsecurity descriptor.\r\nThe third check is performed to detect 17 specific device drivers. 
This check behaves the same way as the check for\r\nprocesses and will make sure that the backdoor aborts if any of the following drivers are detected.\r\ncybkerneltracker.sys\r\natrsdfw.sys\r\neaw.sys\r\nrvsavd.sys\r\ndgdmk.sys\r\nsentinelmonitor.sys\r\nhexisfsmonitor.sys\r\ngroundling32.sys\r\ngroundling64.sys\r\nsafe-agent.sys\r\ncrexecprev.sys\r\npsepfilter.sys\r\ncve.sys\r\nbrfilter.sys\r\nbrcow_x_x_x_x.sys\r\nlragentmf.sys\r\nlibwamf.sys\r\nBased on this analysis, we can conclude that the detection of any of the specified processes or device drivers will always\r\nalter the execution path of the backdoor and discontinue execution, while the detection of the listed services will only\r\nalter the execution path if a change in the status was detected.\r\nNote that for services running as protected services, changing the service registry start parameter is not possible while the\r\nservice is running. This applies to services related to any antimalware with ELAM capabilities like Windows Defender.\r\nThe backdoor does not try to avoid the listed antivirus, antimalware, and EDR services. For unknown reasons, it tries to keep\r\ntrack of the status of these services.\r\nImpact of the Attack\r\nThe target organizations, the threat actor sophistication, and the amount of time between the initial breach and the discovery\r\nstrongly indicate an impact of gigantic proportions.\r\nIt is highly likely that a massive amount of highly confidential information belonging to government organizations, medical\r\ninstitutions, cybersecurity, the financial industry, etc. has been leaked. 
It is also highly likely that software and systems have\r\nbeen compromised and that the modus operandi of the SolarWinds breach can be repeated in future campaigns.\r\nMore information will be disclosed during the upcoming months, but the full extent of this breach will most likely never be\r\ncommunicated to the public, and instead will be restricted to trusted parts of the intelligence community.\r\nResults of the Analysis\r\nDecoded Internal Name Possible Organization (may be inaccurate)* Observed Message First Seen\r\nf.gnam 2nd stage 2020-04-04\r\ncorp.stratusnet Stratus Networks 2nd stage 2020-04-17\r\npageaz.gov City of Page 2nd stage 2020-04-19\r\ntx.org 2nd stage 2020-04-19\r\nnewdirections.kc 2nd stage 2020-04-21\r\nchristieclinic.com Christie Clinic Telehealth 2nd stage 2020-04-22\r\nosb.local 2nd stage 2020-04-28\r\nMOC.local 2nd stage 2020-04-30\r\nehtuh- 2nd stage 2020-05-01\r\nresprod.com Res Group (Renewable energy company) 2nd stage 2020-05-06\r\nbarrie.ca City of Barrie 2nd stage 2020-05-13\r\nte.nz TE Connectivity (Sensor manufacturer) 2nd stage 2020-05-13\r\nfisherbartoninc.com The Fisher Barton Group (Blade Manufacturer) 2nd stage 2020-05-15\r\nsdch.local South Davis Community Hospital 2nd stage 2020-05-18\r\ninternal.jtl.c 2nd stage 2020-05-19\r\nmnh.rg-law.ac.il College of Law and Business, Israel 2nd stage 2020-05-26\r\nRPM.loca 2nd stage 2020-05-28\r\nCIRCU 2nd stage 2020-05-30\r\nmagnoliaisd.loc Magnolia Independent School District 2nd stage 2020-06-01\r\nfidelitycomm.lo Fidelity Communications (ISP) 2nd stage 2020-06-02\r\nfidelitycomm.local 2nd stage 2020-06-02\r\ncorp.stingraydi Stingray (Media and entertainment) 2nd stage 2020-06-03\r\nkeyano.local Keyano College 2nd stage 2020-06-03\r\nfriendshipstatebank.com 2nd stage 2020-06-06\r\nghsmain1.ggh.g 2nd stage 2020-06-09\r\nieb.go.id 2nd stage 
2020-06-12\r\nnswhealth.net NSW Health 2nd stage 2020-06-12\r\ncity.kingston.on.ca City of Kingston, Ontario, Canada 2nd stage 2020-06-15\r\nservitia.intern 2nd stage 2020-06-16\r\nCONSOLID 2nd stage 2020-06-17\r\ncorp.ptci.com Pioneer Telephone Scholarship Recipients 2nd stage 2020-06-19\r\nironform.com Ironform (metal fabrication) 2nd stage 2020-06-19\r\ndigitalsense.co Digital Sense (Cloud Services) 2nd stage 2020-06-24\r\nggsg-us.cisco Cisco GGSG 2nd stage 2020-06-24\r\nCentralY 2nd stage 2020-06-24\r\nsignaturebank.l Signature Bank 2nd stage 2020-06-25\r\nsignaturebank.local 2nd stage 2020-06-25\r\nAerial.l 2nd stage 2020-06-26\r\nmountsinai.hosp Mount Sinai Hospital 2nd stage 2020-07-02\r\npqcorp.com PQ Corporation 2nd stage 2020-07-02\r\nmountsinai.hospital Mount Sinai Hospital, New York 2nd stage 2020-07-02\r\nbanccentral.com BancCentral Financial Services Corp. 2nd stage 2020-07-03\r\nfhc.local 2nd stage 2020-07-06\r\nisi 2nd stage 2020-07-06\r\ngxw 2nd stage 2020-07-07\r\nkcpl.com Kansas City Power and Light Company 2nd stage 2020-07-07\r\nlufkintexas.net Lufkin (City in Texas) 2nd stage 2020-07-07\r\nsm-group.local SM Group (Distribution) 2nd stage 2020-07-07\r\ncys.local CYS Group (Marketing analytics) 2nd stage 2020-07-10\r\nescap.org 2nd stage 2020-07-10\r\nftsillapachecasi 2nd stage 2020-07-10\r\noslerhc.org William Osler Health System 2nd stage 2020-07-11\r\nwrbaustralia.ad W. R. 
Berkley Insurance Australia 2nd stage 2020-07-11\r\ndufferincounty.on.ca Dufferin County, Ontario, Canada 2nd stage 2020-07-17\r\nfmtn.ad City of Farmington 2nd stage 2020-07-21\r\nhtwanmgmt.local 2nd stage 2020-07-22\r\npcsco.com Professional Computer Systems 2nd stage 2020-07-23\r\nCOTESTDE 2nd stage 2020-07-25\r\ncamcity.local Adult Webcam 2nd stage 2020-07-28\r\nusd373.org Newton Public Schools 2nd stage 2020-08-01\r\nAmeri 2nd stage 2020-08-02\r\nsfsi.stearnsban Stearns Bank 2nd stage 2020-08-02\r\nville.terrebonn Ville de Terrebonne 2nd stage 2020-08-02\r\nAmerisaf 2nd stage 2020-08-02\r\nchc.dom 2nd stage 2020-08-04\r\nFWO.IT 2nd stage 2020-08-05\r\nazlcyy 2nd stage 2020-08-07\r\nitps.uk.net ITPS (IT Services) 2nd stage 2020-08-11\r\nbhq.lan 2nd stage 2020-08-18\r\nprod.hamilton. Hamilton Company 2nd stage 2020-08-19\r\nBCC.loca 2nd stage 2020-08-22\r\naiwo 2nd stage 2020-08-24\r\ncosgroves.local Cosgroves (Building services consulting) 2nd stage 2020-08-25\r\nmoncton.loc City of Moncton 2nd stage 2020-08-25\r\nad001.mtk.lo Mediatek 2nd stage 2020-08-26\r\ncds.capilanou. 
Capilano University 2nd stage 2020-08-27\r\ncsnt.princegeor City of Prince George 2nd stage 2020-09-18\r\nint.ncahs.net 2nd stage 2020-09-23\r\nCIMBM 2nd stage 2020-09-25\r\nnetdecisions.lo Netdecisions (IT services) 2nd stage 2020-10-04\r\n.sutmf Wait 2020-06-25\r\nmixonhill.com Mixon Hill (intelligent transportation systems) Terminate 2020-04-29\r\nyorkton.cofy Community Options for Families \u0026 Youth Terminate 2020-05-08\r\nies.com IES Communications Terminate 2020-06-11\r\nspsd.sk.ca Saskatoon Public Schools Terminate 2020-06-12\r\ncow.local Terminate 2020-06-13\r\nKS.LOCAL Terminate 2020-07-10\r\nbcofsa.com.ar Banco de Formosa Terminate 2020-07-13\r\nansc.gob.pe GOB (Digital Platform of the Peruvian State) Terminate 2020-07-25\r\nbop.com.pk The Bank of Punjab Terminate 2020-07-31\r\nairquality.org Terminate 2020-08-09\r\ndokkenengineerin Terminate 2020-08-19\r\n3if.2l Terminate 2020-08-20\r\nrbe.sk.ca Regina Public Schools Terminate 2020-08-20\r\nni.corp.natins Terminate 2020-10-24\r\nphabahamas.org Public Hospitals Authority, Caribbean Terminate 2020-11-05\r\ninsead.org INSEAD Business School Terminate 2020-11-07\r\ndeniz.denizbank DenizBank Terminate 2020-11-14\r\nbi.corp Terminate 2020-12-14\r\nccscurriculum.c Unknown 2020-04-18\r\nbisco.int Bisco International (Adhesives and tapes) Unknown 2020-04-30\r\natg.local Unknown 2020-05-11\r\ninternal.hws.o Unknown 2020-05-23\r\ngrupobazar.loca Unknown 2020-06-07\r\nxnet.kz X NET (IT provider in Kazakhstan) Unknown 2020-06-09\r\nush.com Unknown 2020-06-15\r\npubliser.it Unknown 2020-07-05\r\nus.deloitte.co Deloitte Unknown 2020-07-08\r\nn2k Unknown 2020-07-12\r\ne-idsolutions. 
IDSolutions (video conferencing) Unknown 2020-07-16\r\nxijtt- Unknown 2020-07-21\r\nETC1.local Unknown 2020-08-01\r\nninewellshospita Unknown 2020-08-21\r\nABLE.local N/A N/A\r\nacmedctr.ad N/A N/A\r\nad.azarthritis.com Arizona Arthritis \u0026 Rheumatology Associates N/A N/A\r\nad.library.ucla.edu N/A N/A\r\nad.optimizely. Optimizely, Software Company N/A N/A\r\nadmin.callidusc N/A N/A\r\naerioncorp.com Aerion Corporation N/A N/A\r\nagloan.ads N/A N/A\r\nah.org N/A N/A\r\nAHCCC N/A N/A\r\nallegronet.co. N/A N/A\r\nalm.brand.dk N/A N/A\r\namalfi.local N/A N/A\r\namericas.phoeni N/A N/A\r\namr.corp.intel N/A N/A\r\napu.mn N/A N/A\r\nARYZT N/A N/A\r\nb9f9hq N/A N/A\r\nBE.AJ N/A N/A\r\nbelkin.com Belkin International N/A N/A\r\nbk.local N/A N/A\r\nbmrn.com N/A N/A\r\nbok.com N/A N/A\r\nBrokenArrow.Local N/A N/A\r\nbtb.az N/A N/A\r\nc4e-internal.c N/A N/A\r\ncalsb.org N/A N/A\r\ncasino.prv N/A N/A\r\ncda.corp N/A N/A\r\ncentral.pima.gov Pima County, Arizona N/A N/A\r\ncfsi.local N/A N/A\r\nch.local N/A N/A\r\nci.dublin.ca.us Dublin, California N/A N/A\r\ncisco.com Cisco N/A N/A\r\ncityofsacramento City of Sacramento N/A N/A\r\nclinicasierravista.org Clinica Sierra Vista N/A N/A\r\ncorp.dvd.com N/A N/A\r\ncorp.sana.com Sana Biotechnology N/A N/A\r\nCOWI.Net N/A N/A\r\ncoxnet.cox.com N/A N/A\r\nCRIHB.NET N/A N/A\r\ncs.haystax.local N/A N/A\r\ncsa.local N/A N/A\r\ncsci-va.com N/A N/A\r\ncsqsxh N/A N/A\r\nDCCAT.DK N/A N/A\r\ndeltads.ent N/A N/A\r\ndetmir-group.ru N/A N/A\r\ndhhs-ad. 
N/A N/A\r\ndigitalreachinc.com N/A N/A\r\ndmv.state.nv.us N/A N/A\r\ndotcomm.org N/A N/A\r\nebe.co.roanoke.va.us N/A N/A\r\necobank.group Ecobank N/A N/A\r\necocorp.local N/A N/A\r\nepl.com N/A N/A\r\nfa.lcl N/A N/A\r\nfortsmithlibrary.org N/A N/A\r\nfremont.lamrc.net N/A N/A\r\nFSAR.LOCAL N/A N/A\r\nftfcu.corp N/A N/A\r\nFVF.locam N/A N/A\r\ngksm.local N/A N/A\r\ngloucesterva.net N/A N/A\r\nglu.com N/A N/A\r\ngnb.local N/A N/A\r\ngncu.local N/A N/A\r\ngsf.cc N/A N/A\r\ngyldendal.local N/A N/A\r\nhelixwater.org Helix Water District N/A N/A\r\nhgvc.com N/A N/A\r\nHQ.RE-wwgi2xnl N/A N/A\r\nia.com N/A N/A\r\ninf.dc.net N/A N/A\r\ningo.kg N/A N/A\r\ninnout.corp N/A N/A\r\nint.lukoil-international.uz Lukoil N/A N/A\r\nintensive.int N/A N/A\r\nits.iastate.ed N/A N/A\r\njarvis.lab N/A N/A\r\nLABELMARKET.ES N/A N/A\r\nlasers.state.la.us N/A N/A\r\nmilledgeville.local Milledgeville, Georgia N/A N/A\r\nmutualofomahabank.com Mutual of Omaha Bank N/A N/A\r\nnacr.com N/A N/A\r\nncpa.loc N/A N/A\r\nneophotonics.co NeoPhotonics Corporation N/A N/A\r\nnet.vestfor.dk N/A N/A\r\nnih.if N/A N/A\r\nnvidia.com Nvidia N/A N/A\r\non-pot N/A N/A\r\norient-express.com Orient Express N/A N/A\r\npaloverde.local N/A N/A\r\nrai.com N/A N/A\r\nrccf.ru N/A N/A\r\nrepsrv.com N/A N/A\r\nripta.com N/A N/A\r\nroymerlin.com N/A N/A\r\nrs.local N/A N/A\r\nrst.atlantis-pak.ru N/A N/A\r\nSamuelMerritt.edu Samuel Merritt University N/A N/A\r\nsbywx3 N/A N/A\r\nsc.pima.gov N/A N/A\r\nscif.com N/A N/A\r\nSCMRI.local N/A N/A\r\nscroot.com N/A N/A\r\nseattle.interna N/A N/A\r\nsecurview.local N/A N/A\r\nSFBALLET N/A N/A\r\nSF-Libra N/A N/A\r\nsiskiyous.edu College of the Siskiyous, California N/A N/A\r\nsjhsagov.org N/A N/A\r\nSmart N/A N/A\r\nsmes.org N/A N/A\r\nsos-ad.state.nv.us N/A 
N/A\r\nsro.vestfor.dk N/A N/A\r\nstaff.technion.ac.il N/A N/A\r\nsuperior.local N/A N/A\r\nswd.local N/A N/A\r\ntaylorfarms.com N/A N/A\r\nthajxq N/A N/A\r\nthoughtspot.int N/A N/A\r\ntr.technion.ac.il N/A N/A\r\ntv2.local N/A N/A\r\nuis.kent.edu N/A N/A\r\nuncity.dk N/A N/A\r\nuont.com N/A N/A\r\nvantagedatacenters.local Vantage Data Centers N/A N/A\r\nviam-invenient N/A N/A\r\nvms.ad.varian.com N/A N/A\r\nvoceracommunications.com Vocera Communications N/A N/A\r\nvsp.com N/A N/A\r\nWASHOE.W N/A N/A\r\nweioffice.com N/A N/A\r\nwfhf1.hewlett. N/A N/A\r\nwoodruff-sawyer N/A N/A\r\nxdxinc.net N/A N/A\r\ny9k.in N/A N/A\r\nzeb.i8 N/A N/A\r\nzippertubing.com Zippertubing N/A N/A\r\n* The organization names are assumptions based on the decoded internal names and may be inaccurate.\r\n[1] https://www.fireeye.com/blog/threat-research/2020/12/evasive-attacker-leverages-solarwinds-supply-chain-compromises-with-sunburst-backdoor.html\r\n[2] https://msrc-blog.microsoft.com/2020/12/13/customer-guidance-on-recent-nation-state-cyber-attacks/\r\n[3] https://www.solarwinds.com/securityadvisory\r\n[4] https://mp.weixin.qq.com/s/v-ekPFtVNZG1W7vWjcuVug\r\n[5] https://github.com/RedDrip7/SunBurst_DGA_Decode\r\n[6] https://github.com/bambenek/research/tree/main/sunburst\r\n[7] https://www.cls-group.com/partnerships/traiana-inc/\r\n[8] http://www.traiana.com\r\n[9] https://github.com/fireeye/sunburst_countermeasures/blob/main/indicator_release/Indicator_Release_NBIs.csv\r\n[10] https://github.com/Truesec/sunburst-decoder\r\n[11] 
https://www.netresec.com/?page=Blog\u0026month=2020-12\u0026post=Reassembling-Victim-Domain-Fragments-from-SUNBURST-DNS\r\n[12] https://gist.githubusercontent.com/IISResetMe/d61a2263c617959eda2682e94f8df8b1/raw/ebc9e675c961c2c3f5b8dbb3c2ee1c83f6181731/de\r\n[13] https://gist.githubusercontent.com/IISResetMe/d61a2263c617959eda2682e94f8df8b1/raw/ebc9e675c961c2c3f5b8dbb3c2ee1c83f6181731/ma\r\ndetectors.txt\r\n[14] https://gist.githubusercontent.com/IISResetMe/d61a2263c617959eda2682e94f8df8b1/raw/ebc9e675c961c2c3f5b8dbb3c2ee1c83f6181731/de\r\ndrivers.txt\r\n[15] https://www.fireeye.com/blog/threat-research/2020/12/sunburst-additional-technical-details.html\r\nFor additional information and discussions on this topic, Truesec has recently published the following video where we\r\ndiscuss nation-state actors in relation to the SolarWinds SUNBURST hack.\r\nTruesec Tech Talk – SolarWinds SUNBURST breach and how nation-state actors operate\r\nI was interviewed by Andy Syrewicze at Altaro on the SolarWinds SUNBURST attack and what IT service providers can\r\nand should do. You can watch the video interview below and you can also read Andy’s post here.\r\nVideo Interview – Solarwinds Hack Fallout\r\nSource: https://blog.truesec.com/2020/12/17/the-solarwinds-orion-sunburst-supply-chain-attack/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://blog.truesec.com/2020/12/17/the-solarwinds-orion-sunburst-supply-chain-attack/"
	],
	"report_names": [
		"the-solarwinds-orion-sunburst-supply-chain-attack"
	],
	"threat_actors": [
		{
			"id": "5b748f86-ac32-4715-be9f-6cf25ae48a4e",
			"created_at": "2024-06-04T02:03:07.956135Z",
			"updated_at": "2026-04-10T02:00:03.689959Z",
			"deleted_at": null,
			"main_name": "IRON HEMLOCK",
			"aliases": [
				"APT29",
				"ATK7",
				"Blue Kitsune",
				"Cozy Bear",
				"The Dukes",
				"UNC2452",
				"YTTRIUM"
			],
			"source_name": "Secureworks:IRON HEMLOCK",
			"tools": [
				"CosmicDuke",
				"CozyCar",
				"CozyDuke",
				"DiefenDuke",
				"FatDuke",
				"HAMMERTOSS",
				"LiteDuke",
				"MiniDuke",
				"OnionDuke",
				"PolyglotDuke",
				"RegDuke",
				"RegDuke Loader",
				"SeaDuke",
				"Sliver"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "a241a1ca-2bc9-450b-a07b-aae747ee2710",
			"created_at": "2024-06-19T02:03:08.150052Z",
			"updated_at": "2026-04-10T02:00:03.737173Z",
			"deleted_at": null,
			"main_name": "IRON RITUAL",
			"aliases": [
				"APT29",
				"Blue Dev 5",
				"BlueBravo",
				"Cloaked Ursa",
				"CozyLarch",
				"Dark Halo",
				"Midnight Blizzard",
				"NOBELIUM",
				"StellarParticle",
				"UNC2452"
			],
			"source_name": "Secureworks:IRON RITUAL",
			"tools": [
				"Brute Ratel C4",
				"Cobalt Strike",
				"EnvyScout",
				"GoldFinder",
				"GoldMax",
				"NativeZone",
				"RAINDROP",
				"SUNBURST",
				"Sibot",
				"TEARDROP",
				"VaporRage"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "46b3c0fc-fa0c-4d63-a38a-b33a524561fb",
			"created_at": "2023-01-06T13:46:38.393409Z",
			"updated_at": "2026-04-10T02:00:02.955738Z",
			"deleted_at": null,
			"main_name": "APT29",
			"aliases": [
				"Cloaked Ursa",
				"TA421",
				"Blue Kitsune",
				"BlueBravo",
				"IRON HEMLOCK",
				"G0016",
				"Nobelium",
				"Group 100",
				"YTTRIUM",
				"Grizzly Steppe",
				"ATK7",
				"ITG11",
				"COZY BEAR",
				"The Dukes",
				"Minidionis",
				"UAC-0029",
				"SeaDuke"
			],
			"source_name": "MISPGALAXY:APT29",
			"tools": [
				"SNOWYAMBER",
				"HALFRIG",
				"QUARTERRIG"
			],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "20d3a08a-3b97-4b2f-90b8-92a89089a57a",
			"created_at": "2022-10-25T15:50:23.548494Z",
			"updated_at": "2026-04-10T02:00:05.292748Z",
			"deleted_at": null,
			"main_name": "APT29",
			"aliases": [
				"APT29",
				"IRON RITUAL",
				"IRON HEMLOCK",
				"NobleBaron",
				"Dark Halo",
				"NOBELIUM",
				"UNC2452",
				"YTTRIUM",
				"The Dukes",
				"Cozy Bear",
				"CozyDuke",
				"SolarStorm",
				"Blue Kitsune",
				"UNC3524",
				"Midnight Blizzard"
			],
			"source_name": "MITRE:APT29",
			"tools": [
				"PinchDuke",
				"ROADTools",
				"WellMail",
				"CozyCar",
				"Mimikatz",
				"Tasklist",
				"OnionDuke",
				"FatDuke",
				"POSHSPY",
				"EnvyScout",
				"SoreFang",
				"GeminiDuke",
				"reGeorg",
				"GoldMax",
				"FoggyWeb",
				"SDelete",
				"PolyglotDuke",
				"AADInternals",
				"MiniDuke",
				"SeaDuke",
				"Sibot",
				"RegDuke",
				"CloudDuke",
				"GoldFinder",
				"AdFind",
				"PsExec",
				"NativeZone",
				"Systeminfo",
				"ipconfig",
				"Impacket",
				"Cobalt Strike",
				"PowerDuke",
				"QUIETEXIT",
				"HAMMERTOSS",
				"BoomBox",
				"CosmicDuke",
				"WellMess",
				"VaporRage",
				"LiteDuke"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "f27790ff-4ee0-40a5-9c84-2b523a9d3270",
			"created_at": "2022-10-25T16:07:23.341684Z",
			"updated_at": "2026-04-10T02:00:04.549917Z",
			"deleted_at": null,
			"main_name": "APT 29",
			"aliases": [
				"APT 29",
				"ATK 7",
				"Blue Dev 5",
				"BlueBravo",
				"Cloaked Ursa",
				"CloudLook",
				"Cozy Bear",
				"Dark Halo",
				"Earth Koshchei",
				"G0016",
				"Grizzly Steppe",
				"Group 100",
				"ITG11",
				"Iron Hemlock",
				"Iron Ritual",
				"Midnight Blizzard",
				"Minidionis",
				"Nobelium",
				"NobleBaron",
				"Operation Ghost",
				"Operation Office monkeys",
				"Operation StellarParticle",
				"SilverFish",
				"Solar Phoenix",
				"SolarStorm",
				"StellarParticle",
				"TEMP.Monkeys",
				"The Dukes",
				"UNC2452",
				"UNC3524",
				"Yttrium"
			],
			"source_name": "ETDA:APT 29",
			"tools": [
				"7-Zip",
				"ATI-Agent",
				"AdFind",
				"Agentemis",
				"AtNow",
				"BEATDROP",
				"BotgenStudios",
				"CEELOADER",
				"Cloud Duke",
				"CloudDuke",
				"CloudLook",
				"Cobalt Strike",
				"CobaltStrike",
				"CosmicDuke",
				"Cozer",
				"CozyBear",
				"CozyCar",
				"CozyDuke",
				"Danfuan",
				"EnvyScout",
				"EuroAPT",
				"FatDuke",
				"FoggyWeb",
				"GeminiDuke",
				"Geppei",
				"GoldFinder",
				"GoldMax",
				"GraphDrop",
				"GraphicalNeutrino",
				"GraphicalProton",
				"HAMMERTOSS",
				"HammerDuke",
				"LOLBAS",
				"LOLBins",
				"LiteDuke",
				"Living off the Land",
				"MagicWeb",
				"Mimikatz",
				"MiniDionis",
				"MiniDuke",
				"NemesisGemina",
				"NetDuke",
				"OnionDuke",
				"POSHSPY",
				"PinchDuke",
				"PolyglotDuke",
				"PowerDuke",
				"QUIETEXIT",
				"ROOTSAW",
				"RegDuke",
				"Rubeus",
				"SNOWYAMBER",
				"SPICYBEAT",
				"SUNSHUTTLE",
				"SeaDaddy",
				"SeaDask",
				"SeaDesk",
				"SeaDuke",
				"Sharp-SMBExec",
				"SharpView",
				"Sibot",
				"Solorigate",
				"SoreFang",
				"TinyBaron",
				"WINELOADER",
				"WellMail",
				"WellMess",
				"cobeacon",
				"elf.wellmess",
				"reGeorg",
				"tDiscoverer"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434668,
	"ts_updated_at": 1775792253,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/c186c76caaa69474c82aea2ae221c203501e4114.pdf",
		"text": "https://archive.orkl.eu/c186c76caaa69474c82aea2ae221c203501e4114.txt",
		"img": "https://archive.orkl.eu/c186c76caaa69474c82aea2ae221c203501e4114.jpg"
	}
}