{
	"id": "6bc46845-2e5e-4462-b553-897b9ea2aa77",
	"created_at": "2026-04-06T00:18:04.921541Z",
	"updated_at": "2026-04-10T03:21:36.303819Z",
	"deleted_at": null,
	"sha1_hash": "e198003020f9394c52b200ea47118accfde0dc9f",
	"title": "SunBurst industrial victims | Kaspersky ICS CERT EN",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 72282,
	"plain_text": "SunBurst industrial victims | Kaspersky ICS CERT EN\r\nBy Kaspersky ICS CERT Team\r\nPublished: 2021-01-26 · Archived: 2026-04-05 22:52:39 UTC\r\nOn December 13th, 2020, FireEye, Microsoft, and SolarWinds announced the discovery of a large, sophisticated\r\nsupply chain attack leveraging Orion IT, an infrastructure monitoring and management platform by SolarWinds.\r\nMany publications have followed up on this major incident and the research is still ongoing. While technical\r\ndetails of the SunBurst backdoor embedded into SolarWinds have already been described and second-stage tools\r\nare being discovered, the scale of the attack and the interest of the actor behind the attack are still being\r\ninvestigated. It has been officially confirmed that about 18,000 users may have installed backdoored versions of\r\nSolarWinds. Still, there is limited information on the number of organizations where the attack has evolved and\r\nsecond-stage tools may have been deployed, though there are some speculations on the actor’s interest based on an\r\nanalysis of the historical C2 DNS response (see here and here).\r\nWe were specifically interested in analyzing how many industrial organizations used backdoored SolarWinds\r\nversions and fell victim to the attack. The results of the analysis are below.\r\nFirst of all, we analyzed all available decoded internal domain names obtained from DNS names generated by the\r\nSunBurst Domain Name Generation Algorithm using some publicly available lists and third-party lists. The final\r\nlist of readable and attributable domains consisted of nearly 2000 domain names, and information on the industries\r\nin which possibly compromised industrial organizations operate is provided below:\r\nThe overall percentage of industrial organizations among all organizations on the list is estimated at 32.4%.\r\nhttps://ics-cert.kaspersky.com/reports/2021/01/26/sunburst-industrial-victims/\r\nPage 1 of 3\n\nWe also analyzed user information from our telemetry where the backdoored SolarWinds applications were\r\ninstalled and distinguished over 20 organizations in the industrial sector:\r\nmanufacturing 8\r\ntransportation & logistics 6\r\nutilities 4\r\nconstruction 4\r\nmining 3\r\nenergy 2\r\nThe geographical distribution of the industrial organizations is broad and includes the following countries and\r\nterritories: Benin, Canada, Chile, Djibouti, Indonesia, Iran, Malaysia, Mexico, the Netherlands, the Philippines,\r\nPortugal, Russia, Saudi Arabia, Taiwan, Uganda, and the USA. At the same time, the geography of all victims\r\ncovers almost the entire world, from North America to APAC.\r\nThe SolarWinds software is highly integrated into many systems around the globe in different industries. We\r\ncurrently have no evidence that any of the industrial organizations in our telemetry had an escalation from the\r\nattackers. Truesec provided a list of possible second-stage victims, which included several industrial organizations\r\nheadquartered in different countries, based on responses received from a server used by the threat actor. Thus, we\r\nshouldn’t rule out the possibility of wider activity in some of the industrial networks if it is in line with the actor’s\r\ninterests.\r\nHere are our recommendations for possible victims of the SolarWinds compromise:\r\n1. Check whether backdoored SolarWinds versions are installed. Known affected versions include software\r\nbuilds 2019.4 HF 5, 2020.2 with no hotfix installed, and 2020.2 HF1.\r\n2. Check for known indicators of compromise (IOCs). CISA has published Alert AA20-35A with an extensive\r\nlist.\r\n3. If you have detected a compromised SolarWinds installation or related IOCs, initiate a security incident\r\ninvestigation and launch an incident response procedure, considering all possible attack vectors:\r\na. Isolate assets that are known to be compromised, while keeping the system operable\r\nb. Prevent IOCs that could be useful for the investigation from being deleted\r\nc. Check all network logs for suspicious network activity\r\nd. Check system logs and journals for illegitimate user account authentication\r\ne. Locate suspicious process activity, investigate memory dumps and associated files\r\nf. Check historical command-line data associated with suspicious activity\r\n4. If you consider yourself a victim of the SolarWinds compromise, you can reach us at ics-cert@kaspersky.com for further assistance or consultancy.\r\nUpdate 28.01.2021\r\nNetresec has pointed out that the Truesec list of possible second-stage victims is incorrect due to its\r\nmethodology and provided its own list based on updated information on the C2 logic of picking second-stage victims.\r\nThe Netresec list also contains several industrial-related victims.\r\nSource: https://ics-cert.kaspersky.com/reports/2021/01/26/sunburst-industrial-victims/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://ics-cert.kaspersky.com/reports/2021/01/26/sunburst-industrial-victims/"
	],
	"report_names": [
		"sunburst-industrial-victims"
	],
	"threat_actors": [],
	"ts_created_at": 1775434684,
	"ts_updated_at": 1775791296,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/e198003020f9394c52b200ea47118accfde0dc9f.pdf",
		"text": "https://archive.orkl.eu/e198003020f9394c52b200ea47118accfde0dc9f.txt",
		"img": "https://archive.orkl.eu/e198003020f9394c52b200ea47118accfde0dc9f.jpg"
	}
}