{
	"id": "b47188a2-a0e9-4139-a084-756c80558a83",
	"created_at": "2026-04-06T00:16:49.888947Z",
	"updated_at": "2026-04-10T03:37:58.953721Z",
	"deleted_at": null,
	"sha1_hash": "f443d848fa3fca2644dec4cc7173ba7346a56c04",
	"title": "Behind the Scenes of the SUNBURST Attack",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 3101989,
	"plain_text": "Behind the Scenes of the SUNBURST Attack\r\nBy Lior Sonntag, Dror Alon\r\nPublished: 2021-02-19 · Archived: 2026-04-05 20:44:06 UTC\r\nLior Sonntag\r\nLior is a Security Researcher at Check Point Software Technologies. He is a security enthusiast who loves to break stuff and put it back together. He's passionate about various InfoSec topics such as Cloud Security, Offensive Security, Vulnerability Research and Reverse Engineering.\r\nDror Alon\r\nDror is Security Research Team Leader at Check Point Software Technologies. He's a proactive researcher in the cyber domain, investigating cyber events and identifying and resolving the security issues faced by organizations worldwide.\r\nThe biggest cyberattack in recent times came in the form of what appears to be a nation-state-sponsored supply chain attack: in December, the SUNBURST malware was installed on SolarWinds’ Orion product. This made headlines worldwide for good reason — post-compromise activity included data theft through lateral movement, which is when the attacker moves through a network searching for targeted key data and assets. This attack was the work of a highly skilled actor, and the operation was conducted with significant operational security.\r\nThe attack consisted of lateral movement by the threat actor from the on-premises network to the cloud, carried out in two phases:\r\n1. Phase One: The On-Prem Golden SAML Attack. Here the threat actors gained administrative access to the organization’s Active Directory Federation Services (ADFS) server. This allowed them to forge Security Assertion Markup Language (SAML) tokens and create illegitimate registrations of SAML Trust Relationships. By impersonating a user with valid administrative credentials, the threat actors could change the configuration of the SAML Service Provider (in this case, Azure AD). From there, they gained administrative access to Azure AD.\r\nhttps://thenewstack.io/behind-the-scenes-of-the-sunburst-attack/\r\nPage 1 of 10\r\n2. Phase Two: Malicious activity in the Cloud. The threat actors then used the Azure Active Directory administrative credentials for malicious activities. This included (but was not limited to): enumeration of existing applications and service principals, injection of credentials into them, impersonation of them and execution of actions on their behalf, and the exfiltration of sensitive data such as users and mails.\r\nIn this analysis, we will focus on the second attack phase, in the cloud, and present the key tactics and techniques used by the nation-state actors in the malicious campaign. Using the MITRE ATT\u0026CK framework, we will provide the most likely technical attack flow of the nation-state actor’s actions.\r\nReviewing Microsoft’s article, the chain of events that occurred through this attack was:\r\n1. Initial Access (On-Prem): Forged SAML tokens and illegitimate registrations of SAML Trust Relationships; impersonating a user with administrative credentials (in this case, Azure AD).\r\n2. Discovery: The threat actor enumerates existing applications/service principals (preferably ones with high traffic patterns).\r\n3. Credential Access: The threat actor adds credentials to an existing application or service principal.\r\n4. Privilege Escalation: The threat actor elevates the privileges of the application/service principal to allow access to MS Graph API Application permissions.\r\n5. Defense Evasion and Lateral Movement: The threat actor acquires OAuth access tokens of applications, allowing them to impersonate the applications and obfuscate their activity.\r\n6. Exfiltration: The threat actor calls MS Graph APIs to exfiltrate sensitive data such as users’ data and emails.\r\nHere we will focus on the attack flow in the cloud environment after the initial authentication (i.e. steps 2-6). But first, let’s elaborate on the Azure AD authentication and authorization mechanisms.\r\nIn short, authentication is proving you are who you say you are. This is done by the Identity Provider (in this case Azure AD). Authorization is the act of granting an authenticated party permission to do something. This is done by the resource the identity is trying to query, utilizing the OAuth 2.0 protocol.\r\nDiscovery\r\nFirst, the threat actor gains an initial foothold in the cloud environment by compromising privileged cloud users with administrative access to Azure AD. They then add credentials to an existing application or service principal. However, in order to do that, the threat actor first needs to list all the existing applications.\r\nThe threat actor prefers applications with high traffic patterns (e.g. mail archival applications), which can be used to obfuscate their activity. So, they choose the “MailApp” (an imaginary application name) and extract its ObjectId and ApplicationId.\r\nIn addition, the threat actor extracts the account’s tenantId.\r\nCredential Access\r\nNext, the threat actor creates new credentials and adds them to the application.\r\nAlternatively, the threat actor can create new credentials and add them to an existing service principal associated with the MailApp application.\r\nAfter this phase, the threat actor has the credentials of the application — which can be used to authenticate to Azure AD on behalf of the application.\r\nApplication/Service-Principal Privilege Escalation\r\nIn this step, the threat actor lists all the available permissions related to Microsoft Graph APIs.\r\nThe threat actor decides to add the User.ReadWrite.All permission to the MailApp application.\r\nAfterward, the threat actor lists all the available permissions related to mail and associated with the Microsoft Graph API.\r\nThey decide to also add the Mail.ReadWrite permission to the MailApp application.\r\nThe error in red indicates that an admin consent request must be launched to approve this permission.\r\nThe admin consent workflow gives admins a secure way to grant access to applications that require admin approval. When a user tries to access an application but is unable to provide consent, they can send a request for admin approval. The request is sent to admins who have been designated as reviewers.\r\nBecause the actor already has administrative permissions, they can launch an admin consent on their own.\r\nThe admin consent was successful and the Microsoft Graph API permissions were added to the MailApp application!\r\nDefense Evasion and Lateral Movement\r\nThen, the actor acquired an OAuth access token for the application by initiating an HTTP GET request which included the tenantId, objectId, appId and the secret (credentials) obtained before.\r\nThis access token enabled the actor to move laterally, impersonate the MailApp application, and execute actions on its behalf.\r\nExfiltration\r\nFinally, the threat actor calls APIs with the permissions assigned to the MailApp application.\r\nThe threat actor initiated an HTTP GET request, which included the access token, to exfiltrate all users in the tenant and all emails related to a specific user.\r\nFigure: Users exfiltration\r\nFigure: Emails exfiltration\r\nFigure: Emails’ subjects exfiltration\r\nIn conclusion, the SUNBURST attack was by far one of the most sophisticated attacks of our time — extending beyond on-prem and into the cloud. The threat actor executed advanced techniques to cover their tracks, using discovery, credential access, privilege escalation, lateral movement, defense evasion, and exfiltration all in one attack flow.\r\nSince the attack, the number of victims compromised by SUNBURST continues to rise, and such an attack could happen again on any of the cloud providers. Many security vendors are offering free trials to help organizations get a handle on the security of their environment. While this is a step in the right direction, the question is, will you know what to look for and will you be prepared?\r\nFeature image via Pixabay.\r\nSource: https://thenewstack.io/behind-the-scenes-of-the-sunburst-attack/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://thenewstack.io/behind-the-scenes-of-the-sunburst-attack/"
	],
	"report_names": [
		"behind-the-scenes-of-the-sunburst-attack"
	],
	"threat_actors": [
		{
			"id": "63883709-27b5-4b65-9aac-c782780fbb28",
			"created_at": "2026-04-10T02:00:03.996704Z",
			"updated_at": "2026-04-10T02:00:03.996704Z",
			"deleted_at": null,
			"main_name": "TeamPCP",
			"aliases": [],
			"source_name": "MISPGALAXY:TeamPCP",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		}
	],
	"ts_created_at": 1775434609,
	"ts_updated_at": 1775792278,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/f443d848fa3fca2644dec4cc7173ba7346a56c04.pdf",
		"text": "https://archive.orkl.eu/f443d848fa3fca2644dec4cc7173ba7346a56c04.txt",
		"img": "https://archive.orkl.eu/f443d848fa3fca2644dec4cc7173ba7346a56c04.jpg"
	}
}