{
	"id": "bd0ead0b-ada9-45bf-9f4e-f71b1c7cfc5e",
	"created_at": "2026-04-06T00:18:29.662465Z",
	"updated_at": "2026-04-10T03:22:13.694882Z",
	"deleted_at": null,
	"sha1_hash": "f8ddeebf2c4e5937004b12a960c38d10b693508f",
	"title": "What We Have Learned So Far about the “Sunburst”/SolarWinds Hack | FortiGuard labs",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 279248,
	"plain_text": "What We Have Learned So Far about the “Sunburst”/SolarWinds\r\nHack | FortiGuard labs\r\nBy Udi Yavo\r\nPublished: 2020-12-21 · Archived: 2026-04-06 00:04:05 UTC\r\nIntroduction\r\nRecently, it was reported that a nation-state threat actor managed to infiltrate a large number of organizations,\r\nincluding multiple US government agencies. They did this by distributing backdoor software, dubbed SunBurst,\r\nthrough the compromised update system of SolarWinds’ Orion IT monitoring and management software. Based on\r\nSolarWinds’ data, 33,000 organizations use the Orion software, and as many as 18,000 installed the malicious\r\nupdate. As more and more details have become available, it has become clear that this is one of the most evasive\r\nand significant cyberattacks to date.\r\nOver the past week, the FortiGuard Labs research teams have worked tirelessly to uncover more details on the\r\nattack to ensure our customers are protected, details of which can be found in our Threat Signal Blog. In this\r\nblog, we share more detail on what we have learned, the protections currently provided by products in our\r\nportfolio, as well as the proactive steps we have taken leveraging our FortiEDR platform to ensure the security of\r\nour customers.\r\nSunBurst Campaign Overview\r\nTo help readers better understand this campaign, I will describe at a high level the steps taken by the SunBurst\r\nmalware and the threat actor after the initial infiltration.\r\nAfter a successful infiltration of the supply chain, the SunBurst backdoor, embedded in a file named\r\nSolarWinds.Orion.Core.BusinessLayer.dll, was inserted into the software distribution system and installed as part\r\nof an update package from the vendor. Once installed, it lies dormant for 12 to 14 days before taking any\r\naction. 
Once the waiting period is over, the backdoor takes steps to ensure it is running in one of the environments\r\ntargeted by the attacker, as opposed to a lower-value organization, a sandbox, or another malware analysis\r\nenvironment. The attacker appears to have wanted to stay as far below the industry’s radar as possible while\r\ncarrying out its specific mission.\r\nHere is a high-level overview of the steps it takes to do so:\r\n- Machine domain name validation. It checks the domain name of the compromised machine to ensure:\r\n  - It doesn’t contain certain strings.\r\n  - It is not a SolarWinds domain.\r\n  - It doesn’t contain the string ‘test’.\r\n- It validates that no analysis tools, such as Wireshark, are running.\r\nhttps://www.fortinet.com/blog/threat-research/what-we-have-learned-so-far-about-the-sunburst-solarwinds-hack\r\nPage 1 of 5\n\n- It also checks to ensure that unwanted security software is not running.\r\nOnce all of the validations are completed, it calls home to the threat actor and sends information that identifies the\r\nbreached organization. Note: Since most of the organizations breached by this malware were NOT a target of the\r\nthreat actor, this is where the attack appears to have ended for many organizations.\r\nThe C2 domain name is composed from a prefix that is generated from data about the machine, so each victim\r\nproduces a distinct name. An example domain can be seen in Figure 1:\r\nFigure 1: Example of SunBurst-generated domain\r\nAs a next step, the threat actor leverages a memory-only payload called TEARDROP to deliver a CobaltStrike\r\nBEACON, among other payloads. 
CobaltStrike is a commercially available, full-featured penetration testing\r\ntoolkit that advertises itself as \"adversary simulation software.\" However, it is also commonly used by attackers.\r\nTo date, FortiEDR has actively detected and blocked many attacks leveraging CobaltStrike in real time, including\r\nthis one.\r\nProactive SunBurst Campaign Mitigations\r\nAs soon as the IOCs were disclosed, or otherwise uncovered through investigation, the FortiGuard Labs and other\r\nteams analyzed all of the data on “Sunburst” and then devised a proactive strategy to mitigate the attack as well as\r\nto help organizations understand its impact.\r\nAs mentioned, most organizations were not targeted, and therefore the existence of the malicious DLL file does\r\nnot necessarily mean that actual damage was done.\r\nSteps Fortinet is Taking to Ensure the Security of our Customers:\r\n1. All published and subsequent IOCs were immediately added to our Cloud intelligence and signature databases\r\nto ensure detection of the malicious files by Fortinet’s security solutions, including FortiGate,\r\nFortiSIEM, FortiSandbox, FortiEDR, FortiAnalyzer, and FortiClient. As new IOCs are uncovered, they will also\r\nbe immediately added to our databases.\r\n2. In order to reconstruct the attack and gain more insights and indicators, FortiGuard Labs research and\r\nintelligence teams started to hunt for more indicators based on the initially disclosed data. As part of this effort, we\r\nhave discovered and analyzed a new variant of TEARDROP. Figure 2 shows this TEARDROP variant\r\nreading the fake JPEG header, and its main unpacking routine:\r\nFigure 2: TEARDROP under the microscope\r\n3. We also proactively scanned our FortiEDR Cloud data lake for indicators to determine if customers may have\r\nbeen breached. 
Customers that were potentially impacted are being contacted.\r\n4. Our MDR and FortiEDR research teams have also devised tools that can help organizations understand the\r\nscope of a breach in case they have been impacted by this supply-chain attack. These tools are being shared with\r\ncustomers upon request. As mentioned, most organizations were not targeted, and understanding the scope of the\r\nbreach is critical for determining follow-up steps.\r\nTEARDROP and CobaltStrike Detection\r\nIn addition to detection based on specific IOCs, analysis by our research teams has determined that the FortiEDR\r\nplatform is and was capable of protecting devices against CobaltStrike and TEARDROP out of the box and\r\nwithout any prior knowledge of the threat, using its memory code tracing technology. FortiEDR has repeatedly\r\nblocked CobaltStrike in real time during live incidents. An example of such a\r\ndetection can be seen in Figure 3:\r\nFigure 3: Real-World Detection of Cobalt-Strike by FortiEDR\r\nSummary and Recommendations\r\n1. Endpoint protection - Fortinet and SolarWinds Orion 2019.4 through 2020.2.1 HF1 customers\r\na. FortiClient, FortiEDR, and FortiGate all detect and block the execution of these malicious files.\r\nb. By design, any supported version of FortiEDR will detect and protect against the weaponized, post-execution\r\nconsequences of this attack out of the box. No change or upgrade to the platform is required.\r\ni. Make sure to set post-execution policies to blocking mode. This will allow you to block malicious behavior even\r\nif the system is already compromised through a trusted source, such as this supply-chain attack.\r\nii. Apply contextual pre-canned policies that can enable proactive actions in case of malicious or inconclusive\r\nactivities. 
In this case, these actions would have removed the associated DLL file.\r\nc. If you subscribe to the MDR service or were not in protection mode at the time of the attack, please work with\r\nthe MDR team to assist you with proactive threat hunting.\r\n2. Endpoint protection - Non-Fortinet and SolarWinds Orion 2019.4 through 2020.2.1 HF1 customers\r\na. Run forensics to validate the existence of the known malicious files based on published IOCs (SHA-1 hashes):\r\nd130bd75645c2433f88ac03e73395fba172ef676\r\n76640508b1e7759e548771a5359eaed353bf1eec\r\n2f1a5a7411d015d01aaee4535835400191645023\r\n395da6d4f3c890295f7584132ea73d759bd9d094\r\n1acf3108bf1e376c8848fbb25dc87424f2c2a39c\r\ne257236206e99f5a5c62035c9c59c57206728b28\r\n6fdd82b7ca1c1f0ec67c05b36d14c9517065353b\r\nbcb5a4dcbc60d26a5f619518f2cfc1b4bb4e4387\r\n16505d0b929d80ad1680f993c02954cfd3772207\r\nd8938528d68aabe1e31df485eb3f75c8a925b5d9\r\nc8b7f28230ea8fbf441c64fdd3feeba88607069e\r\n2841391dfbffa02341333dd34f5298071730366a\r\n2546b0e82aecfe987c318c7ad1d00f9fa11cd305\r\ne2152737bed988c0939c900037890d1244d9a30e\r\nb. Threat hunt your memory for IOCs looking for TEARDROP or COBALT STRIKE. The relevant YARA\r\nsignatures are listed here.\r\nc. Hunt for suspicious dropped files based on the timeline of initial infections in your organization. One potential\r\nIOC is the existence of the following malicious DLL file:\r\nc:\\Windows\\SysWOW64\\netsetupsvc.dll\r\nd. If any of these IOCs are detected, consider all affected machines, along with all user accounts on these\r\nmachines, as compromised. Revoke all account credentials and isolate the devices for further investigation.\r\nBest Practices\r\nThis event reemphasizes the need for best practices when it comes to maintaining software and systems. 
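Recommendations 2a and 2c above tell non-Fortinet customers to check endpoints for the published SHA-1 hashes and for a dropped netsetupsvc.dll under SysWOW64. The script below is an added example written for this page, not code from the original post or from Fortinet. It hashes every file under the directories you give it (for instance the SolarWinds Orion install directory and the SysWOW64 directory, or the same paths on a mounted disk image) and reports any file whose SHA-1 is in the IOC list or whose path ends in SysWOW64/netsetupsvc.dll. Unreadable files are returned separately instead of being skipped, because a locked DLL is exactly the kind of file a responder needs to look at. The demo() function builds a constructed directory tree with a stand-in file whose hash is added to the IOC set purely to show a match; the hunt() and sha1_of_file() names are this example's own.

```python
import hashlib
import os
import tempfile
from pathlib import Path

# SHA-1 IOCs exactly as published in recommendation 2a of this post.
SUNBURST_SHA1 = frozenset([
    'd130bd75645c2433f88ac03e73395fba172ef676',
    '76640508b1e7759e548771a5359eaed353bf1eec',
    '2f1a5a7411d015d01aaee4535835400191645023',
    '395da6d4f3c890295f7584132ea73d759bd9d094',
    '1acf3108bf1e376c8848fbb25dc87424f2c2a39c',
    'e257236206e99f5a5c62035c9c59c57206728b28',
    '6fdd82b7ca1c1f0ec67c05b36d14c9517065353b',
    'bcb5a4dcbc60d26a5f619518f2cfc1b4bb4e4387',
    '16505d0b929d80ad1680f993c02954cfd3772207',
    'd8938528d68aabe1e31df485eb3f75c8a925b5d9',
    'c8b7f28230ea8fbf441c64fdd3feeba88607069e',
    '2841391dfbffa02341333dd34f5298071730366a',
    '2546b0e82aecfe987c318c7ad1d00f9fa11cd305',
    'e2152737bed988c0939c900037890d1244d9a30e',
])

# Dropped-file IOC from recommendation 2c (netsetupsvc.dll inside the SysWOW64
# directory). Matched on the last two path components, case-insensitively, so
# the same check works on a live volume or on a mounted disk image.
DROPPED_DLL_PARTS = ('syswow64', 'netsetupsvc.dll')


def sha1_of_file(path, chunk_size=1 << 20):
    '''Stream the file through SHA-1 so large binaries need not fit in memory.'''
    h = hashlib.sha1()
    with open(path, 'rb') as f:
        for chunk in iter(lambda: f.read(chunk_size), b''):
            h.update(chunk)
    return h.hexdigest()


def hunt(roots, hashes=SUNBURST_SHA1, dropped_parts=DROPPED_DLL_PARTS):
    '''Walk each root and return (hits, errors).

    hits is a list of (reason, path, sha1) tuples where reason is either
    hash-match or dropped-dll-path; errors lists files that could not be read
    (locked, permission denied) and must be reviewed rather than ignored.
    '''
    hits, errors = [], []
    for root in roots:
        for dirpath, _dirnames, filenames in os.walk(root):
            for name in filenames:
                p = Path(dirpath) / name
                try:
                    digest = sha1_of_file(p)
                except OSError as exc:
                    errors.append((str(p), str(exc)))
                    continue
                if digest in hashes:
                    hits.append(('hash-match', str(p), digest))
                tail = tuple(part.lower() for part in p.parts[-2:])
                if tail == dropped_parts:
                    hits.append(('dropped-dll-path', str(p), digest))
    return hits, errors


def demo():
    '''Constructed demonstration tree (no real malware involved): a benign file,
    a stand-in file whose SHA-1 is added to the IOC set to represent the
    trojanized Orion DLL, and an empty file at the dropped-DLL path.'''
    base = Path(tempfile.mkdtemp(prefix='sunburst-hunt-'))
    (base / 'Orion').mkdir()
    (base / 'SysWOW64').mkdir()
    (base / 'Orion' / 'benign.dll').write_bytes(b'MZ benign')
    stand_in = base / 'Orion' / 'SolarWinds.Orion.Core.BusinessLayer.dll'
    stand_in.write_bytes(b'MZ constructed stand-in for the trojanized DLL')
    (base / 'SysWOW64' / 'netsetupsvc.dll').touch()
    # Constructed IOC set: the published hashes plus the stand-in file hash.
    iocs = SUNBURST_SHA1 | {sha1_of_file(stand_in)}
    return hunt([base], hashes=iocs)


if __name__ == '__main__':
    found, unreadable = demo()
    for reason, path, digest in found:
        print(reason, path, digest)
    for path, err in unreadable:
        print('unreadable', path, err)
```

On a real host, call hunt() with the Orion installation directory and the SysWOW64 directory as roots, run it from an elevated shell so locked system files can be read, and treat any hash-match or dropped-dll-path hit the way recommendation 2d describes: isolate the machine and revoke the credentials of every account that used it.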
Here are\r\nthree essential security best practices every organization should adopt:\r\n- All new updates and patches should be run through a sandbox or similar analysis tool before being\r\ndeployed to identify malware and supply-chain attacks. In this case, FortiSandbox would have identified\r\nthe offending DLL file as malicious and removed it before it could impact the network. Keep in mind that, as described\r\nabove, SunBurst lies dormant for 12 to 14 days and checks for analysis tools before acting, so detonation results for a\r\ndelayed or environment-aware sample should be combined with behavioral monitoring on the endpoint rather than\r\ntreated as the only gate.\r\n- Advanced Endpoint Detection and Response technology is now an essential component of any security\r\nstrategy. Deploying FortiEDR on endpoints and servers would have prevented malware such as\r\nCobaltStrike and TEARDROP from executing.\r\n- Network segmentation is another critical security strategy required to protect today’s advanced networks.\r\nDeploying a segmentation firewall as part of a Zero-Trust Network strategy, such as the FortiGate\r\nplatform, would limit how far malware can spread across the network.\r\nAdditional Help\r\nEnterprises seeking assistance in understanding their organization’s exposure to this cyber campaign and/or who\r\nare leveraging the FortiEDR solution for prevention or detection of similar attacks can contact us (at no charge for\r\na limited time) through the FortiGuard Incident Response services webpage.\r\nLearn more about FortiGuard Labs threat research and the FortiGuard Security Subscriptions and\r\nServices portfolio.\r\nLearn more about Fortinet’s free cybersecurity training initiative or about the Fortinet NSE Training\r\nprogram, Security Academy program, and Veterans program.\r\nSource: https://www.fortinet.com/blog/threat-research/what-we-have-learned-so-far-about-the-sunburst-solarwinds-hack",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://www.fortinet.com/blog/threat-research/what-we-have-learned-so-far-about-the-sunburst-solarwinds-hack"
	],
	"report_names": [
		"what-we-have-learned-so-far-about-the-sunburst-solarwinds-hack"
	],
	"threat_actors": [],
	"ts_created_at": 1775434709,
	"ts_updated_at": 1775791333,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/f8ddeebf2c4e5937004b12a960c38d10b693508f.pdf",
		"text": "https://archive.orkl.eu/f8ddeebf2c4e5937004b12a960c38d10b693508f.txt",
		"img": "https://archive.orkl.eu/f8ddeebf2c4e5937004b12a960c38d10b693508f.jpg"
	}
}