Sunspot malware discovery and an updated SolarWinds breach timeline
In December 2020, organizations across the globe reeled after the disclosure of the SolarWinds supply chain attack. The investigation into the origins, technical details and damage caused by the attack is still underway.
Contrary to earlier assumptions, recent findings indicate that the first intrusion into SolarWinds occurred in September 2019. The activity carried out that September was designed to lay the groundwork for deploying “Sunspot”, according to The Hacker News.
What is Sunspot?
Sunspot is the name of the malware used to insert the Sunburst backdoor into the software builds of the SolarWinds Orion product. In a published blog post, SolarWinds states that the malware was first deployed between September and November 2019.
The Sunspot malware intrusion: a technical breakdown
Once loaded onto the build server, the Sunspot malware (running as “taskhostsvc.exe”) granted itself debugging privileges (SeDebugPrivilege) and set about subverting the Orion build workflow. It did this by monitoring the running processes on the server for the build tool (MsBuild.exe) compiling the Orion solution and, while that build was in progress, replacing a source code file in the build directory (InventoryManager.cs) with a malicious clone containing the backdoor.
The Sunburst backdoor was thereby compiled into Orion while the product was still being built, rather than being patched into the finished binaries, and the original source file was put back once the build completed so that the tree looked untouched afterwards. The attackers kept Sunspot persistent with a scheduled task that runs when the host boots. The care taken in Sunspot’s configuration shows that the attackers worked to make sure the code was correctly deployed and would remain undetected for as long as possible.
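The defensive lesson from the swap described above is that a source-tree check taken before or after the build sees nothing, because the clone is only in place while the compiler reads it. The following added example (not code from SolarWinds, CrowdStrike or this article) models that timing: a manifest of file hashes is pinned from the trusted checkout, a Sunspot-style process swaps one file during the build and restores it afterwards, and only a check on the bytes the compiler actually consumes catches the substitution. The file name InventoryManager.cs follows the reported target; the file contents, the backdoored clone and the stand-in `compile_tree` function are constructed for the example.

```python
"""Build-input integrity check against a build-time source swap.

Added illustration, not SolarWinds' or CrowdStrike's code. Models an attacker
process that replaces a source file only while the build runs and restores
the original afterwards, so point-in-time checks look clean and only hashing
at compile time detects the swap.
"""
import hashlib
import tempfile
from pathlib import Path

# Constructed sample sources standing in for a real project tree.
SOURCES = {
    "InventoryManager.cs": "class InventoryManager { void Refresh() {} }\n",
    "Core.cs": "class Core { }\n",
}

# Constructed "malicious clone" the attacker swaps in during the build.
BACKDOORED = "class InventoryManager { void Refresh() { Beacon.Start(); } }\n"


def sha256_bytes(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def pin_manifest(root: Path) -> dict:
    """Record the hash of every source file from the trusted checkout."""
    return {p.name: sha256_bytes(p.read_bytes()) for p in sorted(root.glob("*.cs"))}


def check_tree(root: Path, manifest: dict) -> list:
    """Point-in-time check: names of files that no longer match the manifest."""
    return [name for name, digest in manifest.items()
            if sha256_bytes((root / name).read_bytes()) != digest]


def compile_tree(root: Path, manifest: dict) -> list:
    """Stand-in for the build step: hash each file as the compiler reads it.

    Returns the names of files whose consumed bytes differ from the manifest.
    A real build would wire this into the compiler's input stage.
    """
    mismatches = []
    for name, digest in manifest.items():
        consumed = (root / name).read_bytes()  # bytes the compiler actually sees
        if sha256_bytes(consumed) != digest:
            mismatches.append(name)
    return mismatches


def simulate_attack(root: Path, manifest: dict):
    """Run pre-build check, build-with-swap, post-build check; return all three."""
    target = root / "InventoryManager.cs"
    original = target.read_bytes()
    before = check_tree(root, manifest)        # tree is clean before the build
    target.write_text(BACKDOORED)              # attacker swaps in the clone mid-build
    during = compile_tree(root, manifest)      # compiler consumes the clone
    target.write_bytes(original)               # attacker restores the original
    after = check_tree(root, manifest)         # tree looks clean again
    return before, during, after


def run_demo():
    """Build a throwaway tree, pin its manifest and replay the swap."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        for name, text in SOURCES.items():
            (root / name).write_text(text)
        manifest = pin_manifest(root)          # taken from the trusted checkout
        return simulate_attack(root, manifest)


if __name__ == "__main__":
    before, during, after = run_demo()
    print("pre-build check :", before or "clean")
    print("at compile time :", during or "clean")
    print("post-build check:", after or "clean")
```

The point of the three results is that the pre- and post-build checks both come back clean while the compile-time check flags InventoryManager.cs; an integrity control that does not hash what the compiler consumes (or compare the produced binary against an independent, reproducible build) has a blind spot exactly where Sunspot operated.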
Other malware connected to the SolarWinds intruders
The second piece of malware identified in connection with the SolarWinds intrusion is the Sunburst (also called Solorigate) backdoor, the code that Sunspot inserted into the Orion builds.
A third, labeled Teardrop, has also been identified. Teardrop is a memory-only dropper and post-exploitation tool used to launch customized Cobalt Strike beacons.
A fourth, referred to as Supernova, is a web shell that was not embedded in the Orion builds but planted separately on already-compromised Orion servers.
Image courtesy of Bleeping Computer.
Links between Sunburst and Kazuar
Security researchers have identified an apparent connection between the Sunburst code and Kazuar, a backdoor linked to the Turla espionage group. However, despite the similarities between the two, experts caution that the overlap may have been deliberately planted to throw off attribution attempts.
While speculation about the perpetrators of the SolarWinds attack abounds, “…our investigations have not independently verified the identity of the perpetrators,” says SolarWinds CEO Sudhakar Ramakrishna.