CrowdStrike has discovered another piece of malware involved in the attack on SolarWinds, called Sunspot. It allowed Sunburst code to be inserted into the source code of Orion, the SolarWinds software compromised by hackers.
One by one, the remaining mysteries of the SolarWinds corporate hack are being solved. CrowdStrike, one of the companies commissioned to investigate the incident, published on January 11 a report on a previously unknown piece of malware involved in the cyberattack. This malicious software, called “Sunspot”, would be the first link in the attack chain, upstream of the now famous “Sunburst”.
It would have been introduced on a company server in September 2019. More specifically, Sunspot infected the SolarWinds build system, that is to say the system responsible for assembling the group’s software. Its objective: to spy on the build process of Orion, the company’s network management software.
As ZDNet recounts, after an observation phase, Sunspot then inserted the code needed to implant the Sunburst Trojan into the Orion source code. Result: between March and June 2020, any SolarWinds customer who installed the software update also installed Sunburst through the same channel. Sunburst in turn opened a backdoor on the victims’ servers (more than 18,000 organizations) through which the hackers could enter.
They then only had to manually drop a third, even more powerful piece of malware, called “Teardrop”, on the systems of the organizations they were targeting. They thus proceeded to spy on 250 organizations, including a good number of branches and agencies of the American government: army, intelligence, energy… all critical areas, compromised by hackers who are “probably Russian” according to the American authorities.
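The mechanism described above, malware on the build server rewriting source files between the moment the build starts and the moment the compiler reads them, is exactly the window a build-integrity check is meant to close. The following is an added example written for this article, not code from SolarWinds, CrowdStrike or any of the cited outlets: it snapshots the hashes of a source tree before the build, re-verifies each file immediately before its compile step, and reports any file that was modified, added or removed in between. The directory layout, file names (`module_a.cs` and so on) and the "injected line" are constructed for the demonstration.

```python
"""Added example: a build-time source integrity check (not SolarWinds or
CrowdStrike code). It snapshots a source tree before the build starts and
re-verifies every file immediately before it is compiled, so that a process
which rewrites source between those two moments is reported instead of
silently shipped. All paths and file contents below are constructed."""
import hashlib
import tempfile
from pathlib import Path


def hash_file(path: Path) -> str:
    """SHA-256 of a file's bytes, read in chunks so large files are fine."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def snapshot(root: Path, suffixes=(".cs", ".c", ".h", ".py")) -> dict:
    """Map each source file (relative POSIX path) under root to its hash."""
    return {
        p.relative_to(root).as_posix(): hash_file(p)
        for p in sorted(root.rglob("*"))
        if p.is_file() and p.suffix in suffixes
    }


def verify(root: Path, baseline: dict) -> dict:
    """Compare the tree as it is now against the baseline taken earlier."""
    current = snapshot(root)
    return {
        "modified": sorted(k for k in baseline
                           if k in current and current[k] != baseline[k]),
        "added": sorted(k for k in current if k not in baseline),
        "removed": sorted(k for k in baseline if k not in current),
    }


def compile_step(root: Path, baseline: dict, rel_path: str) -> str:
    """Stand-in for invoking the compiler on one file: refuse if the file
    no longer matches the pre-build hash, otherwise return the hash."""
    actual = hash_file(root / rel_path)
    if actual != baseline[rel_path]:
        raise RuntimeError(f"{rel_path} changed after the build started")
    return actual


def demo() -> dict:
    """Build a throwaway tree, take the baseline, simulate an out-of-band
    edit of one file (constructed; it stands in for the kind of source
    injection the article describes), then report what the check catches."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "src").mkdir()
        (root / "src" / "module_a.cs").write_text("class A {}\n")
        (root / "src" / "module_b.cs").write_text("class B {}\n")
        baseline = snapshot(root)

        # Out-of-band modification between the snapshot and the compile.
        with (root / "src" / "module_a.cs").open("a") as f:
            f.write("// injected line (constructed for the demo)\n")
        (root / "src" / "module_c.cs").write_text("class C {}\n")

        report = verify(root, baseline)
        try:
            compile_step(root, baseline, "src/module_a.cs")
            report["compile_blocked"] = False
        except RuntimeError:
            report["compile_blocked"] = True
        report["clean_file_ok"] = (
            compile_step(root, baseline, "src/module_b.cs")
            == baseline["src/module_b.cs"]
        )
        return report


if __name__ == "__main__":
    print(demo())
```

In a real pipeline the baseline would be taken from the checked-out commit (or compared against the hashes the source control system already holds) and stored somewhere the build host cannot write to, since a process running with the build account's privileges could otherwise rewrite both the source and the baseline.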
One question remains: how did hackers deploy Sunspot?
The attack against SolarWinds therefore lasted from September 2019 to June 2020, and was not discovered until December 2020. It is a damning record for the victim company, which has now entrusted the improvement of its security to big names in the sector.
For their part, the investigators are almost at the end of the attack chain. All that remains is to find out how the hackers managed to deploy Sunspot on the SolarWinds build system. Hypotheses abound, but this element remains a mystery for the moment. Then they will have to determine precisely who organized the attack: the Russians, but who exactly? Some media, including the Washington Post, point to APT29, nicknamed Cozy Bear, an elite hacking group linked to one of the Russian intelligence agencies. Until that is established, the attackers go by different names: DarkHalo, StellarParticle or UNC2452. In short, the SolarWinds affair is far from over.
*This article has been translated from the content of Numerama by cyberguerre.numerama.com.