Hillary Clinton’s favorite cybersecurity team, CrowdStrike, just announced new intelligence. They captured the malware the hackers behind the massive SolarWinds exploit used to inject the back-door entry points. What was supposed to be a secure automatic update for Orion platform builds had catastrophic consequences for government agencies and important industrial leaders.
Hackers prioritized security
After they captured the Trojan that did the penetrating, CrowdStrike decided to call it “Sunspot.” When it ran, the malware “would monitor and automatically inject a Sunburst back-door by replacing the company’s legitimate source code with malicious code.” How convenient. Whoever the hackers were, they didn’t want to get caught.
“The design of SUNSPOT suggests StellarParticle developers invested a lot of effort to ensure the code was properly inserted and remained undetected, and prioritized operational security to avoid revealing their presence in the build environment to SolarWinds developers.”
This isn’t some group of 12-year-old amateur hackers. “This highly sophisticated and novel code was designed to inject the SUNBURST malicious code into the SolarWinds Orion platform without arousing the suspicion of our software development and build teams,” the CEO of SolarWinds insists.
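The point of Sunspot, as quoted above, was that a source file changed between the moment a developer checked it in and the moment the compiler read it, and nobody noticed. The check below is an added illustration of the defensive side of that, written for this article; it is not CrowdStrike’s, SolarWinds’ or the attackers’ code. It snapshots SHA-256 digests of a source tree before a build, snapshots again afterwards, and reports any source file that was modified, removed, or newly appeared outside the expected output directories. The project layout (`src/`, `bin/`, `obj/`) and file names are constructed for the demo, and the “build” is simulated by touching files directly.

```python
import hashlib
import tempfile
from pathlib import Path


def hash_tree(root):
    """Map each file under root (relative POSIX path) to its SHA-256 hex digest."""
    root = Path(root)
    digests = {}
    for p in sorted(root.rglob("*")):
        if p.is_file():
            rel = p.relative_to(root).as_posix()
            digests[rel] = hashlib.sha256(p.read_bytes()).hexdigest()
    return digests


def audit(before, after, output_prefixes=("bin/", "obj/")):
    """Compare two snapshots taken around a build.

    A build is expected to *add* files under the output directories only.
    Anything else (a source file whose digest changed, a source file that
    vanished, or a new file outside bin/ and obj/) is reported as a finding.
    Returns a sorted list of (kind, path) tuples.
    """
    findings = []
    for path, digest in before.items():
        if path not in after:
            findings.append(("removed", path))
        elif after[path] != digest:
            findings.append(("modified", path))
    for path in after:
        if path not in before and not path.startswith(output_prefixes):
            findings.append(("unexpected-new", path))
    return sorted(findings)


def demo():
    """Constructed scenario: a two-file C# project goes through a 'build' in
    which one source file is silently rewritten and one file is added, the
    kind of change the audit is meant to surface."""
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        (root / "src").mkdir()
        (root / "src" / "Core.cs").write_text("class Core { }\n")
        (root / "src" / "Util.cs").write_text("class Util { }\n")

        before = hash_tree(root)  # taken right before the compiler starts

        # Simulated build: the legitimate output lands in bin/ as expected,
        # but a source file also changes and an extra source file appears.
        (root / "bin").mkdir()
        (root / "bin" / "Core.dll").write_bytes(b"MZ")
        (root / "src" / "Core.cs").write_text("class Core { /* changed */ }\n")
        (root / "src" / "Injected.cs").write_text("class Injected { }\n")

        after = hash_tree(root)  # taken right after the compiler finishes
        return audit(before, after)


if __name__ == "__main__":
    for kind, path in demo():
        print(f"{kind}: {path}")
```

The check only has value if the snapshots are computed by something the build host cannot tamper with (a separate runner, or a comparison against the digests recorded in source control), and it catches substitution of files on disk, not a compromised compiler; reproducible builds compared across independent machines close that remaining gap.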
It had to be one of the world governments. Since nobody knows which, it has to be Russia.
Since researchers started trying to untangle the SolarWinds attack, they have uncovered four separate strains of malware so far. Sunspot is the third.
The as-yet-unidentified hackers have been named StellarParticle by CrowdStrike, UNC2452 by FireEye, and Dark Halo by Volexity. FireEye was the first to admit they were compromised by the software. They were not happy to learn that their private set of digital burglary tools had been stolen.
Custom-made payloads
The second strain of malware detected was the Sunburst or Solorigate Trojan “deployed by the SolarWinds hackers on the systems of organizations who installed trojanized Orion builds via the platform’s built-in automatic update mechanism.”
FireEye played with a few samples of Sunburst that they caught and found out they delivered different custom-made payloads. That’s how they found the one they named “Teardrop.” That’s a brand-new “post-exploitation tool used to deploy customized Cobalt Strike beacons.”
Since the discovery of Sunspot, another malware program, one that does not appear to come from the same group of hackers but is also delivered using trojanized Orion builds, was discovered independently by Microsoft and Palo Alto Networks Unit 42.
That one has been named “SuperNova.” It’s a nifty DLL file which “allowed attackers to remotely send, compile, and execute C# code on compromised machines.”
FireEye discovered they were hit by hackers on December 8, but the public didn’t learn about it until the 13th. In hindsight, the attack started before September 2019, which is “the date when the earliest suspicious activity was found on SolarWinds internal network.”
All it took was to inject the back-door into the harmless-looking DLL, and the rest is history. Someone has been reading some interesting emails for quite a while, and that’s only the tip of it all.