Solarwinds Details
Solarwinds
Austin, TX • 2305 employees • Information Technology
Industry
Information Technology
Security Incidents
1
Security Incidents
Solarwinds Breach of Oct 2020
Show more
Show more
December 13, 2020
Mandiant
Written by: FireEye
UPDATE (May 2022): We have merged UNC2452 with APT29. The UNC2452 activity described in this post is now attributed to APT29.
Executive Summary
We have discovered a global intrusion campaign. We are tracking the actors behind this campaign as UNC2452.
FireEye discovered a supply chain attack trojanizing SolarWinds Orion business software updates in order to distribute malware we call SUNBURST.
The attacker’s post compromise acti...
Show more
Severity Score
Very High
Type
Zero-Day ExploitSummary
FireEye uncovered a global intrusion campaign, UNC2452, which exploited trojanized updates to SolarWinds' Orion software, deploying a backdoor named SUNBURST. The campaign started as early as Spring 2020, affecting public and private organizations worldwide, spanning government, tech, consultancy, telecom, and extractive industries. SUNBURST is embedded in the SolarWinds.Orion.Core.BusinessLayer.dll, a digitally signed component, that communicated with C2 servers after an initial dormant period. The malware executed "Jobs" such as file transfer, system profiling, and system service manipulatio...Show more
Severity
The SolarWinds supply chain attack, leveraging a trojanized update of the Orion software, resulted in a sophisticated and widespread compromise affecting numerous public and private organizations globally. The attackers, attributed to APT29, demonstrated significant operational security, utilizing a variety of evasion techniques and deploying multiple malware strains such as SUNBURST and TEARDROP. Given the extensive reach of the attack, the advanced methods employed, and the potential for undetected ongoing activities, this incident's severity is rated as a "Very High" with a score of 10, ref...Show more
Impact
Highly Evasive Attacker Leverages SolarWinds Supply Chain to Compromise Multiple Global Victims With SUNBURST BackdoorDecember 13, 2020
Mandiant
Written by: FireEye
UPDATE (May 2022): We have merged UNC2452 with APT29. The UNC2452 activity described in this post is now attributed to APT29.
Executive Summary
We have discovered a global intrusion campaign. We are tracking the actors behind this campaign as UNC2452.
FireEye discovered a supply chain attack trojanizing SolarWinds Orion business software updates in order to distribute malware we call SUNBURST.
The attacker’s post compromise acti...
Show more
KEEP YOUR ENVIRONMENT SECURE
Weak credentials are the leading cause of breaches. Beyond Identity can help.
See MFA exploits in action
Watch how adversaries exploit companies in quick videos