SunBurst Trojan -What You Need to Know

December 16, 2020 | Bar Block

On December 8th, the security company FireEye disclosed that it had been breached by an advanced, supposedly nation state-backed, attack group, and as a result- tools developed and used by the company’s red teams were stolen.

It was later disclosed that the attackers were able to infiltrate FireEye’s network by infecting updates of a popular IT infrastructure management software named Orion, with their malware. Orion is a SolarWinds product, used by many organizations, including many Fortune 500 companies and the US Treasury Department, which was affected by the campaign.

The malware is believed to had been distributed in Spring 2020, compromised Orion versions 2019.4 HF 5 to 2020.2.1, and most likely resided in breached networks for months without being detected.

The trojanized updates delivered a backdoor, dubbed “SunBurst” by FireEye and “Solorigate” by Microsoft, that allowed the attackers to steal data, which is assumed to be the attack’s primary goal. To avoid detection, the attackers had limited the malware’s capabilities, tracked security software installed, and put a lot of effort into making SunBurst’s network activity look normal. The breadth, sophistication, and scope of the attack indeed indicate it was perpetrated by an advanced threat actor with ample, state-level resources and motivation.

Although the attackers had likely planned for their actions to be hard to attribute to any specific attack group, many in the cybersecurity and intelligence communities believe that the attack group APT 29, aka “Cozy Bear”, was behind these attacks. The Russian Embassy in the USA denied this accusation.

The story of “SunBurst” trojan is still unfolding, and more chapters will probably be added to it in the upcoming weeks. It’s likely that more organizations, that were compromised by the malware, will realize it and publicly disclose this information, as well as the effect it has on their clients or others. The large interest in the attack and its scale will probably result in the release of more technical details and behavioral evidence, as many in the cybersecurity field investigate the attack and analyze the malware samples.

Putting Out the Fire

As mentioned earlier, the attackers stole tools developed by FireEye’s red team, to test their customers’ security. These tools can be used dually for malicious purposes as well, so knowing that they are in the wrong hands, FireEye released rules and IoCs, that can help security vendors detect and prevent the use of the stolen tools in the networks they are entrusted with.

Moreover, SolarWinds released an update and urged its customers to install it, so it could replace the compromised versions. We call on our customers and partners to update SolarWinds software where applicable.

As one of the leading cybersecurity companies today, Deep Instinct is always on the alert for new attacks of this kind and does everything in its power to ensure our customers are protected from any threat they might face. We are focused on expanding and monitoring all relevant IoCs and making sure Deep Instinct’s cybersecurity product line protects against them.