Stratos Ally

Case Study: Navigating the SolarWinds SUNBURST Supply Chain Attack  


StratosAlly


Scenario:  

Imagine you are the Chief Information Security Officer (CISO) for “Global Tech Inc.,” a large multinational corporation that heavily relies on the SolarWinds Orion platform for managing and monitoring its diverse IT infrastructure. It’s December 2020, and news breaks about a widespread, highly sophisticated cyberattack targeting SolarWinds customers. FireEye has just disclosed details on a campaign involving a backdoored component of the Orion platform, which they’ve named SUNBURST (Microsoft refers to it as Solorigate).  

Your CEO is demanding immediate answers: Are we affected? What is the impact? What do we do now?  

Your Initial Assessment & Understanding the Threat:  

The first crucial step is to understand the nature of the attack. You learn that this is not a typical breach but a supply chain attack. This means the attackers didn’t directly compromise Global Tech Inc.’s systems; instead, they targeted a trusted software vendor – SolarWinds – and inserted malicious code into their legitimate software updates.  

Interactive Question: What makes a supply chain attack particularly insidious and difficult to defend against, compared to a direct attack on your network?  

Details of the Attack:  

  • Target: The attack specifically compromised a library file within the SolarWinds Orion platform, identified as SolarWinds.Orion.Core.BusinessLayer.dll. This platform is widely used by organizations to monitor and manage IT infrastructure, granting it privileged access to systems, which made it a highly attractive target.  
  • Attackers: The threat actors behind this campaign are referred to as UNC2452 by FireEye (later merged with APT29). Microsoft identified them as Nobelium.  
  • Modus Operandi: The attackers gained unauthorized access to SolarWinds’ network as early as September 2019 and began injecting the SUNBURST malicious code into Orion software updates by February 20, 2020. They even digitally signed their malicious version of the DLL with SolarWinds’ private key, making it appear legitimate.  
  • Distribution: SolarWinds unknowingly started sending out Orion software updates with this hacked code from March 26, 2020. The impacted versions range from 2019.4 to 2020.2.1 HF1, and reports suggest that up to 18,000 organizations may have unknowingly installed the compromised component.  

Interactive Question: Given that the malicious DLL was digitally signed and delivered through official update servers, what initial challenges would this pose for Global Tech Inc.’s existing security tools (e.g., antivirus software)?  

The Stealth of SUNBURST:  

The SUNBURST backdoor was designed with extreme stealth in mind.  

  • Ticking Time Bomb: After installation, the backdoor would wait for a dormant period of 12-14 days before sending its first beacon to the Command and Control (C2) server. This delay made it harder to link the attack back to the malicious update.  
  • Information Gathering: It collected basic system information (username, IP address, OS version) to decide if the machine was “worth exploring”.  
  • Custom C2 Communication: The malware used a Domain Generation Algorithm (DGA) to determine its C2 IP address, often mimicking legitimate SolarWinds Orion Improvement Program (OIP) communication to blend in. The IP address in the DNS response could even dictate the malware’s next action, such as killing itself, waiting, or executing another function.  
  • Evasion: SUNBURST would scan for antivirus and forensic tools, using obfuscated blocklists to identify them via processes, services, and drivers. It could stop blacklisted services by disabling them in the registry. Attackers also set hostnames on their C2 infrastructure to match legitimate hostnames within a victim’s environment and used IP addresses from the victim’s country to evade detection.  

Post-Compromise Activity:  

If a network were deemed valuable, the attackers would use SUNBURST to download further tools.  

  • TEARDROP: A memory-only dropper that would decode an embedded Cobalt Strike BEACON payload, enabling post-intrusion activities such as lateral movement, privilege escalation, data theft, and establishing further persistence.  
  • Raindrop: Discovered later, this was another malware backdoor and loader that delivered a Cobalt Strike payload, primarily geared towards post-compromise lateral movement across a victim’s network. It emerged after a target had been compromised with SUNBURST, but was asserted not to be delivered by SUNBURST directly.  
  • SUNSHUTTLE: A new second-stage backdoor discovered by FireEye.  

The attackers maintained a light malware footprint, relying instead on legitimate credentials and remote access tools, which made their activities exceptionally hard to detect. They employed techniques like temporary file replacement (replacing a legitimate utility, executing their payload, then restoring the original) and temporary task modification (updating scheduled tasks to execute their tools, then reverting them).  

Interactive Question: Global Tech Inc. has strong endpoint detection and response (EDR) tools. Why might these sophisticated evasion techniques still make the attack hard to detect, even with advanced tools?  

Detection and Response for Global Tech Inc.:  

Global Tech Inc. needs to act quickly. You learn that if you were operating a compromised version of the Orion component, “beacon activity to the attacker infrastructure” will show up in your logs, but this does not mean you are under active attack; it merely indicates the backdoor’s command and control components are functional.  

Immediate Actions (As per sources):  

  1. Check for Vulnerable Versions: Identify whether Global Tech Inc. is running affected SolarWinds Orion versions 2019.4 through 2020.2.1 HF1. Rapid7 InsightVM and Nexpose customers could scan their environments for affected versions. Varonis customers could check their systems for vulnerable versions and use queries for specific domains.  
  2. Look for Indicators of Compromise (IoCs):  
      • Check DNS and proxy connections for activity on avsvmcloud[.]com and other associated Command and Control (C2) domains.  
      • Rapid7’s InsightIDR had deployed detections for vulnerable versions and continued to add IoCs/TTPs. MDR customers had their logs analyzed for FireEye-released IoCs.  
      • Varonis customers can use their Edge dashboard and threat hunting tools to look up any alerts linked to these suspicious domains and stay ahead of potential threats.  
      • Specific YARA rules and other IoCs were provided by Symantec for Raindrop and by FireEye/Mandiant for TEARDROP and SUNBURST.  
  3. Monitor for Anomalous Behavior (Crucial for Behavioral Detection):  
      • Keep an eye on any unusual behavior from accounts or systems linked to SolarWinds, especially unexpected file activity, connections to user devices, or configuration changes.  
      • Also check for odd access patterns or changes made by other service accounts, not just SolarWinds-related ones, particularly in environments that mix cloud and on-prem systems.  
      • FireEye highlighted opportunities to detect lateral movement where attackers use different credentials for lateral movement than for remote access.  
      • Monitor for the delete-create-execute-delete-create pattern in SMB sessions and for temporary modifications of existing scheduled tasks.  
      • The importance of behavioral modeling and a Zero-trust model was called out, as attackers, despite their sophistication, struggle to precisely mimic the normal behavior of compromised users and devices.  
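A detection pass over constructed log lines for steps 2 and 3 above, added here as an example; it is not code from the original article or from any vendor named in it. The first function flags resolver queries under the C2 domain the article names (any DGA label), and the second looks for the change-then-revert shape of the temporary scheduled-task modification described under Post-Compromise Activity. The plain "timestamp key=value" log format, the host and task names, the stage.exe path and the 60-minute revert window are all constructed for the demonstration; only avsvmcloud.com comes from the article.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample logs (not from any real environment): a resolver log and a
# scheduled-task audit trail, both as "timestamp key=value key=value" lines.
DNS_LOG = r"""
2020-12-14T09:01:12Z client=10.20.1.15 qname=orion.globaltech.example qtype=A
2020-12-14T09:02:45Z client=10.20.1.15 qname=dgalabelexample0001.avsvmcloud.com qtype=A
2020-12-14T09:03:10Z client=10.20.1.22 qname=www.solarwinds.com qtype=A
"""
TASK_LOG = r"""
2020-12-14T10:00:00Z task=\Maintenance\Backup action=C:\Tools\backup.exe
2020-12-14T10:05:00Z task=\Maintenance\Backup action=C:\Windows\Temp\stage.exe
2020-12-14T10:21:00Z task=\Maintenance\Backup action=C:\Tools\backup.exe
2020-12-14T11:00:00Z task=\Reports\Nightly action=C:\Tools\report-v2.exe
"""
C2_DOMAIN = "avsvmcloud.com"  # SUNBURST C2 domain named in the article

def parse_line(line):
    """Split 'timestamp k=v k=v' into (datetime, dict of fields)."""
    ts, rest = line.split(None, 1)
    fields = dict(kv.split("=", 1) for kv in rest.split())
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), fields

def find_c2_dns_hits(log_text):
    """Return (client, qname) for each query at or under the C2 domain."""
    hits = []
    for line in filter(None, log_text.splitlines()):
        _, f = parse_line(line)
        q = f["qname"].lower().rstrip(".")
        if q == C2_DOMAIN or q.endswith("." + C2_DOMAIN):
            hits.append((f["client"], q))
    return hits

def find_temporary_task_changes(log_text, window_minutes=60):
    """Flag a task whose action was changed and then restored to its previous
    value within the window: the change/run/revert shape described above."""
    window = timedelta(minutes=window_minutes)
    history = defaultdict(list)
    for line in filter(None, log_text.splitlines()):
        ts, f = parse_line(line)
        history[f["task"]].append((ts, f["action"]))
    findings = []
    for task, ev in history.items():
        for (t0, a0), (t1, a1), (t2, a2) in zip(ev, ev[1:], ev[2:]):
            if a1 != a0 and a2 == a0 and t2 - t0 <= window:
                findings.append((task, a1, t1.isoformat()))
    return findings
```

A task that is changed once and never reverted (the Nightly entry) is deliberately not flagged; it is an ordinary configuration change, not the transient pattern the article describes.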

Remediation and Mitigation Strategies for Global Tech Inc.:  

  • Upgrade Immediately: SolarWinds urged affected customers to upgrade to Orion Platform version 2020.2.1 HF 2 (released December 15, 2020) or 2019.4 HF 6 (released December 14, 2020). Patches for CVE-2020-10148 (an unauthenticated, remote code execution weakness in the Orion API) were also made available.  
  • Isolation and Containment: During the assessment phase, SolarWinds infrastructure should be isolated or contained with all internet egress blocked to reduce risk. 
  • Credential Reset: Reset all credentials associated with or stored in SolarWinds Orion, and update passwords for any accounts with access to SolarWinds servers or infrastructure.   
  • Rebuild from Trusted Sources: The most cautious response involves rebuilding all hosts monitored by SolarWinds Orion from trusted sources.  
  • Review Configurations and Accounts:  
      • Restrict the scope of accounts with local administrator privileges on SolarWinds servers.  
      • If SolarWinds is used to manage network infrastructure, check the configuration of network devices for any signs of unauthorized or unusual modifications.  
      • Active Directory administrators should review account creation and deletion activity, especially around privileged/admin accounts.  
      • Reset all secret keys associated with multi-factor authentication (MFA) or application integrations housed on devices managed or monitored by Orion, as they should be considered compromised.  
  • Cloud-specific Guidance: CISA advised federal agencies using cloud-based SolarWinds Orion to segment oversight and control operations of cloud-based assets and establish a control framework to prohibit communication to/from the internet for cloud and internal installations.  
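The version triage from the "Check for Vulnerable Versions" step, carried through against the upgrade targets listed above, as an added example; it is not code from the original article or from SolarWinds. It takes only the article's facts (impacted range 2019.4 through 2020.2.1 HF1; fixed builds 2019.4 HF 6 and 2020.2.1 HF 2) and adds one assumption of its own: a hotfix number is treated as a fourth version component, which is what makes the fixed 2019.4 HF 6 sit numerically inside the impacted range and need an explicit exception. The inventory is constructed.

```python
import re

# Facts quoted in this article: impacted builds run from 2019.4 through
# 2020.2.1 HF1; the fixed builds are 2019.4 HF 6 and 2020.2.1 HF 2.
# Assumption of this example: a hotfix number is a fourth version component,
# so "2019.4 HF 6" sorts above plain "2019.4".
VERSION_RE = re.compile(r"^(\d+)\.(\d+)(?:\.(\d+))?(?:\s*HF\s*(\d+))?$", re.I)

def parse_orion_version(text):
    """'2020.2.1 HF1' -> (2020, 2, 1, 1); '2019.4' -> (2019, 4, 0, 0)."""
    m = VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised Orion version string: {text!r}")
    major, minor, patch, hf = m.groups()
    return (int(major), int(minor), int(patch or 0), int(hf or 0))

AFFECTED_LOW = parse_orion_version("2019.4")
AFFECTED_HIGH = parse_orion_version("2020.2.1 HF1")
# The fixed hotfixes sit numerically inside that range, so a naive range
# check would flag a patched 2019.4 HF 6 host; treat them as an exception.
FIXED_FROM_HF = {
    (2019, 4, 0): 6,  # 2019.4 HF 6 (and any later hotfix on that line, assumed)
    (2020, 2, 1): 2,  # 2020.2.1 HF 2 (and any later hotfix on that line, assumed)
}

def triage_orion_version(text):
    """Classify one install as 'fixed', 'affected' or 'outside-range'."""
    v = parse_orion_version(text)
    line, hf = v[:3], v[3]
    if line in FIXED_FROM_HF and hf >= FIXED_FROM_HF[line]:
        return "fixed"
    if AFFECTED_LOW <= v <= AFFECTED_HIGH:
        return "affected"
    return "outside-range"

def triage_inventory(inventory):
    """Map {hostname: version string} to {hostname: verdict}."""
    return {host: triage_orion_version(ver) for host, ver in inventory.items()}

# Constructed inventory for the fictional Global Tech Inc. estate.
SAMPLE_INVENTORY = {
    "orion-01": "2020.2.1 HF1",   # affected
    "orion-02": "2019.4 HF5",     # affected
    "orion-03": "2019.4 HF 6",    # fixed
    "orion-04": "2020.2.1 HF 2",  # fixed
    "orion-05": "2018.4",         # outside-range
}
```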

Long-term Implications & Lessons Learned:  

The SolarWinds attack highlighted several critical issues:  

  • Dwell Time: The attackers had access to SolarWinds systems for over a year before discovery, significantly exceeding the average dwell time.  
  • Sophistication: The complexity of the SUNBURST code and the attackers’ operational security allowed them to circumvent many traditional threat detection techniques.  
  • Wider Impact: The attack underscored the inherent dangers of supply chain attacks, where compromising one trusted vendor can lead to widespread impact on thousands of organizations, including government agencies and major private companies.  
  • Regulatory Scrutiny: The incident led to the U.S. Securities and Exchange Commission (SEC) taking legal action against SolarWinds and its CISO for alleged security failures and misstatements.  
  • Need for SBOMs: The attack, along with other incidents like Colonial Pipeline and Kaseya, emphasized the critical need for Software Bill of Materials (SBOMs), which provide a “nutritional label” of all components within an application, allowing organizations to identify vulnerabilities quickly.  
