SolarWinds Orion updates delivered SUNBURST
Attackers compromised SolarWinds' build system and inserted the SUNBURST backdoor into signed Orion Platform updates, reaching roughly 18,000 customers through the vendor's own trusted update channel.
Story
The SolarWinds incident was a build-system compromise with enterprise reach. Attackers placed SUNBURST into SolarWinds.Orion.Core.BusinessLayer.dll, a component shipped inside Orion Platform updates. Because the code was inserted during the build, before signing, the resulting packages carried a valid SolarWinds digital signature and were distributed through SolarWinds' normal update channel, so customers received attacker code through the path they were supposed to trust. The signature attested that the build came from SolarWinds, not that the build was clean.
The delivery mattered as much as the malware. Orion was deployed by large companies, telecommunications providers, accounting firms, universities, the U.S. military, federal agencies, and security vendors. CSO reported that SolarWinds' own customer list included hundreds of Fortune 500 and government customers before the company removed the page. A single poisoned vendor update gave the actor a menu of targets.
SUNBURST stayed dormant for up to about two weeks before its first beacon, shaped its command-and-control traffic to resemble the Orion Improvement Program (OIP) protocol, stored reconnaissance results inside legitimate plugin configuration files, and checked for forensic and anti-virus tools before continuing. Follow-on activity was selective and hands-on. FireEye described file replacement, scheduled-task manipulation, credential theft, lateral movement, and in-memory deployment of TEARDROP and Cobalt Strike BEACON on chosen networks.
The impact was not limited to the roughly 18,000 customers who received trojanized updates. The larger failure was architectural trust: monitoring software typically has broad network visibility and high privilege, yet few organizations had modeled what would happen if that trusted server turned hostile. CISA issued Emergency Directive 21-01 ordering federal agencies to disconnect affected Orion products, SolarWinds released clean hotfixes, and the industry had to start treating software update channels as first-class attack surfaces.
Affected Artifacts
- SolarWinds.Orion.Core.BusinessLayer.dll, Orion Platform 2019.4 HF5
  - Observed: 2020-03-26 to 2020-06-04
  - Compromised Versions: 2019.4 HF5
  - Fixed: Not listed
  - Hashes:
    - sha256:32519b85c0b422e4656de6e6c41878e95fd95026267daab4215ee59c107d6c77
    - md5:b91ce2fa41029f6955bff20079468448
  - Hashes identify SolarWinds.Orion.Core.BusinessLayer.dll from the SUNBURST-infected 2019.4 HF5 build.
- SolarWinds.Orion.Core.BusinessLayer.dll, Orion Platform 2020.2 RC1
  - Observed: 2020-03-26 to 2020-06-04
  - Compromised Versions: 2020.2 RC1
  - Fixed: Not listed
  - Hashes:
    - sha256:dab758bf98d9b36fa057a66cd0284737abf89857b73ca89280267ee7caf62f3b
  - Hash identifies SolarWinds.Orion.Core.BusinessLayer.dll from the SUNBURST-infected 2020.2 RC1 build.
- SolarWinds.Orion.Core.BusinessLayer.dll, Orion Platform 2020.2 RC2
  - Observed: 2020-03-26 to 2020-06-04
  - Compromised Versions: 2020.2 RC2
  - Fixed: Not listed
  - Hashes:
    - sha256:019085a76ba7126fff22770d71bd901c325fc68ac55aa743327984e89f4b0134
  - Hash identifies SolarWinds.Orion.Core.BusinessLayer.dll from the SUNBURST-infected 2020.2 RC2 build.
- SolarWinds.Orion.Core.BusinessLayer.dll, Orion Platform 2020.2 / 2020.2 HF1
  - Observed: 2020-03-26 to 2020-06-04
  - Compromised Versions: 2020.2, 2020.2 HF1
  - Fixed: Not listed
  - Hashes:
    - sha256:ce77d116a074dab7a22a0fd4f2c1ab475f16eec42e1ded3c0b0aa8211fe858d6
  - Hash identifies SolarWinds.Orion.Core.BusinessLayer.dll from the SUNBURST-infected 2020.2 / 2020.2 HF1 build family.
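The hash list above is the check an incident responder actually runs on an Orion host: hash every copy of the DLL and compare it against the known-bad digests. The script below is an added example, not SolarWinds, Mandiant or CISA tooling. It embeds only the hashes from this page, matches by file content rather than file name (so a renamed or staged copy is still caught), and creates constructed sample files for its demo. The function names, the 1 MiB read chunk, the `all_dlls` switch and the sample file contents are assumptions made for the example.

```python
"""Hash sweep for the SUNBURST-trojanized SolarWinds.Orion.Core.BusinessLayer.dll.

Added example, not SolarWinds or Mandiant code. Only the IOC digests come from
the page; function names and sample files are illustrative assumptions.
"""
import hashlib
import os
import sys
import tempfile
from pathlib import Path
from typing import Dict, List, Optional, Tuple

# Digests from this page's Affected Artifacts, lowercase hex -> attributed Orion build.
SUNBURST_IOCS: Dict[str, str] = {
    # sha256
    "32519b85c0b422e4656de6e6c41878e95fd95026267daab4215ee59c107d6c77": "2019.4 HF5",
    "dab758bf98d9b36fa057a66cd0284737abf89857b73ca89280267ee7caf62f3b": "2020.2 RC1",
    "019085a76ba7126fff22770d71bd901c325fc68ac55aa743327984e89f4b0134": "2020.2 RC2",
    "ce77d116a074dab7a22a0fd4f2c1ab475f16eec42e1ded3c0b0aa8211fe858d6": "2020.2 / 2020.2 HF1",
    # md5 (the page lists one only for the 2019.4 HF5 build)
    "b91ce2fa41029f6955bff20079468448": "2019.4 HF5",
}

TARGET_NAME = "solarwinds.orion.core.businesslayer.dll"


def digest_file(path: Path, chunk_size: int = 1 << 20) -> Dict[str, str]:
    """Stream the file through sha256 and md5 so large DLLs never sit in memory whole."""
    sha256, md5 = hashlib.sha256(), hashlib.md5()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            sha256.update(chunk)
            md5.update(chunk)
    return {"sha256": sha256.hexdigest(), "md5": md5.hexdigest()}


def classify(digests: Dict[str, str], iocs: Dict[str, str] = SUNBURST_IOCS) -> Optional[str]:
    """Return the SUNBURST build a file's digests match, or None. Case-insensitive on hex."""
    for algo in ("sha256", "md5"):
        label = iocs.get(digests.get(algo, "").lower())
        if label is not None:
            return label
    return None


def scan_tree(root: Path, iocs: Dict[str, str] = SUNBURST_IOCS,
              all_dlls: bool = False) -> List[Tuple[str, str, Optional[str]]]:
    """Walk root and hash candidate DLLs; match is by content, so renamed copies still hit.

    Default: hash only files named like the target DLL. all_dlls=True hashes every .dll,
    slower but catches copies an operator renamed or staged outside the install tree.
    Returns (path, sha256, matched build or None) per file hashed.
    """
    findings: List[Tuple[str, str, Optional[str]]] = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            lower = name.lower()
            if lower != TARGET_NAME and not (all_dlls and lower.endswith(".dll")):
                continue
            path = Path(dirpath) / name
            digests = digest_file(path)
            findings.append((str(path), digests["sha256"], classify(digests, iocs)))
    return findings


def demo() -> Tuple[int, int]:
    """Constructed scenario: a benign file carrying the target name plus a renamed copy whose
    own digest is registered as an IOC, to show content-based matching. Returns (hits, scanned)."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "Orion").mkdir()
        benign = root / "Orion" / "SolarWinds.Orion.Core.BusinessLayer.dll"
        benign.write_bytes(b"MZ constructed benign sample, not a real Orion DLL\n")
        staged = root / "Temp" / "update_cache.dll"
        staged.parent.mkdir()
        staged.write_bytes(b"MZ constructed sample standing in for a trojanized DLL\n")
        # Extend the page's table with the constructed file's digest so the demo can show a
        # positive match without shipping real malware.
        iocs = dict(SUNBURST_IOCS)
        iocs[digest_file(staged)["sha256"]] = "constructed test build"
        findings = scan_tree(root, iocs, all_dlls=True)
        hits = sum(1 for _path, _sha, label in findings if label)
        return hits, len(findings)


if __name__ == "__main__":
    # Usage: python sunburst_sweep.py <orion-install-root> [--all-dlls]
    scan_root = Path(sys.argv[1]) if len(sys.argv) > 1 else Path(".")
    for path, sha, label in scan_tree(scan_root, all_dlls="--all-dlls" in sys.argv):
        print(f"{'MATCH ' + label if label else 'no match':<28} {sha} {path}")
```

A valid Authenticode signature on a matching file is expected, not exculpatory: the DLL was signed after SUNBURST was inserted, so the sweep must key on content hashes rather than on signature validity. The md5 entry is kept only because the page lists it; a sha256 match is the one to act on.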
Incident Context
- Motive: Espionage, Data Theft
- Attribution: State
- Cause: Build System Compromise
- Transitive: No
- Actor: Nation-state
- User Impact: ~18,000 customers received trojanized updates
Indicators
- Location (mirror): github.com/mandiant/sunburst_countermeasures
- Location (mirror): virustotal.com/gui/file/32519b85c0b422e4656de6e6c41878e95fd95026267daab4215ee59c107d6c77
- Location (mirror): malware-research.org/solarwinds-sunburst-backdoor-forensic-analysis
- Location (mirror): netresec.com
- Observable: See CISA (AA20-352A), Mandiant, and Microsoft references for full IoC lists, including C2 domains/IPs.
- Commit: a76fd16dd3bea01ef70c6a4bd693a8d7323c93ac
External References
- CISA Alert AA20-352A: Advanced Persistent Threat Compromise of Government Agencies, Critical Infrastructure, and Private Sector Organizations (cisa.gov)
- SUNBURST Additional Technical Details (mandiant.com)
- Analyzing Solorigate, the compromised DLL file that started a sophisticated cyberattack (microsoft.com)
- SolarWinds attack explained - And why it was so hard to detect (csoonline.com)
Source record: proprietary/solarwinds_orion/meta.yaml