vimarsana.com

Page 6 - Cobalt Strike Beacon News Today : Breaking News, Live Updates & Top Stories | Vimarsana

Deep dive into the Solorigate second-stage activation: From SUNBURST to TEARDROP and Raindrop

UPDATE: Microsoft continues to work with partners and customers to expand our knowledge of the threat actor behind the nation-state cyberattacks that compromised the supply chain of SolarWinds and impacted multiple other organizations. Microsoft previously used ‘Solorigate’ as the primary designation for the actor, but moving forward, we want to place appropriate focus on the actors behind the sophisticated attacks, rather than one of the examples of malware used by the actors. Microsoft Threat Intelligence Center (MSTIC) has named the actor behind the attack against SolarWinds, the SUNBURST backdoor, TEARDROP malware, and related components as NOBELIUM. As we release new content and analysis, we will use NOBELIUM to refer to the actor and the campaign of attacks.

More SolarWinds Attack Details Emerge

A third piece of malware is uncovered, but there are still plenty of unknowns about the epic attacks purportedly out of Russia. As yet another piece of malware has been uncovered in the attack on SolarWinds network management system software, there still remain several missing elements needed to draw a complete picture of the massive cyberattacks against major US government agencies and corporations, including security vendor and incident response expert FireEye. SolarWinds and CrowdStrike this week detailed a third malware tool dubbed Sunspot that was found in the attack on the software vendor. Sunspot is a custom program that inserted the so-called Sunburst backdoor into the software build environment of SolarWinds Orion network management product. CrowdStrike, which analyzed Sunspot on behalf of SolarWinds, says the tool was carefully planted somehow by the attackers and kept hidden from SolarWinds developers with sophisticated trackin

FireEye: SolarWinds Hack Genuinely Impacted 50 Victims

Location of organizations that Microsoft has identified as having been exploited via second-stage attacks as part of the SolarWinds Orion supply chain attack

Hackers who infiltrated government and business networks via a stealthy software update appear to have genuinely impacted about 50 organizations, says FireEye CEO Kevin Mandia. Speaking of the supply chain attack that implanted a backdoor in the Orion network monitoring software built by Texas-based SolarWinds, and which was pushed to 18,000 of the firm's customers, Mandia noted that, while many have been referring to it as potentially the biggest intrusion in our history, the focus of the apparent cyberespionage campaign was much more targeted.

Target Selection: SolarWinds Orion Big Fish Most at Risk

SolarWinds has removed a list of selected customers from its website (above) following the discovery that its Orion software had been Trojanized and used to hack an unknown number of users.

As befits any data breach investigation that is rapidly unfolding in the public eye, more details about the SolarWinds breach continue to appear seemingly on an hourly basis. Unfortunately, newly discovered victims are continuing to come forward at nearly the same pace, especially because attackers appear to have been operating undetected for at least nine months after successfully Trojanizing multiple versions of SolarWinds Orion network-monitoring security software, beginning in March. The Trojanized software was still available for download on Monday, and for some breached organizations, attackers may still be inside their network.

© 2025 Vimarsana