A Second Hacker Group May Have Also Breached SolarWinds, Microsoft Says (Security News, December 2020)
As the probe into the SolarWinds supply chain attack continues, new digital forensic evidence has brought to light that a separate threat actor may have been abusing the IT infrastructure provider's Orion software to drop a similar persistent backdoor on target systems.
"The investigation of the whole SolarWinds compromise led to the discovery of an additional malware that also affects the SolarWinds Orion product but has been determined to be likely unrelated to this compromise and used by a different threat actor," the Microsoft 365 research team said on Friday in a post detailing the Sunburst malware.
What makes the newly revealed malware, dubbed "Supernova," different is that unlike the Sunburst DLL, Supernova is not signed with a legitimate SolarWinds digital certificate, signaling that the compromise may be unrelated to the previously disclosed supply chain attack.
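As an added illustration (not code from the article, Microsoft or SolarWinds), the PowerShell triage script below applies the signing distinction drawn above: it walks the DLLs under an Orion install directory and flags any that are unsigned or not signed by SolarWinds, while treating a valid SolarWinds signature as necessary but not sufficient, since Sunburst carried one. The install path and the signer-subject pattern are assumptions to adjust for the environment.

```powershell
# Added example: Authenticode triage of Orion DLLs (not from the article or the vendor).
# Assumption: default install location; pass -OrionRoot to override.
param(
    [string]$OrionRoot = 'C:\Program Files (x86)\SolarWinds\Orion'
)

# Assumption: the vendor's code-signing certificate subject contains this CN.
$ExpectedSignerPattern = 'CN=SolarWinds'

$results = Get-ChildItem -Path $OrionRoot -Filter '*.dll' -Recurse -File |
    ForEach-Object {
        $sig     = Get-AuthenticodeSignature -FilePath $_.FullName
        $subject = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '' }

        # Classify from most to least suspicious. An unsigned DLL in the Orion tree
        # matches the Supernova pattern; a valid vendor signature does NOT clear a
        # file on its own, because the Sunburst DLL was legitimately signed.
        if ($sig.Status -eq 'NotSigned') {
            $verdict = 'UNSIGNED - review (Supernova-style)'
        } elseif ($sig.Status -ne 'Valid') {
            $verdict = "INVALID signature ($($sig.Status)) - review"
        } elseif ($subject -notmatch $ExpectedSignerPattern) {
            $verdict = 'SIGNED by non-SolarWinds signer - review'
        } else {
            $verdict = 'valid SolarWinds signature - compare hash with vendor/IR indicators'
        }

        [pscustomobject]@{
            Path    = $_.FullName
            Status  = $sig.Status
            Signer  = $subject
            SHA256  = (Get-FileHash -Path $_.FullName -Algorithm SHA256).Hash
            Verdict = $verdict
        }
    }

# Suspicious entries sort to the top; export the full table for the IR record.
$results | Sort-Object Verdict | Format-Table -AutoSize
$results | Export-Csv -Path (Join-Path $env:TEMP 'orion-dll-triage.csv') -NoTypeInformation
```

Run it from an elevated PowerShell session on the Orion host; the SHA256 column exists so that even validly signed files can be matched against indicators published by the vendor or your incident response team.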
The adversaries used what's called a supply chain attack, exploiting SolarWinds Orion network management software updates the company distributed between March and June of this year to plant malicious code in a DLL file on the targets' servers that's capable of stealthily gathering critical information, running remote commands, and exfiltrating the results to an attacker-controlled server.
"Following the SolarWinds attack announcement, Cisco Security immediately began our established incident response processes," Cisco said in a statement to The Hacker News via email.