Unveiled: SUNSPOT Malware Was Used to Inject SolarWinds Backdoor
Security News, January 2021
As the investigation into the SolarWinds supply-chain attack continues, cybersecurity researchers have disclosed a third malware strain that was deployed into the build environment to inject the backdoor into the company's Orion network monitoring platform.
"This highly sophisticated and novel code was designed to inject the Sunburst malicious code into the SolarWinds Orion Platform without arousing the suspicion of our software development and build teams," SolarWinds' new CEO Sudhakar Ramakrishna explained.
Preliminary evidence had suggested that the operators behind the espionage campaign compromised the software build and code-signing infrastructure of the SolarWinds Orion platform as early as October 2019 in order to deliver the Sunburst backdoor. The latest findings establish an earlier timeline: the first breach of the SolarWinds network occurred on September 4, 2019, with the intrusion aimed at deploying Sunspot into the build environment.
"Sunspot monitors running processes for those involved in compilation of the Orion product and replaces one of the source files to include the Sunburst backdoor code," CrowdStrike researchers said in a Monday analysis.
Once installed, the malware grants itself debugging privileges (SeDebugPrivilege, which lets it read the memory of other processes on the build server) and hijacks the Orion build workflow: it watches running processes for the build tooling and, when a build is under way, replaces a source code file in the build directory with a malicious variant so that Sunburst is compiled into Orion. The swap is confined to the compilation window, so the source tree on disk looks unchanged outside of it, which is what kept the development and build teams from noticing.
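The timing of the swap is the security-relevant detail: an integrity check that hashes the source tree before the build starts and again after it finishes sees nothing, because the file is already restored. The following is an added example, not code from CrowdStrike, SolarWinds or the original article; it simulates a SUNSPOT-style swap-and-restore against a constructed source tree (the file names and contents are hypothetical) and shows that a hash comparison against a trusted manifest only catches the tampering when it runs at the moment the compiler reads the sources.

```python
import hashlib
import tempfile
from pathlib import Path

# Constructed sample source tree; hypothetical names, not SolarWinds' real sources.
SAMPLE_SOURCES = {
    "Orion/Core/InventoryService.cs": "namespace Orion.Core { class InventoryService { } }\n",
    "Orion/Core/Scheduler.cs": "namespace Orion.Core { class Scheduler { } }\n",
}
# Constructed backdoored replacement that the simulated implant swaps in during compilation.
BACKDOORED_SOURCE = (
    "namespace Orion.Core { class InventoryService { "
    "static InventoryService() { /* hidden C2 beacon */ } } }\n"
)
TARGET_FILE = "Orion/Core/InventoryService.cs"


def hash_tree(root: Path) -> dict:
    """Map each file under root (relative POSIX path) to its SHA-256 hex digest."""
    return {
        str(p.relative_to(root)).replace("\\", "/"): hashlib.sha256(p.read_bytes()).hexdigest()
        for p in sorted(root.rglob("*"))
        if p.is_file()
    }


def diff_manifest(trusted: dict, observed: dict) -> dict:
    """Report files that differ from the trusted manifest: changed, added or missing."""
    return {
        "changed": sorted(k for k in trusted if k in observed and trusted[k] != observed[k]),
        "added": sorted(set(observed) - set(trusted)),
        "missing": sorted(set(trusted) - set(observed)),
    }


def write_tree(root: Path, files: dict) -> None:
    """Materialise the constructed source tree under root."""
    for rel, content in files.items():
        path = root / rel
        path.parent.mkdir(parents=True, exist_ok=True)
        path.write_text(content)


def run_build(root: Path, trusted: dict, implant_active: bool) -> dict:
    """Simulate one build, checking integrity before, at compile time and after.

    The implant models the behaviour described by CrowdStrike: it replaces a source
    file just before the compiler reads it and restores the original afterwards.
    """
    findings = {"before": diff_manifest(trusted, hash_tree(root))}

    target = root / TARGET_FILE
    original = target.read_bytes()
    if implant_active:
        target.write_text(BACKDOORED_SOURCE)  # swap once the build is under way

    # This is what the compiler actually reads; the only moment the swap is visible.
    findings["at_compile"] = diff_manifest(trusted, hash_tree(root))
    compiled_input = target.read_text()

    if implant_active:
        target.write_bytes(original)  # restore, leaving the tree on disk unchanged

    findings["after"] = diff_manifest(trusted, hash_tree(root))
    findings["backdoor_compiled"] = "C2 beacon" in compiled_input
    return findings


def demo(implant_active: bool) -> dict:
    """Build the sample tree in a temp dir, take the trusted baseline, run one build."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        write_tree(root, SAMPLE_SOURCES)
        trusted = hash_tree(root)  # baseline from the clean checkout
        return run_build(root, trusted, implant_active)


if __name__ == "__main__":
    for active in (False, True):
        print("implant" if active else "clean", demo(active))
```

With the implant active, the "before" and "after" diffs are empty while "at_compile" flags the swapped file and the compiled input carries the backdoor; a pre/post-build hash check alone would pass the build. In practice the same comparison has to be enforced where the compiler consumes its inputs (for example by hashing what the build actually read and comparing it to the committed revision), not merely around the build job.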
The development comes as Kaspersky researchers reported the first potential link between Sunburst and Kazuar, a malware family attributed to Turla, a Russian state-sponsored cyber-espionage group.