SolarWinds: What Hit Us Could Hit Others
New research into the malware that set the stage for the megabreach at IT vendor SolarWinds shows the perpetrators spent months inside the company's software development labs honing their attack before inserting malicious code into updates that SolarWinds then shipped to thousands of customers.
According to SolarWinds and a technical analysis from CrowdStrike, the intruders were trying to work out whether their "Sunspot" malware - designed specifically for use in undermining SolarWinds' software development process - could successfully insert their malicious "Sunburst" backdoor into Orion products without tripping any alarms or alerting Orion developers.
In October 2019, SolarWinds pushed an update to their Orion customers that contained the modified test code.
CrowdStrike said Sunspot was designed to detect when it was installed on a SolarWinds developer system, and then to lie in wait until specific Orion source code files were accessed by developers.
"The design of SUNSPOT suggests developers invested a lot of effort to ensure the code was properly inserted and remained undetected, and prioritized operational security to avoid revealing their presence in the build environment to SolarWinds developers," CrowdStrike wrote.
A third malware strain - dubbed "Teardrop" by FireEye, the company that first disclosed the SolarWinds attack in December - was installed via the backdoored Orion updates on networks that the SolarWinds attackers wanted to plunder more deeply.
News URL
https://krebsonsecurity.com/2021/01/solarwinds-what-hit-us-could-hit-others/