- Cyber-security firm CrowdStrike, one of the companies directly involved in investigating the SolarWinds supply chain attack, said today it identified a third malware strain directly involved in the recent hack.
- The strain, named Sunspot, joins the previously discovered Sunburst (also called Solorigate) and Teardrop malware.
- Sunspot was installed on SolarWinds’ build server, the machine that runs the build system (the software developers use to compile and assemble smaller components into a releasable application).
- CrowdStrike said Sunspot had a single purpose: to watch the build server for build commands that assembled Orion, one of SolarWinds’ top products, an IT resource monitoring platform used by more than 33,000 customers across the globe.
- Once a build command was detected, the malware silently swapped source code files inside the Orion app for versions that loaded the Sunburst malware, so the resulting Orion builds installed Sunburst alongside the legitimate product. Because the substitution happened only while the build was running, with the original files put back afterwards, the source repository itself never showed the change; only a check performed on the files at the moment the compiler read them would have caught it.
- The SolarWinds hackers are tracked under different names, such as UNC2452 (FireEye, Microsoft), DarkHalo (Volexity), and StellarParticle (CrowdStrike); these designations are expected to change as companies learn more about the group.
- One last mystery remains: how did the SolarWinds hackers breach the company’s network in the first place and install the Sunspot malware? Was it an unpatched VPN, an email spear-phishing attack, or a server left exposed online with a guessable password?
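The build-time substitution described above is worth seeing concretely, because it defeats the obvious defence of diffing the repository before and after a build. The following script is an added illustration, not code from CrowdStrike, SolarWinds or the Sunspot implant itself: it builds a constructed two-file source tree in a temporary directory, records a SHA-256 manifest at checkout, then runs a toy compiler loop that re-hashes every file at the instant it is read. A constructed stand-in for the implant swaps one file just before the compiler reads it and restores the original afterwards. The file names, contents and the `BuildTimeImplant` class are all made up for the demo.

```python
"""Added demo: catching a Sunspot-style source swap that happens only while a build runs.
Not SolarWinds, Orion or CrowdStrike code; the tree and file names below are constructed."""
import hashlib
import tempfile
from pathlib import Path

# Constructed toy source tree (made-up names, not Orion's real files).
SOURCES = {
    "Orion/Core/Collector.cs": b"class Collector { void Refresh() { /* gather host stats */ } }\n",
    "Orion/Core/Scheduler.cs": b"class Scheduler { void Tick() { } }\n",
}
TARGET = "Orion/Core/Collector.cs"                       # file the constructed implant swaps
BACKDOORED = b"class Collector { void Refresh() { Backdoor.Start(); } }\n"  # constructed payload


def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def snapshot(root: Path) -> dict[str, str]:
    """Manifest of every .cs file under root: relative path -> SHA-256 of its content."""
    return {str(p.relative_to(root)).replace("\\", "/"): sha256(p.read_bytes())
            for p in sorted(root.rglob("*.cs"))}


def checkout(root: Path) -> dict[str, str]:
    """Write the constructed tree to disk and take the checkout-time manifest."""
    for rel, data in SOURCES.items():
        path = root / rel
        path.parent.mkdir(parents=True, exist_ok=True)
        path.write_bytes(data)
    return snapshot(root)


class TamperedSource(Exception):
    """A file read by the compiler no longer matches the checkout manifest."""


def build(root: Path, manifest: dict[str, str], before_read=None) -> list[str]:
    """Toy compiler loop: verify each file's hash at the moment it is read, then 'compile' it.
    before_read(rel) is a hook the demo uses to let an implant act mid-build."""
    objects = []
    for rel, expected in manifest.items():
        if before_read is not None:
            before_read(rel)
        data = (root / rel).read_bytes()
        if sha256(data) != expected:
            raise TamperedSource(f"{rel} changed between checkout and compile")
        objects.append(f"{rel}.o:{sha256(data)[:16]}")
    return objects


class BuildTimeImplant:
    """Constructed stand-in for a Sunspot-style implant: swaps one source file right before the
    compiler reads it and restores the original afterwards, so the repository looks untouched."""

    def __init__(self, root: Path, target: str, payload: bytes):
        self.root, self.target, self.payload = root, target, payload
        self.original = None

    def before_read(self, rel: str) -> None:
        if rel == self.target:
            path = self.root / rel
            self.original = path.read_bytes()
            path.write_bytes(self.payload)

    def restore(self) -> None:
        if self.original is not None:
            (self.root / self.target).write_bytes(self.original)
            self.original = None


def demo() -> dict[str, bool]:
    """Run a clean build, then a build with the implant active, and report what each check sees."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        manifest = checkout(root)
        clean_ok = len(build(root, manifest)) == len(SOURCES)

        implant = BuildTimeImplant(root, TARGET, BACKDOORED)
        detected = False
        try:
            build(root, manifest, before_read=implant.before_read)
        except TamperedSource:
            detected = True          # per-read hash check catches the swap
        finally:
            implant.restore()        # implant cleans up, as a real one would

        # A before/after comparison of the repository sees nothing: the tree on disk after the
        # tampered build is byte-identical to the checkout manifest.
        repo_unchanged = snapshot(root) == manifest
    return {"clean_build_ok": clean_ok,
            "swap_detected_at_compile": detected,
            "repo_looks_clean_after_build": repo_unchanged}


if __name__ == "__main__":
    print(demo())
```

The point of the three results is the contrast: the clean build passes, the compile-time hash check flags the swapped file, and yet a naive repository comparison after the build reports no change. Pinning the inputs a compiler actually consumed to a checkout-time manifest (or reproducing the build on an independent machine and comparing artefacts) is what closes this gap; watching the repository alone does not.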
– Catalin Cimpanu | January 12, 2021