Securonix Threat Research: Detecting SolarWinds/SUNBURST/ECLIPSER Supply Chain Attacks

January 18, 2021

The Securonix Threat Research (STR) team is actively investigating the details of the SolarWinds Orion IT software supply chain attacks. Many companies and government entities have been the victims of this global campaign, demonstrating top-tier operational tradecraft and resourcing consistent with state-sponsored threat actors.

Oleg Kolesnikov, VP of Threat Research, recently updated technical details of the known and unknown associated attack vectors/CVEs and analyzed the impact of the red team tools stolen. If you are looking for a summary of the report findings, read this blog.

Download the report to get his take on possible Securonix predictive indicators and security analytics that your security operations team can use to detect the current and potentially future attack variants. These indicators may be updated as we receive more information.

Summary

Attack Vector(s): A covert multi-stage supply-chain attack with a longer breakout time/operational tempo (likely started prior to 2020), reportedly carried out by a nation-state-sponsored actor using a trojanized, digitally-signed SolarWinds Orion IT monitoring component payload (SolarWinds.Orion.Core.BusinessLayer.dll) and actively taking advantage of EDR/AV blind spots.

Impact: 18,000+ SolarWinds customers are believed to have been exposed as potential victims through compromised updates, including some major U.S. government entities (U.S. Treasury and Commerce, etc.), consulting firms (a leading US-based security company, FireEye, from which over 60 Red Team Tools (RTT) were stolen by the MTA, etc.), technology, telecom, and other entities across North America, Europe, Asia, and the Middle East.

Some Examples of Observed ATT&CK Techniques:

  • T1195.002 Supply Chain Compromise
  • T1568.002 Dynamic Resolution: Domain Generation Algorithms
  • T1497.003 Virtualization/Sandbox Evasion: Time Based Evasion
  • T1027.003 Obfuscated Files or Information: Steganography
  • T1041 Exfiltration Over C2 Channel
  • T1583.003 Acquire Infrastructure: Virtual Private Server
  • T1071.001 Application Layer Protocol: Web Protocols
  • T1569.002 System Services: Service Execution
  • T1070.004 Indicator Removal on Host: File Deletion
  • T1057 Process Discovery
  • T1036.003 Masquerading: Rename System Utilities
  • T1021 Remote Services
  • T1036.004 Masquerading: Masquerade Task or Service
  • T1110.001 Brute Force: Password Guessing
  • T1110.003 Brute Force: Password Spraying
  • T1078 Inappropriately secured administrative credentials
  • T1133 External remote access services
  • T1053.005 Scheduled Task

Download the report to read more.

Price: FREE

About the Provider

Securonix
Securonix delivers a next generation security analytics and operations management platform for the modern era of big data and advanced cyber threats.

TOPICS

Supply Chain Attacks, Threat Research