Securonix Threat Research: Detecting SolarWinds/SUNBURST/ECLIPSER Supply Chain Attacks

January 18, 2021

The Securonix Threat Research (STR) team is actively investigating the details of the SolarWinds Orion IT software supply chain attacks. Many companies and government entities have been the victims of this global campaign, demonstrating top-tier operational tradecraft and resourcing consistent with state-sponsored threat actors.

Oleg Kolesnikov, VP of Threat Research, recently updated technical details of the known and unknown associated attack vectors/CVEs and analyzed the impact of the red team tools stolen. If you are looking for a summary of the report findings, read this blog.

Download the report to get his take on possible Securonix predictive indicators and security analytics that your security operations team can use to detect the current and potentially future attack variants. These indicators may be updated as we receive more information.


Attack Vector(s): A covert multi-stage supply-chain attack with a longer breakout time/operational tempo (likely started prior to 2020) reportedly carried out by a nation-state-sponsored actor using a trojanized digitally-signed SolarWinds Orion IT monitoring component payload (SolarWinds.Orion. Core.BusinessLayer.dll) and actively taking advantage of EDR/AV blind spots.

Impact: 18,000+ customers of SolarWinds believed to have been likely exposed as victims through compromised updates, including some major U.S. government (U.S. Treasury and Commerce, etc.), consulting (a leading US-based security company–FireEye/over 60 Red Team Tools (RTT) stolen by the MTA, etc.), technology, telecom, and other entities across North America, Europe, Asia, and the Middle East.

Some Examples of Observed ATT&CK Techniques:

  • T1195.002 Supply Chain Compromise
  • T1568.002 Dynamic Resolution: Domain Generation Algorithms
  • T1497.003 Virtualization/Sandbox Evasion: Time Based Evasion
  • T1027.003 Obfuscated Files or Information: Steganography
  • T1041 Exfiltration Over C2 Channel
  • T1583.003 Acquire Infrastructure: Virtual Private Server
  • T1071.001 Application Layer Protocol: Web Protocols
  • T1569.002 System Services: Service Execution
  • T1070.004 Indicator Removal on Host: File Deletion
  • T1057 Process Discovery
  • T1036.003 Masquerading: Rename System Utilities
  • T1021 Remote Services
  • T1036.004 Masquerading: Masquerade Task or Service
  • T1101.001 Password guessing
  • T1101.003 Password spraying
  • T1078 Inappropriately secured administrative credentials
  • T1133 External remote access services
  • T1053.005 Scheduled Task

Download the report to read more.

Price: FREE

About the Provider

Securonix delivers a next generation security analytics and operations management platform for the modern era of big data and advanced cyber threats.


Supply Chain Attacks, Threat Research