The US government was recently hit by a severe cyberattack allegedly masterminded by Russian nation-state hackers, UNC2452 (or Cozy Bear). The strike, dubbed SUNBURST, targeted government agencies including treasury and commerce, granting the attackers access to classified information such as internal emails.

The perpetrator had got a foothold in SolarWinds’ Orion software, which provides services that monitor the government’s networks, several months earlier. Kevin Thompson, SolarWinds’ President and CEO, said UNC2452 probably leveraged a vulnerability present in “updates which were released between March and June 2020”. However, this wasn’t a vulnerability that could be exploited; it was malware being injected into a supply chain – and that’s a crucial distinction. 

The incident was triggered when staff in Orion-equipped organizations received an update prompt via pop-up. Unaware of its malicious component, around 18,000 customers  – including some in the US government – downloaded it, allowing the hackers to potentially traverse their company networks.

The compromise occurred several months ago but was only undiscovered when FireEye, a SolarWinds customer, probed its own recent hack. As well as the US government, over 80% of the Fortune 500 use Orion – our threat expert Kev looks at the finer details.

Insight – Kev Breen, Immersive Labs’ Director of Threat Research

Timeline of compromise

Solar winds is a company that does many things, including network devices, software, tools and online services. What we’re specifically talking about here is its Orion product, which is a network management solution. The idea is to implement it in a large organization, or even some medium-sized organizations, where you’re running your enterprise network from the office. It enables management of servers, switches and routers in a simple way.

The idea is you put your network management solution – servers or  appliances – in the middle of your network and give that permission to talk to all of your switches, routers, domain controllers – whatever you want. So if you want to patch all of your Cisco devices, you can just go onto the NMS and say, “Hey, update all of these things with this patch” and it’ll go off and do that. Or if you want to add a file, you can then go on and say, “deploy this”. That’s what this product is, it’s highly privileged and sits in the middle of your network.

It’s interesting because, by design, it has to be able to talk to everything. You’ll find that network access controls are like, “Oh, you’re the NMS. Fine, come on in.” Or if it’s got accounts, “You’re the NMS, you need to be able to have a look at this. Come on in.” There are definitely organizations that do this properly, and there are definitely organizations that do this the lazy way. You can absolutely put some granular control on the accounts that you give to this thing and say, “Here’s an account that’s only allowed to list these 12 things.”

SolarWinds says around March this year its build server was compromised. It said the source code for its application was not compromised, but its build server was; and for a period of a couple of months – up until July – a malicious DLL was injected into all of the update packages. The APT group was either stopped or pulled out in July.

All we know for sure is that FireEye, several days to possibly a week ago, identified suspicious activity on its network that led to the compromise of its red team tools. FireEye identified that a SolarWinds device was responsible for that compromise.

We don’t know whether FireEye informed SolarWinds or if it had some advanced warning; what we do know is that in July it was infected. That is when the actual compromise took place. After July, there were no further malicious implants – either the APT group stopped or SolarWinds made some changes to fix them.

This compromise was injected as part of the build process – it was properly signed, packaged and everything. And out it popped the other side before being checked, validated and signed, because that’s what the build was. Everything would’ve come out clean.

So that DLL was part of that package. Everyone who had an active account, around 18,000 of 33,000 customers, would have received this update in real time. And those 18,000 customers were compromised the second they installed it.

As soon as that installs, there’s a period of 12 to 14 days, and then that malware connects back home. You are now compromised. Whether lateral movement has happened, whether second stages have happened – you have been compromised with a piece of highly placed malware on the inside of your network.

This was very, very targeted; this is hands on keyboard; this is zero malware, an operator manually enumerating, pivoting and exploiting through your network. They won’t have had enough operators to do everything at once, so they would have been selective about those call backs. They would have looked at all of those IPs that they’re calling back and said, “Right, who are you?” And inside this DLL file there is a check to see whether it’s being installed in Microsoft’s network, and if it’s going into Microsoft it will absolutely not try and connect back – it will just operate as normal. That is insane. This thing was designed not to beacon, not to do anything if it detected that it was inside a Microsoft IP range.

I’m seeing a lot of people say that this is a vulnerability in SolarWinds. That’s absolutely not what this is. This isn’t a bug or a flaw, this is a very deliberate action by part of the attacker to put code into this. This isn’t a vulnerability that can be exploited, this is malware being injected into that supply chain, and that’s a really important distinction.

Dive even deeper with Kev and the team in a special episode of our Cyber Humanity podcast:

How can your business prepare?

One of the most important things we do at Immersive Labs is exercise teams against the latest threats. To do this our expert content team drop what they’re doing and work through the night grabbing samples, reading blogs and trawling Twitter to find everything there is to know. They then distil this into labs covering the knowledge and skills your pros need to keep your business safe.

And that’s exactly what we’ve done here, creating a comprehensive new mini-series, SUNBURST: A Supply Chain Compromise, which includes the following labs. And the best bit? All of these labs are available for free in our Community Mode.

Compromising SolarWinds NMS (Theory)

In this lab the participant will learn what an NMS is, why it is a target, and how it’s relevant to the SUNBURST hack.

Who are UNC2452? (Theory)

Participants will examine APT29 from a MITRE ATT&CK viewpoint in this lab, discovering what the group does and how it operates.

Build Server Investigation (Practical)

In this lab participants assume the role of a threat hunter, reviewing a build server and its build stages to identify what malicious code has been injected and where.

IoC Investigation (Practical)

Continuing as a threat hunter, participants must take the indicators of compromise provided by FireEye and review their NMS host to see if it has been affected

Malware Investigation (Practical)

Finally, participants must take a sample of the malware and identify any additional IoCs that will help them identify suspicious activity on their systems and networks. 

Don’t leave your security to chance. Get a demo of the new SUNBURST mini-series and discover why enterprises trust Immersive Labs to get ahead of the threat landscape.


Experience Sunburst first hand with the experts
Join Kev, Chris and Sean as they demonstrate our mini-series on this unprecedented threat to organizations. By starting with foundational concepts and moving through to detailed hands-on simulations, you will learn firsthand the critical lessons underlined by the attack on Solarwinds.

Listen to the recording.



Check Out Immersive Labs in the News.


December 18, 2020


Immersive Labs