
Things You Need To Know About The Sunburst Trojan

The Sunburst Trojan is a piece of malware that took the world of cybersecurity by storm in early December 2020. On 8 December 2020, the California-based cybersecurity firm FireEye disclosed to the press that its systems had been breached by a powerful and versatile attack group. As a result of this breach, some of the tools developed and used by the company were stolen. The hack was so massive and debilitating that it is being referred to as the "Sunburst Hack".


How Was the Hack Carried Out?

The hack was accomplished by using the SolarWinds Orion platform. Orion is a SaaS tool that is used by many of the biggest companies in the world. Its main purpose is infrastructure management, and it is designed to simplify IT management by a significant margin. Orion is even used by the Treasury Department of the US federal government. The hackers infected Orion updates with their malware and, through them, gained access to the FireEye network.


How was the Malware Distributed?

According to cybersecurity experts, the malware was first distributed across the world in spring 2020, and it resided in the Orion patches without being detected for many months. Many versions of Orion, from 2019.4 HF 5 to 2020.2.1, were affected by this malware. It has been theorized that these patches stayed and spread throughout the affected networks all this while, collecting data from the systems and sending it all back to the origin.
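A defender's first step is to find out which Orion installations fall inside the affected version range. The following is an added example, not code from the article or from SolarWinds: it parses version strings in an assumed "YYYY.N[.P][ HF n]" format, uses the article's range (2019.4 HF 5 through 2020.2.1) as bounds, and scans a constructed inventory. The hotfix level of the upper bound is ignored, which is an assumption made here.

```python
import re
from typing import List, Optional, Tuple

# Comparable form of an Orion version: (year, release, patch, hotfix)
Version = Tuple[int, int, int, int]

# Bounds taken from the article: builds from 2019.4 HF 5 up to 2020.2.1 were affected.
AFFECTED_LOW: Version = (2019, 4, 0, 5)
AFFECTED_HIGH_BASE = (2020, 2, 1)  # assumption: any hotfix of 2020.2.1 counts as in range

# Assumed version-string format, e.g. "2019.4 HF 5", "2020.2", "2020.2.1"
_VERSION_RE = re.compile(r"^\s*(\d{4})\.(\d+)(?:\.(\d+))?(?:\s*HF\s*(\d+))?\s*$", re.IGNORECASE)


def parse_orion_version(text: str) -> Optional[Version]:
    """Turn a version string into a comparable tuple; None if it does not match the format."""
    m = _VERSION_RE.match(text)
    if not m:
        return None
    year, release, patch, hotfix = m.groups()
    return (int(year), int(release), int(patch or 0), int(hotfix or 0))


def is_affected(version: Version) -> bool:
    """True when the version lies inside the affected range described in the article."""
    return AFFECTED_LOW <= version and version[:3] <= AFFECTED_HIGH_BASE


def scan_inventory(rows) -> Tuple[List[str], List[str]]:
    """rows: iterable of (hostname, version_string). Returns (affected_hosts, unparsed_hosts)."""
    affected, unparsed = [], []
    for host, text in rows:
        v = parse_orion_version(text)
        if v is None:
            unparsed.append(host)  # unknown format: needs manual review, never silently skipped
        elif is_affected(v):
            affected.append(host)
    return affected, unparsed


# Constructed sample inventory; hostnames and versions are made up for this example.
SAMPLE_INVENTORY = [
    ("orion-prod-01", "2020.2.1"),
    ("orion-prod-02", "2019.4 HF 5"),
    ("orion-lab-01", "2019.4 HF 4"),
    ("orion-dr-01", "2020.2"),
    ("orion-old-01", "2019.2 HF 3"),
    ("orion-unknown", "n/a"),
]

if __name__ == "__main__":
    hit, bad = scan_inventory(SAMPLE_INVENTORY)
    print("affected:", hit)   # affected: ['orion-prod-01', 'orion-prod-02', 'orion-dr-01']
    print("unparsed:", bad)   # unparsed: ['orion-unknown']
```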


Main Objective of the Malware

The main objective of the Sunburst Trojan was data collection, as the backdoor created by the malware allowed the hackers to steal a great deal of restricted and sensitive information directly from the infected servers of the organizations. This can be gleaned from the nature of the malware, which was designed to lie low and appear normal to everyone. Its job was to collect data without being detected by network security systems.

A lot of effort was put in by the hackers to make the Trojan's activity look normal. The malware was deliberately limited by the hackers so that all it could do was spread in the system, lie low and gather all the information it could. All the gathered information was then relayed back swiftly to the hackers for dissemination. A lot of proprietary technology and red team tools were stolen from FireEye servers.


Who is Responsible for This?

The level of sophistication of this cyberattack and its massive scope have led many experts to state that it was state-sanctioned. Many say that it was the work of an advanced hacking group that was provided with state backing and access to unlimited resources. Although it is hard to cast the blame on any particular hacking group, many experts from the intelligence realm say that the hack was carried out by a group called APT29, aka "Cozy Bear".

Cozy Bear is believed to have ties to one or more intelligence agencies maintained by the Russian government, which is why it is designated an "Advanced Persistent Threat", or APT. It is believed that this hacking group was behind the attack, which would mean that it was carried out at the behest of the Russian government. Naturally, the Russian government has denied this allegation and has said that it is 100% innocent of any and all wrongdoing here.


What Happens Next?

After infiltrating the organizations by piggybacking on the Orion updates, the Trojan then proceeded to steal signing certificates. This allowed the attackers to create alter egos, which they used to target user accounts by forging SAML signatures. SAML signatures are a security mechanism used by many frameworks to guarantee that unauthorized access is not granted. The story behind this cyberattack is still unfolding, but the implications of such a wide-scale attack are truly staggering.

When the hack was discovered, SolarWinds immediately rebuilt all of the infected versions and released a new update that did not contain the malicious code. FireEye also released a set of detection rules and IOCs that security vendors could use to detect the presence of the malicious code inside their systems.
