SolarWinds Orion Used Sunspot Software To Implement Backdoor

Investigations into the SolarWinds supply chain attack are ongoing, and cybersecurity researchers have identified a third type of malware deployed in a build environment to inject a backdoor into SolarWinds' Orion network monitoring platform.

The malware, dubbed Sunspot, joins an ever-growing list of previously detected malware such as Sunburst and Teardrop. Recall that analysts at Kaspersky Lab earlier found similarities between the Sunburst hacking tool used during this attack and the already well-known Kazuar tool used by the Turla hacker group, which many experts associate with Russia.

“This highly sophisticated malware was designed to inject Sunburst malware into the SolarWinds Orion platform without raising suspicion from our software development and build teams,” explained Sudhakar Ramakrishna, the new CEO of SolarWinds.

While preliminary data showed that the espionage campaign's operators compromised the software build and code signing infrastructure of the SolarWinds Orion platform back in October 2019 to insert the Sunburst backdoor, the latest investigation results point to a revised timeline for the SolarWinds network breach: attackers deployed Sunspot on September 4, 2019.


Sunspot monitors the running processes involved in compiling the Orion product and replaces one of the source files to include the Sunburst backdoor code. Once installed, the malware ("taskhostsvc.exe") grants itself debug privileges and then hijacks the Orion build workflow: it watches the software processes running on the build server and, when a build is under way, swaps a source file in the build directory for a malicious version so that Sunburst is compiled into Orion.
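One defensive check that the source substitution described above would trip, written here as an added example and not taken from the SolarWinds investigation or its tooling: a manifest of source-file hashes is recorded at checkout and re-verified immediately before the compiler is invoked, so a file that differs from what was checked out fails the build instead of being compiled. The file names and the tampering step are constructed for the demonstration.

```python
import hashlib
import tempfile
from pathlib import Path


def build_manifest(root: Path) -> dict[str, str]:
    """Map every file under root (POSIX-style relative path) to its SHA-256.
    Run this at checkout, before any build tooling has touched the tree."""
    manifest = {}
    for path in sorted(root.rglob("*")):
        if path.is_file():
            rel = path.relative_to(root).as_posix()
            manifest[rel] = hashlib.sha256(path.read_bytes()).hexdigest()
    return manifest


def verify_tree(root: Path, manifest: dict[str, str]) -> dict[str, list[str]]:
    """Re-hash the tree right before the compiler runs and report deviations.
    A non-empty 'modified', 'missing' or 'added' list should fail the build."""
    current = build_manifest(root)
    return {
        "modified": sorted(p for p in manifest if p in current and current[p] != manifest[p]),
        "missing": sorted(p for p in manifest if p not in current),
        "added": sorted(p for p in current if p not in manifest),
    }


def demo() -> dict[str, list[str]]:
    """Constructed scenario: a two-file build tree in which one source file is
    replaced between checkout and compilation, as a build-hijacking tool would do."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "src").mkdir()
        (root / "src" / "Inventory.cs").write_text("class Inventory {}\n")  # constructed name
        (root / "src" / "Main.cs").write_text("class Main {}\n")            # constructed name
        manifest = build_manifest(root)  # taken at checkout
        # Simulated substitution of one source file in the build directory.
        (root / "src" / "Inventory.cs").write_text("class Inventory { /* injected */ }\n")
        return verify_tree(root, manifest)  # pre-compile check


if __name__ == "__main__":
    print(demo())  # {'modified': ['src/Inventory.cs'], 'missing': [], 'added': []}
```

The manifest must be stored outside the build tree (for example signed and attached to the pipeline run), otherwise the same process that swaps a source file can rewrite the manifest to match.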
