How many industrial organizations had installed backdoored SolarWinds versions? We present the results of our analysis.
# Incident Report: SunBurst Backdoor Impact on Industrial Organizations
## Executive Summary
A sophisticated supply-chain attack targeted SolarWinds Orion software, resulting in the distribution of the "SunBurst" (or Solorigate) backdoor. Kaspersky ICS CERT identified approximately 2,000 organizations globally that installed the compromised software versions, with industrial entities making up roughly 18% of the affected base. While many organizations were infected, second-stage activity (Teardrop) was observed in a significantly smaller, highly targeted subset of victims.
## Incident Details
- **Discovery Date:** December 2020 (Publicly disclosed by FireEye)
- **Incident Date:** March 2020 – June 2020 (Distribution period)
- **Affected Organizations:** ~2,000 organizations (including manufacturing, energy, and utilities)
- **Sector:** Industrial Control Systems (ICS), Manufacturing, Energy, Utilities, Oil & Gas
- **Geography:** Global (Primarily USA, Europe, Middle East, and Asia)
## Timeline of Events
### Initial Access
- **Date/Time:** March 26, 2020
- **Vector:** Supply-chain compromise of the SolarWinds Orion software build system.
- **Details:** Attackers injected a malicious DLL (`SolarWinds.Orion.Core.BusinessLayer.dll`) into the legitimate software update pipeline.
### Lateral Movement
- **Details:** After an initial dormant period (12-14 days), the backdoor contacted a C2 server. If the victim was deemed high-interest, attackers deployed the **Teardrop** post-exploitation tool to move laterally using valid credentials and PowerShell.
### Data Exfiltration/Impact
- **Details:** The primary goal was espionage. Attackers sought administrative credentials, internal emails, and sensitive architectural documentation.
### Detection & Response
- **Detection:** Discovered via forensic analysis of a breach at FireEye; subsequent global telemetry analysis by Kaspersky revealed the scale of industrial exposure.
- **Response:** SolarWinds released hotfixes (2020.2.1 HF 1 and 2020.2.1 HF 2); CISA issued Emergency Directive 21-01.
## Attack Methodology
- **Initial Access:** Supply-chain injection (Trojanized software update).
- **Persistence:** Trojanized DLL loaded as a legitimate service; scheduled tasks for second-stage payloads.
- **Privilege Escalation:** Use of compromised administrative credentials and SAML token forging ("Golden SAML").
- **Defense Evasion:** 12-14 day execution delay; checks for anti-virus/forensic tools; use of steganography and blocklists for specific security domains.
- **Credential Access:** Mimikatz and memory dumping to extract service account tokens.
- **Discovery:** Reconnaissance of AD structure, hostnames, and network configurations via the SunBurst C2.
- **Lateral Movement:** WMI, PowerShell, and remote desktop protocols (RDP).
- **Collection:** Focus on cloud resources (Office 365/Azure) and sensitive internal documents.
- **Exfiltration:** Data tunneled through HTTPS C2 traffic to masquerade as legitimate Orion protocol traffic.
- **Impact:** Long-term unauthorized access and loss of intellectual property.
## Impact Assessment
- **Financial:** High remediation costs; legal and forensic expenses.
- **Data Breach:** Compromise of internal communications and proprietary technical data.
- **Operational:** Minimal direct disruption to ICS/OT processes reported, though the potential for sabotage was high.
- **Reputational:** Significant loss of trust in SolarWinds and the software supply chain.
## Indicators of Compromise
- **Network Indicators:**
  - `avsvmcloud[.]com` (C2 traffic)
  - `digitalpica[.]com`
  - `deftsecurity[.]com`
- **File Indicators (Hashes):**
  - `b91ce2fa41029f6955bdd20074b417ad823bc7f5467d4d2da2871d888e7f107` (SolarWinds.Orion.Core.BusinessLayer.dll)
- **Behavioral Indicators:** Unexpected external DNS queries from the Orion server and unusual PowerShell execution by service accounts.
## Response Actions
- **Containment:** Isolation of SolarWinds Orion servers from the internet; resetting all administrative and service credentials.
- **Eradication:** Reimaging affected servers and updating to non-malicious versions of Orion (e.g., 2020.2.1 HF 2).
- **Recovery:** Full audit of Active Directory and Azure environments for forged persistent tokens.
## Lessons Learned
- **Supply Chain Vulnerability:** Traditional perimeter defenses are ineffective against trusted software updates.
- **Dormancy as Strategy:** Long wait times before C2 activation can bypass standard sandbox analysis.
- **ICS Exposure:** Industrial networks are increasingly integrated with IT management tools, expanding the attack surface for critical infrastructure.
## Recommendations
- **Network Segmentation:** Isolate ICS/OT management servers from direct internet access.
- **Supply Chain Risk Management:** Implement integrity checks for all software updates and verify digital signatures.
- **Egress Filtering:** Implement strict outbound firewall rules for servers, allowing communication only to necessary update repositories.
- **Behavioral Monitoring:** Monitor for "living-off-the-land" techniques (PowerShell, WMI) originating from management software components.
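The behavioral indicator above (unexpected external DNS queries from the Orion server) and the egress-filtering recommendation can be turned into a simple detection pass over DNS logs. The following is an added example written for this report, not Kaspersky's or SolarWinds' code: it assumes a log line format of `<timestamp> <client-host> <query-name>`, a constructed inventory of Orion hostnames, and a constructed egress allowlist; the C2 domains come from the IoC list above and the sample log lines are constructed.

```python
import re
from typing import List, Optional, Tuple

# Known SunBurst C2 domains from the report's IoC list (refanged).
KNOWN_C2 = {"avsvmcloud.com", "digitalpica.com", "deftsecurity.com"}
# Assumed inventory of SolarWinds Orion servers (constructed hostnames).
ORION_HOSTS = {"orion01", "orion02"}
# Assumed egress allowlist for those servers: only update repositories
# they legitimately need (constructed for the example).
ALLOWED_EGRESS = {"solarwinds.com", "windowsupdate.com"}

# Constructed sample DNS log: "<timestamp> <client-host> <query-name>".
# The avsvmcloud.com subdomain label is made up for the example.
SAMPLE_DNS_LOG = """\
2020-04-10T09:12:01Z orion01 downloads.solarwinds.com
2020-04-10T09:12:05Z orion01 7sbvaemscs0mc925tb99.appsync-api.eu-west-1.avsvmcloud.com
2020-04-10T09:13:44Z fileserver03 update.windowsupdate.com
2020-04-10T09:14:02Z orion02 deftsecurity.com
2020-04-10T09:15:30Z orion02 pastebin-lookalike.example.net
"""

LINE_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)$")

def registrable_domain(qname: str) -> str:
    """Crude eTLD+1: keep the last two labels (sufficient for the sample)."""
    labels = qname.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])

def classify(host: str, qname: str) -> Optional[str]:
    """Return an alert label for one DNS query, or None if it looks benign."""
    base = registrable_domain(qname)
    if base in KNOWN_C2:
        return "known-sunburst-c2"          # any host touching a listed C2 domain
    if host in ORION_HOSTS and base not in ALLOWED_EGRESS:
        return "orion-egress-violation"     # Orion server resolving a non-allowlisted domain
    return None

def scan_dns_log(text: str) -> List[Tuple[str, str, str, str]]:
    """Return (timestamp, host, query, label) for every flagged log line."""
    alerts = []
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue                        # skip malformed lines rather than crash
        ts, host, qname = m.groups()
        label = classify(host, qname)
        if label:
            alerts.append((ts, host, qname, label))
    return alerts

if __name__ == "__main__":
    for alert in scan_dns_log(SAMPLE_DNS_LOG):
        print(*alert)
```

The allowlist check is what makes the egress rule enforceable in practice: a query to a domain that is not yet on any IoC list still surfaces as an alert because it came from an Orion server.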