Cybersecurity experts at CrowdStrike have identified the malware used in the recent SolarWinds hack. The malicious software enabled the attackers to insert backdoors into builds of the Orion platform in the widespread supply-chain attack, uncovered in December 2020, that compromised both government agencies and multiple organisations.

SolarWinds attack analysis

Called Sunspot by CrowdStrike, the malware was deployed by the attackers inside the dedicated development environment for the Orion IT management software. Once running, it monitored the build process and automatically injected the Sunburst backdoor by replacing the company’s legitimate source code with malicious code during compilation.

As reported by Bleeping Computer, CrowdStrike specialists explained:

“The design of SUNSPOT suggests StellarParticle developers invested a lot of effort to ensure the code was properly inserted and remained undetected and prioritised operational security to avoid revealing their presence in the build environment to SolarWinds developers.”

Sudhakar Ramakrishna, CEO for SolarWinds, echoed the findings of CrowdStrike, commenting:

“This highly sophisticated and novel code was designed to inject the SUNBURST malicious code into the SolarWinds Orion platform without arousing the suspicion of our software development and build team.”
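The build-time substitution described above is the risk a source-integrity check in the build pipeline is meant to catch. The following is an added example, not code from CrowdStrike or SolarWinds, that pins a SHA-256 manifest of a reviewed checkout and flags any file that differs when the build starts; the file names and directory layout are constructed for the demonstration.

```python
import hashlib
import tempfile
from pathlib import Path

# Added example (not CrowdStrike's or SolarWinds' code): detect source
# substitution in a build environment by comparing the source tree against
# a pinned SHA-256 manifest before compilation starts.

def hash_tree(root):
    """Map each file path (relative to root) to its SHA-256 hex digest."""
    root = Path(root)
    digests = {}
    for path in sorted(root.rglob("*")):
        if path.is_file():
            rel = path.relative_to(root).as_posix()
            digests[rel] = hashlib.sha256(path.read_bytes()).hexdigest()
    return digests

def verify_tree(root, manifest):
    """Compare the tree under root with a pinned manifest.

    Returns the paths whose content changed, paths that appeared, and
    paths that vanished since the manifest was recorded.
    """
    actual = hash_tree(root)
    return {
        "modified": sorted(p for p in manifest if p in actual and actual[p] != manifest[p]),
        "added": sorted(p for p in actual if p not in manifest),
        "missing": sorted(p for p in manifest if p not in actual),
    }

def demo():
    """Constructed scenario: pin a clean tree, then swap one file pre-build."""
    with tempfile.TemporaryDirectory() as root:
        src = Path(root) / "src"
        src.mkdir()
        (src / "Core.cs").write_text("// clean build logic\n")
        (src / "Util.cs").write_text("// helpers\n")
        manifest = hash_tree(root)       # recorded from the reviewed checkout
        clean = verify_tree(root, manifest)
        # Simulate a file being replaced in the build environment.
        (src / "Core.cs").write_text("// tampered during build\n")
        tampered = verify_tree(root, manifest)
    return clean, tampered

if __name__ == "__main__":
    print(demo())
```

In practice the manifest would be produced outside the build host, from the commit being built, and the build aborted when `verify_tree` reports anything.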

An extensive range of malware strains

This is yet another form of malware identified during the investigation of the recent supply-chain attack, linked to the threat actor that CrowdStrike tracks as StellarParticle, FireEye tracks as UNC2452 and Volexity tracks as Dark Halo.

A second strain is the Sunburst backdoor, which the SolarWinds attackers delivered to the systems of enterprises and organisations that unknowingly installed trojanised Orion builds through the platform’s built-in automatic update mechanism.

After recovering Sunburst samples that had dropped different payloads, cybersecurity experts at FireEye discovered another malware type called Teardrop, a previously undocumented memory-only dropper and post-exploitation tool used to deploy customised Cobalt Strike beacons.

A fourth type of malware, not currently attributed to the StellarParticle threat actor but also delivered via trojanised Orion builds, was uncovered by Microsoft and Palo Alto Networks Unit 42 during their investigation of the SolarWinds hack. Named SuperNova, it was dropped as a DLL file that allowed attackers to remotely send, compile and then execute code on compromised devices.

The true identity of the hackers behind the SolarWinds supply chain assault is still unknown to cybersecurity experts, although organisations and agencies in the United States have noted that they have their suspicions.

Sudhakar Ramakrishna, CEO of SolarWinds, commented:

“The U.S. government and many private-sector experts have stated the belief that a foreign nation-state conducted this intrusive operation as part of a widespread attack against America’s cyberinfrastructure.”

Ramakrishna added, however, that so far the investigations undertaken by SolarWinds security teams have not independently verified the identity of the perpetrators behind the hack.