SolarWinds hack investigation reveals new Sunspot malware

Crowdstrike researchers have documented Sunspot, a piece of malware used by the SolarWinds attackers to insert the Sunburst malware into the company’s Orion software.

SolarWinds has also revealed a new timeline for the incident and the discovery of two customer support incidents that they believe may be related to the Sunburst malware being deployed on customer infrastructure.

Finally, Kaspersky Lab researchers have discovered several similarities between the Sunburst malware and a backdoor that has been linked to the Turla APT group (widely believed to be sponsored by the Russian state).

New malware discovered

Sudhakar Ramakrishna, SolarWinds’ new CEO, said on Monday that the company is working with their counsel, multinational law firm DLA Piper, cybersecurity company CrowdStrike, advisory firm KPMG, and other industry experts to perform their root cause analysis of the attack, as well as with law enforcement, the intelligence community, governments, and industry colleagues in their investigations.

He shared an attack timeline (compiled according to the most current findings), which revealed the source of the Sunburst malicious code (backdoor) injection into SolarWinds’ Orion platform: a new strain of malware dubbed Sunspot.

According to Crowdstrike researchers, Sunspot was a persistent tool that was deployed into SolarWinds’ build environment to monitor running processes.

“When Sunspot finds an MsBuild.exe process [part of the Microsoft Visual Studio development tools], it will spawn a new thread to determine if the Orion software is being built and, if so, hijack the build operation to inject Sunburst. The monitoring loop executes every second, allowing Sunspot to modify the target source code before it has been read by the compiler,” the researchers explained.

They also shared a number of tactics, techniques and procedures (TTPs) the attackers employed to assure the malware’s persistence, to ensure the code tampering will not cause build errors, and to minimize the possibility of SolarWinds detecting their presence and actions.

Ramakrishna also confirmed that the attackers did a test run in late 2019 to make sure SolarWinds would not detect their future malicious efforts, and revealed that they identified two previous customer support incidents during the attack timeline that may be related to Sunburst.

“We investigated the first in conjunction with our customer and two third-party security companies. At that time, we did not determine the root cause of the suspicious activity or identify the presence of the Sunburst malicious code within our Orion Platform software. The second incident occurred in November, and similarly, we did not identify the presence of the Sunburst malicious code. We are still investigating these incidents and are sharing information related to them with law enforcement to support investigation efforts,” he concluded.

Malware similarities revealed

Kaspersky Lab researchers analyzed the Sunburst malware and found several code similarities when compared with Kazuar, a .NET backdoor first reported by Palo Alto in 2017, which has been linked to the Turla APT group.

The two pieces of malware use the same algorithm to calculate the time the malware lays dormant until making a new C&C server connection, the same hashing algorithm for string obfuscation, and the same algorithm for generating the unique victim identifiers.

“These code overlaps between Kazuar and Sunburst are interesting and represent the first potential identified link to a previously known malware family,” the researchers noted, but added that there are several possible explanations for these similarities (apart from Sunburst having been developed by the same group as Kazuar).

These include the SolarWinds attackers using Kazuar as an inspiration point, both groups getting their malware from the same (third-party) source, Kauzar developers becoming members of the the group behind the SolarWinds hack and, finally, there’s also the possibility that the similarities were introduced on purpose to mislead investigators.

“At the moment, we do not know which one of these options is true. While Kazuar and Sunburst may be related, the nature of this relation is still not clear. We believe it’s important that other researchers around the world also investigate these similarities and attempt to discover more facts about Kazuar and the origin of Sunburst. Further research on this topic can be crucial to connecting the dots,” they concluded.