Texture Top Right Red 03

Sunburst Information

What Happened?

  • FireEye discovered a global intrusion campaign. We are tracking the actors behind this campaign as UNC2452.
  • FireEye discovered a supply chain attack trojanizing SolarWinds Orion business software updates in order to distribute malware that we call "SUNBURST."
  • The attacker's post-compromise activity leverages multiple techniques to evade detection and obscure their activity, but these efforts also offer some opportunities for detection.
  • The campaign is widespread, affecting public and private organizations around the world.
  • FireEye is releasing signatures to detect this threat actor and supply chain attack in the wild. These are found on our public GitHub page. FireEye products and services can help customers detect and block this attack.

SUNBURST FAQs

What are the motivations of this actor?

UNC2452 main motivations are likely espionage by exfiltrating data. So far, no indicators of extorsion or financial crime have been discovered by the actor. Also, the actor leveraged Sunburst malware (see below) and does not have any connotation to known ransomware.

How long has this campaign been active?

The campaign we have uncovered appears to have begun as early as Spring 2020 and is currently ongoing. The campaign is the work of a highly skilled actor, and the operation was conducted with significant operational security. Based on our analysis, the attacks that we believe have been conducted as part of this campaign share certain common elements:

  • Use of malicious SolarWinds update: Inserting malicious code into legitimate software updates for the Orion software that allow an attacker remote access into the victim’s environment.
  • Light malware footprint: Using limited malware to accomplish the mission while avoiding detection.
  • Prioritization of stealth: Going to significant lengths to observe and blend into normal network activity.
  • High OPSEC: Patiently conducting reconnaissance, consistently covering their tracks, and using difficult-to-attribute tools.
Who was affected by this?

This is a global campaign that introduced a compromise into public and private organizations' networks through the software supply chain. At this point in our investigation, we have detected this activity in multiple entities worldwide. The victims have included government, consulting, technology, healthcare, telecom, and oil and gas entities in North America, Europe, Asia, and the Middle East. There may be additional victims in other countries and verticals.

Do you know anything more about this threat actor?

This is a cluster that we are tracking, and the behavior is consistent with nation-state activity. The actors behind this campaign gained access to numerous public and private organizations around the world. They gained access to victims via trojanized updates to SolarWind’s Orion IT monitoring and management software.

FIREEYE FAQs

How did the attackers gain access to your environment?

Based on the latest findings from our investigation, we determined the SolarWinds compromise was the original vector for the attack against FireEye. We believe that this is the initial attack vector after which they used other sophisticated techniques to penetrate and remain hidden in our network. Through the combination of our technology, intelligence, and expertise, we uncovered the SUNBURST campaign.

Who attacked you?

We are tracking the actors behind this campaign as UNC2452. Which references to an “unclassified” group in our intel naming schema.

Does the SolarWinds compromise affect FireEye products?

No. We have already updated our products to detect the known altered SolarWinds binaries. We are also scanning for any traces of activity by this actor and reaching out to customers if we see potential indicators.

How did you detect the intrusion?

The intrusion was detected by monitoring secondary registrations of our Two-Factor authentication and reporting on suspicious behavior.

Customer Briefing Webinar

UNC2452: Highly Evasive Attacker Leverages Supply Chain to Compromise Targets

Contact Us

Have a question for the FireEye team or insights you’d like to share?
Contact us at [email protected].