Sunburst & UNC2452

Solarwinds Breach Resource Center

Since discovering the global intrusion campaign to distribute malware known as Sunburst and UNC2452, FireEye is committed to supporting our customers and the cyber security community with free resources, tools and services to help you detect and successfully block this threat.

Solarwinds Breach Timeline

Recommended Solutions

Threat Intelligence & Compromise Assessment


Mandiant Advantage

Organizations currently running SolarWinds Orion need to determine whether they have been compromised by the Sunburst backdoor and look for further evidence of attacker activity. Mandiant Advantage is an accessible threat intelligence web platform offering vendor-agnostic insight that can make this process easier.

  • UNC2452 Actor Overview
  • Sunburst Malware Overview
  • Teardrop Malware Overview
  • and much more...

Mandiant Compromise Assessment

Get a comprehensive analysis of your environment by Mandiant experts to uncover any impact from Sunburst. This assessment focuses on finding evidence of past and ongoing compromise with the help of proprietary technology, a deep library of indicators of compromise, and network forensics.

  • Attacker activity report
  • Endpoint, network, log analysis
  • Compromised systems report
  • and much more...

Free Resources

Open-source GitHub repositories with Sunburst threat detection signatures

We’ve made these FireEye resources free to the public to help you detect any indicators of UNC2452 or Sunburst-related activity. For a detailed description of the techniques used by UNC2452, see our blog and additional technical details.

Mandiant Azure AD Investigator

This repository contains a PowerShell module for detecting artifacts that may be indicators of UNC2452 and other threat actor activity.

FireEye Red Team Tool Countermeasures

This repository includes rules categorized as production and supplemental release states in Snort, Yara, ClamAV, and HXIOC.

FireEye Mandiant Sunburst Countermeasures

This repository includes rules categorized as production and supplemental release states in Snort, Yara, ClamAV, and HXIOC.

Frequently Asked Questions

What is Sunburst?

This is a threat actor cluster that we are tracking, and its behavior is consistent with nation-state activity. The actors behind this campaign gained access to numerous public and private organizations around the world. They gained access to victims via trojanized updates to SolarWinds' Orion IT monitoring and management software.

What are the motivations of this actor?

UNC2452's main motivation is likely espionage through data exfiltration. So far, no indicators of extortion or financial crime by the actor have been discovered. The actor leveraged the Sunburst malware (see above) and has no known connection to ransomware.

What is the timeline of activity?

The campaign we have uncovered appears to have begun as early as Spring 2020 and is currently ongoing. It is the work of a highly skilled actor, and the operation was conducted with significant operational security. Based on our analysis, the attacks we believe were conducted as part of this campaign share certain common elements.

Who is responsible for this?

We are tracking the actors behind this campaign as UNC2452; the "UNC" prefix denotes an “uncategorized” group in our intel naming schema.

Who was affected by this?

This is a global campaign that introduced a compromise into public and private organizations' networks through the software supply chain. At this point in our investigation, we have detected this activity in multiple entities worldwide. The victims have included government, consulting, technology, healthcare, telecom, and oil and gas entities in North America, Europe, Asia, and the Middle East. There may be additional victims in other countries and verticals.

How did this affect FireEye?

Based on the latest findings from our investigation, we determined that the SolarWinds compromise was the original vector for the attack against FireEye. We believe this was the initial attack vector, after which the actor used other sophisticated techniques to penetrate our network and remain hidden in it. Through the combination of our technology, intelligence, and expertise, we uncovered the SUNBURST campaign.

Does this affect FireEye products?

No. We have already updated our products to detect the known altered SolarWinds binaries. We are also scanning for any traces of activity by this actor and reaching out to customers if we see potential indicators.

How was the intrusion detected?

The intrusion was detected by monitoring secondary device registrations in our two-factor authentication system and reporting on the suspicious behavior.
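A defender's version of that signal, written here as an added example rather than FireEye's own detection logic: it scans constructed MFA enrollment log lines (the line format, user names and addresses are all assumed) and raises an alert whenever an account registers an additional device, noting whether the request came from outside an assumed trusted address range.

```python
# Added example (not FireEye's detection logic): flag accounts that register a
# second MFA device, the signal the FAQ above says exposed the intrusion.
# The log format and every value below are constructed for this demo.
from collections import defaultdict

# Constructed sample of enrollment events: timestamp, then key=value fields.
SAMPLE_LOG = """\
2020-12-01T08:02:11Z user=alice event=mfa_device_registered device=phone-01 src=10.1.1.20
2020-12-01T09:15:42Z user=bob event=mfa_device_registered device=phone-07 src=10.1.1.31
2020-12-03T22:47:05Z user=alice event=mfa_device_registered device=phone-93 src=203.0.113.9
2020-12-04T10:00:00Z user=bob event=login_success src=10.1.1.31
"""


def parse_event(line):
    """Parse one 'ts key=value ...' line into a dict; the timestamp is stored under 'ts'."""
    ts, *fields = line.split()
    event = {"ts": ts}
    for field in fields:
        key, _, value = field.partition("=")
        event[key] = value
    return event


def find_secondary_registrations(log_text, trusted_prefixes=("10.",)):
    """Return one alert per MFA device registered for a user who already had one.

    trusted_prefixes is an assumed allow-list of internal address prefixes; a
    registration from any other source is additionally marked untrusted_source.
    """
    seen_devices = defaultdict(list)  # user -> devices registered so far
    alerts = []
    for line in log_text.splitlines():
        ev = parse_event(line)
        if ev.get("event") != "mfa_device_registered":
            continue
        user = ev["user"]
        if seen_devices[user]:  # not the first device: a secondary registration
            alerts.append({
                "ts": ev["ts"], "user": user, "device": ev["device"], "src": ev["src"],
                "prior_devices": list(seen_devices[user]),
                "untrusted_source": not ev["src"].startswith(trusted_prefixes),
            })
        seen_devices[user].append(ev["device"])
    return alerts


if __name__ == "__main__":
    for alert in find_secondary_registrations(SAMPLE_LOG):
        print(alert)
```

On the constructed log this yields a single alert for alice's second device, registered from an address outside the trusted range.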

Still looking for something?

If you think you have been affected by the SolarWinds breach, don’t hesitate to reach out and connect with one of our experts.

Contact

Connect with us and we can help you understand and solve a specific problem.


Resources

Recent Updates

UNC2452: Highly Evasive Attacker Leverages Supply Chain to Compromise Targets (Webinar)

Updates for customers and the broader cybersecurity community on the steps to take to defend against the attacks seen during this global campaign.