What are the motivations of this actor?
UNC2452's main motivation is likely espionage, carried out by exfiltrating data.
So far, no indicators of extortion or other financial crime have been
attributed to the actor. The actor also leveraged the Sunburst malware
(see below) and has no known connection to ransomware.
How long has this campaign been active?
The campaign we have uncovered appears to have begun as early as
Spring 2020 and is currently ongoing. The campaign is the work of a
highly skilled actor, and the operation was conducted with significant
operational security. Based on our analysis, the attacks that we
believe have been conducted as part of this campaign share certain
Use of malicious SolarWinds update: Inserting malicious code
into legitimate software updates for the Orion software that allow
an attacker remote access to the victim’s environment.
Light malware footprint: Using limited malware to accomplish
the mission while avoiding detection.
Prioritization of stealth: Going to significant lengths to
observe and blend into normal network activity.
High OPSEC: Patiently conducting reconnaissance, consistently
covering their tracks, and using difficult-to-attribute tools.
Who was affected by this?
This is a global campaign that introduced a compromise into public
and private organizations' networks through the software supply chain.
At this point in our investigation, we have detected this activity in
multiple entities worldwide. The victims have included government,
consulting, technology, healthcare, telecom, and oil and gas entities
in North America, Europe, Asia, and the Middle East. There may be
additional victims in other countries and verticals.
Do you know anything more about this threat actor?
This is a cluster that we are tracking, and the behavior is
consistent with nation-state activity. The actors behind this campaign
gained access to numerous public and private organizations around the
world. They gained access to victims via trojanized updates to
SolarWinds’ Orion IT monitoring and management software.