Cyber-security firm CrowdStrike, one of the companies directly involved in investigating the SolarWinds supply chain attack, said today it identified a third malware strain directly involved in the recent hack.
Named Sunspot, this finding adds to the previously discovered Sunburst (Solorigate) and Teardrop malware strains.
But while Sunspot is the latest discovery in the SolarWinds hack, Crowdstrike said the malware was actually the first one used.
Sunspot malware ran on SolarWinds’ build server
In a report published today, Crowdstrike said that Sunspot was deployed in September 2019, when hackers first breached SolarWinds’ internal network.
The Sunspot malware was installed on SolarWinds build server, a type of software used by developers to assemble smaller components into larger software applications.
CrowdStrike said Sunspot had one singular purpose — namely, to watch the build server for build commands that assembled Orion, one of SolarWinds’ top products, an IT resources monitoring platform used by more than 33,000 customers across the globe.
Once a build command was detected, the malware would silently replace source code files inside the Orion app with files that loaded the Sunburst malware, resulting in Orion app versions that also installed the Sunburst malware.
Timeline of the SolarWinds supply chain attack
These trojanized Orion clients eventually made their way one SolarWinds’ official update servers and were installed on the networks of the company’s many customers.
Once this happened, the Sunburst malware would activate inside internal networks of companies and government agencies, where it would collect data on its victims and then send the information back to the SolarWinds hackers (see this Symantec report about how data was sent back via DNS request).
Threat actors would then decide if a victim was important enough to compromise and would deploy the more powerful Teardrop backdoor trojan on these systems while, at the same time, instruct Sunburst to delete itself from networks it deemed insignificant or too high risk.
However, the revelation that a third malware strain was discovered in the SolarWinds…