S0559 SUNBURST

SUNBURST is a trojanized DLL designed to fit within the SolarWinds Orion software update framework. It was used by APT29 since at least February 2020. [3][2]

Item Value
ID S0559
Associated Names Solorigate
Type MALWARE
Version 2.4
Created 05 January 2021
Last Modified 27 March 2023

Associated Software Descriptions

Name Description
Solorigate [2]

Techniques Used

Domain ID Name Use
enterprise T1071 Application Layer Protocol -
enterprise T1071.001 Web Protocols SUNBURST communicated via HTTP GET or HTTP POST requests to third-party servers for C2. [1]
enterprise T1071.004 DNS SUNBURST used DNS for C2 traffic designed to mimic normal SolarWinds API communications. [1]
enterprise T1059 Command and Scripting Interpreter -
enterprise T1059.005 Visual Basic SUNBURST used VBScripts to initiate the execution of payloads. [2]
enterprise T1132 Data Encoding -
enterprise T1132.001 Standard Encoding SUNBURST used Base64 encoding in its C2 traffic. [1]
enterprise T1005 Data from Local System SUNBURST collected information from a compromised host. [4][1]
enterprise T1001 Data Obfuscation -
enterprise T1001.001 Junk Data SUNBURST added junk bytes to its C2 over HTTP. [1]
enterprise T1001.002 Steganography SUNBURST C2 data was formatted to appear as benign XML related to .NET assemblies or as a faux JSON blob. [1][6][7]
enterprise T1001.003 Protocol Impersonation SUNBURST masqueraded its network traffic as the Orion Improvement Program (OIP) protocol. [1]
enterprise T1568 Dynamic Resolution SUNBURST dynamically resolved C2 infrastructure by querying randomly generated subdomains within a parent domain. [1]
enterprise T1573 Encrypted Channel -
enterprise T1573.001 Symmetric Cryptography SUNBURST encrypted C2 traffic using a single-byte XOR cipher. [1]
enterprise T1546 Event Triggered Execution -
enterprise T1546.012 Image File Execution Options Injection SUNBURST created an Image File Execution Options (IFEO) Debugger registry value for the process dllhost.exe to trigger the installation of Cobalt Strike. [2]
enterprise T1083 File and Directory Discovery SUNBURST had commands to enumerate files and directories. [1][4]
enterprise T1562 Impair Defenses -
enterprise T1562.001 Disable or Modify Tools SUNBURST attempted to disable security software services after matching their names against a hardcoded blocklist of FNV-1a + XOR hashes. [6]
enterprise T1070 Indicator Removal SUNBURST removed HTTP proxy registry values to clean up traces of execution. [2]
enterprise T1070.004 File Deletion SUNBURST had a command to delete files. [1][4]
enterprise T1070.007 Clear Network Connection History and Configurations SUNBURST also removed the firewall rules it created during execution. [2]
enterprise T1070.009 Clear Persistence SUNBURST removed IFEO registry values to clean up traces of persistence. [2]
enterprise T1105 Ingress Tool Transfer SUNBURST delivered different payloads, including TEARDROP in at least one instance. [1]
enterprise T1036 Masquerading -
enterprise T1036.005 Match Legitimate Name or Location SUNBURST created VBScripts that were named after existing services or folders to blend into legitimate activity. [2]
enterprise T1112 Modify Registry SUNBURST had commands that allow an attacker to write or delete registry keys, and was observed stopping services by setting their HKLM\SYSTEM\CurrentControlSet\Services\[service_name]\Start registry entries to 4 (SERVICE_DISABLED). [1][4] It also deleted previously created Image File Execution Options (IFEO) Debugger registry values and registry keys related to HTTP proxy settings to clean up traces of its activity. [2]
enterprise T1027 Obfuscated Files or Information SUNBURST strings were compressed and encoded in Base64. [4] SUNBURST also obfuscated collected system information using an FNV-1a + XOR algorithm. [1]
enterprise T1027.005 Indicator Removal from Tools SUNBURST source code used generic variable names and pre-obfuscated strings, and was likely sanitized of developer comments before being inserted into the Orion build by SUNSPOT. [5]
enterprise T1057 Process Discovery SUNBURST collected a list of process names, hashed them with an FNV-1a + XOR algorithm, and checked the results against similarly hashed hardcoded blocklists. [1]
enterprise T1012 Query Registry SUNBURST collected the registry value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\MachineGuid from compromised hosts. [1]
enterprise T1518 Software Discovery -
enterprise T1518.001 Security Software Discovery SUNBURST checked for a variety of antivirus/endpoint detection agents prior to execution. [4][6]
enterprise T1553 Subvert Trust Controls -
enterprise T1553.002 Code Signing SUNBURST was digitally signed by SolarWinds from March through May 2020. [1]
enterprise T1218 System Binary Proxy Execution -
enterprise T1218.011 Rundll32 SUNBURST used Rundll32 to execute payloads. [2]
enterprise T1082 System Information Discovery SUNBURST collected hostname, OS version, and device uptime. [1][4]
enterprise T1016 System Network Configuration Discovery SUNBURST collected the MAC addresses of all network interfaces that are up and not loopback devices, as well as IP address, DHCP configuration, and domain information. [1]
enterprise T1033 System Owner/User Discovery SUNBURST collected the username from a compromised host. [1][4]
enterprise T1007 System Service Discovery SUNBURST collected a list of service names, hashed them with an FNV-1a + XOR algorithm, and checked the results against similarly hashed hardcoded blocklists. [1]
enterprise T1497 Virtualization/Sandbox Evasion -
enterprise T1497.001 System Checks SUNBURST checked the domain name of the compromised host to verify it was running in a real environment. [4]
enterprise T1497.003 Time Based Evasion SUNBURST remained dormant after initial access for a period of up to two weeks. [1]
enterprise T1047 Windows Management Instrumentation SUNBURST used the WMI query "Select * From Win32_SystemDriver" to retrieve a driver listing. [1]
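The FNV-1a + XOR hashing that several rows above rely on (T1562.001, T1057, T1007, T1027) is what lets the sample carry its process, service and driver blocklists without the plaintext names. The following is an added example written for this page, not code from SUNBURST, SolarWinds or the cited reports: it implements standard 64-bit FNV-1a, applies the XOR key reported in the FireEye analysis [1], and shows both the malware-side blocklist check and the defender-side recovery of names by brute force. Lowercasing the name before hashing, the blocklist names and the candidate list are all assumptions or constructed inputs.

```python
"""FNV-1a (64-bit) + XOR name hashing of the kind SUNBURST used for its
blocklists. Added example; not the sample's own code. The blocklist entries
are CONSTRUCTED from made-up names so the script runs offline."""

FNV64_OFFSET = 0xCBF29CE484222325
FNV64_PRIME = 0x100000001B3
MASK64 = (1 << 64) - 1
SUNBURST_XOR_KEY = 6605813339339102567  # XOR key reported in FireEye's analysis [1]


def fnv1a64(data: bytes) -> int:
    """Standard 64-bit FNV-1a: XOR each byte into the state, then multiply by the prime."""
    h = FNV64_OFFSET
    for b in data:
        h ^= b
        h = (h * FNV64_PRIME) & MASK64
    return h


def sunburst_hash(name: str, key: int = SUNBURST_XOR_KEY) -> int:
    """Hash a process/service/driver name as the blocklist check does:
    lowercase (assumption), UTF-8 encode, FNV-1a 64, then XOR with the key.
    The XOR step does not add strength; it only breaks naive FNV lookup tables."""
    return fnv1a64(name.lower().encode("utf-8")) ^ key


# Constructed blocklist of made-up names; the real list is not reproduced here.
BLOCKLIST_NAMES = ["exampleav", "exampleedr-svc", "sandboxmon"]
BLOCKLIST_HASHES = {sunburst_hash(n) for n in BLOCKLIST_NAMES}


def is_blocklisted(name: str) -> bool:
    """Malware-side check: is this running process/service on the hashed blocklist?"""
    return sunburst_hash(name) in BLOCKLIST_HASHES


def recover_names(hashes, candidates):
    """Defender-side: reverse a hashed blocklist by hashing a candidate wordlist
    (e.g. known security product process and service names) and matching."""
    table = {sunburst_hash(c): c for c in candidates}
    return {h: table[h] for h in hashes if h in table}


if __name__ == "__main__":
    print(hex(fnv1a64(b"a")))  # standard FNV-1a 64 test vector
    print(is_blocklisted("ExampleAV"), is_blocklisted("svchost"))
    print(recover_names(BLOCKLIST_HASHES, ["svchost", "exampleav", "sandboxmon"]))
```

Because FNV-1a is a non-cryptographic hash and the XOR key is a fixed constant, the blocklist is only obscured, not protected: a wordlist of security product binaries and service names recovers it in well under a second, which is exactly how the public analyses enumerated what the sample avoids.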
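The registry rows above describe a set-then-remove pattern: an IFEO Debugger value for dllhost.exe (T1546.012), services disabled by writing Start=4 (T1112), and later deletion of the IFEO and HTTP proxy values (T1070.009, T1070). The following is an added detection sketch written for this page, not from the cited reports, that triages that pattern over registry telemetry. The events are constructed in a Sysmon-like shape (EventID 12 for object create/delete, EventID 13 for value set) and the hostnames, paths, service names and timestamps are invented.

```python
"""Triage of registry telemetry for SUNBURST-style IFEO persistence, service
disabling and cleanup. Added example; events are CONSTRUCTED, not real data."""

import re

IFEO_RE = re.compile(r"\\Image File Execution Options\\(?P<image>[^\\]+)\\Debugger$", re.I)
SVC_START_RE = re.compile(r"\\CurrentControlSet\\Services\\(?P<svc>[^\\]+)\\Start$", re.I)
PROXY_RE = re.compile(r"\\Internet Settings\\(?P<value>Proxy(?:Server|Enable|Override))$", re.I)
SERVICE_DISABLED = "DWORD (0x00000004)"  # how Sysmon renders a Start value of 4

IFEO_KEY = "HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options"
PROXY_KEY = "HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings"
ORION = "C:\\Program Files\\SolarWinds\\Orion\\SolarWinds.BusinessLayerHost.exe"  # invented path

SAMPLE_EVENTS = [  # constructed, not real telemetry
    {"t": 100, "host": "orion01", "EventID": 13, "EventType": "SetValue", "Image": ORION,
     "TargetObject": "HKLM\\SYSTEM\\CurrentControlSet\\Services\\ExampleEdrSvc\\Start",
     "Details": "DWORD (0x00000004)"},
    {"t": 160, "host": "orion01", "EventID": 13, "EventType": "SetValue", "Image": ORION,
     "TargetObject": IFEO_KEY + "\\dllhost.exe\\Debugger",
     "Details": "wscript.exe C:\\Windows\\Temp\\example.vbs"},
    {"t": 170, "host": "orion01", "EventID": 13, "EventType": "SetValue", "Image": ORION,
     "TargetObject": PROXY_KEY + "\\ProxyServer", "Details": "127.0.0.1:8080"},
    {"t": 900, "host": "orion01", "EventID": 12, "EventType": "DeleteValue", "Image": ORION,
     "TargetObject": IFEO_KEY + "\\dllhost.exe\\Debugger"},
    {"t": 905, "host": "orion01", "EventID": 12, "EventType": "DeleteValue", "Image": ORION,
     "TargetObject": PROXY_KEY + "\\ProxyServer"},
    {"t": 950, "host": "ws42", "EventID": 13, "EventType": "SetValue",
     "Image": "C:\\Windows\\regedit.exe",
     "TargetObject": "HKLM\\SYSTEM\\CurrentControlSet\\Services\\Spooler\\Start",
     "Details": "DWORD (0x00000002)"},  # benign: auto-start, not disabled
]


def triage(events):
    """Return (rule, host, subject, detail) findings in time order.
    A deletion is reported as cleanup only when the same host set that value
    earlier in the stream; detail is then the seconds between set and delete."""
    findings = []
    set_at = {}  # (host, lowercased target) -> time of most recent SetValue
    for ev in sorted(events, key=lambda e: e["t"]):
        host, target = ev["host"], ev["TargetObject"]
        key = (host, target.lower())
        is_set = ev["EventID"] == 13
        is_del = ev["EventID"] == 12 and ev["EventType"] == "DeleteValue"
        if is_set:
            set_at[key] = ev["t"]

        ifeo = IFEO_RE.search(target)
        if ifeo and is_set:  # any Debugger value is worth a look; dllhost.exe especially
            findings.append(("ifeo_debugger_set", host, ifeo.group("image").lower(), ev.get("Details")))
        elif ifeo and is_del and key in set_at:
            findings.append(("ifeo_debugger_cleanup", host, ifeo.group("image").lower(),
                             ev["t"] - set_at[key]))

        svc = SVC_START_RE.search(target)
        if svc and is_set and ev.get("Details") == SERVICE_DISABLED:
            findings.append(("service_disabled", host, svc.group("svc"), ev.get("Image")))

        proxy = PROXY_RE.search(target)
        if proxy and is_del and key in set_at:
            findings.append(("proxy_value_cleanup", host, proxy.group("value"), ev["t"] - set_at[key]))
    return findings


def rules_for_host(events, host):
    """Distinct rules that fired for one host, for a quick per-host summary."""
    return sorted({f[0] for f in triage(events) if f[1] == host})


if __name__ == "__main__":
    for finding in triage(SAMPLE_EVENTS):
        print(finding)
```

Two design points: the Start=4 rule keys on the value written rather than on a list of security product service names, so it does not depend on knowing the sample's blocklist, and the cleanup rules fire only on a delete that follows a set from the same host, which separates the malware's own tidy-up from an administrator removing a stale value. In production the writing process (the Image field) is the strongest pivot: a SolarWinds business layer host touching IFEO or service Start values is not expected behaviour.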

Groups That Use This Software

ID Name References
G0016 APT29 [1][9][10][12][13][11]

References

  1. FireEye. (2020, December 13). Highly Evasive Attacker Leverages SolarWinds Supply Chain to Compromise Multiple Global Victims With SUNBURST Backdoor. Retrieved January 4, 2021.

  2. MSTIC, CDOC, 365 Defender Research Team. (2021, January 20). Deep dive into the Solorigate second-stage activation: From SUNBURST to TEARDROP and Raindrop. Retrieved January 22, 2021.

  3. Sudhakar Ramakrishna. (2021, January 11). New Findings From Our Investigation of SUNBURST. Retrieved January 13, 2021.

  4. MSTIC. (2020, December 18). Analyzing Solorigate, the compromised DLL file that started a sophisticated cyberattack, and how Microsoft Defender helps protect customers. Retrieved January 5, 2021.

  5. CrowdStrike Intelligence Team. (2021, January 11). SUNSPOT: An Implant in the Build Process. Retrieved January 11, 2021.

  6. Stephen Eckels, Jay Smith, William Ballenthin. (2020, December 24). SUNBURST Additional Technical Details. Retrieved January 6, 2021.

  7. Symantec Threat Hunter Team. (2021, January 22). SolarWinds: How Sunburst Sends Data Back to the Attackers. Retrieved January 22, 2021.

  8. Check Point Research. (2020, December 22). SUNBURST, TEARDROP and the NetSec New Normal. Retrieved January 6, 2021.

  9. Microsoft Threat Intelligence Center (MSTIC). (2021, May 27). New sophisticated email-based attack from NOBELIUM. Retrieved May 28, 2021.

  10. Secureworks CTU. (n.d.). IRON RITUAL. Retrieved February 24, 2022.

  11. Mandiant. (2022, April 27). Assembling the Russian Nesting Doll: UNC2452 Merged into APT29. Retrieved March 26, 2023.

  12. NSA, FBI, DHS. (2021, April 15). Russian SVR Targets U.S. and Allied Networks. Retrieved April 16, 2021.

  13. UK NCSC. (2021, April 15). UK and US call out Russia for SolarWinds compromise. Retrieved April 16, 2021.