S0562 SUNSPOT
SUNSPOT is an implant that injected the SUNBURST backdoor into the SolarWinds Orion software update framework. It was used by APT29 since at least February 2020.[1]
Item | Value |
---|---|
ID | S0562 |
Associated Names | |
Type | MALWARE |
Version | 1.2 |
Created | 12 January 2021 |
Last Modified | 27 March 2023 |
Techniques Used
Domain | ID | Name | Use |
---|---|---|---|
enterprise | T1134 | Access Token Manipulation | SUNSPOT modified its security token to grant itself debugging privileges by adding SeDebugPrivilege.[1] |
enterprise | T1565 | Data Manipulation | - |
enterprise | T1565.001 | Stored Data Manipulation | SUNSPOT created a copy of the SolarWinds Orion software source file with a .bk extension to back up the original content, wrote SUNBURST using the same filename but with a .tmp extension, and then moved SUNBURST using MoveFileEx to the original filename with a .cs extension so it would be compiled into the Orion software.[1] |
enterprise | T1140 | Deobfuscate/Decode Files or Information | SUNSPOT decrypted SUNBURST, which was stored in AES128-CBC encrypted blobs.[1] |
enterprise | T1480 | Execution Guardrails | SUNSPOT only replaced SolarWinds Orion source code if the MD5 checksums of both the original source code file and the backdoored replacement source code matched hardcoded values.[1] |
enterprise | T1083 | File and Directory Discovery | SUNSPOT enumerated the Orion software Visual Studio solution directory path.[1] |
enterprise | T1070 | Indicator Removal | - |
enterprise | T1070.004 | File Deletion | Following the successful injection of SUNBURST, SUNSPOT deleted a temporary file it had created named InventoryManager.bk after restoring the original SolarWinds Orion source code to the software library.[1] |
enterprise | T1036 | Masquerading | - |
enterprise | T1036.005 | Match Legitimate Name or Location | SUNSPOT was identified on disk with the filename taskhostsvc.exe, and it created an encrypted log file at C:\Windows\Temp\vmware-vmdmp.log.[1] |
enterprise | T1106 | Native API | SUNSPOT used Windows API functions such as MoveFileEx and NtQueryInformationProcess as part of the SUNBURST injection process.[1] |
enterprise | T1027 | Obfuscated Files or Information | SUNSPOT encrypted the log entries it collected with the stream cipher RC4 using a hard-coded key. It also used AES128-CBC encrypted blobs for the SUNBURST source code and for data extracted from the SolarWinds Orion MsBuild.exe process.[1] |
enterprise | T1057 | Process Discovery | SUNSPOT monitored running processes for instances of MsBuild.exe by hashing the name of each running process and comparing it to the hardcoded value 0x53D525. It also extracted the command line and individual arguments from the running MsBuild.exe process to identify the directory path of the Orion software Visual Studio solution.[1] |
enterprise | T1195 | Supply Chain Compromise | - |
enterprise | T1195.002 | Compromise Software Supply Chain | SUNSPOT malware was designed and used to insert SUNBURST into software builds of the SolarWinds Orion IT management product.[1] |
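A defender-side check for the file sequence described under T1565.001 and T1070.004 above, as an added example that is not MITRE's or CrowdStrike's code: it scans constructed file events from a build host for the backup (.bk), write (.tmp), rename-to-.cs, delete-.bk pattern on a single source file name. The event format and the paths are assumptions.

```python
"""Flag a SUNSPOT-style source-file swap in file-event records (added example)."""
from collections import defaultdict

# Constructed sample events: (op, path[, new_path]). Paths are hypothetical.
SAMPLE_EVENTS = [
    ("create", r"C:\Orion\src\InventoryManager.bk"),
    ("write", r"C:\Orion\src\InventoryManager.tmp"),
    ("rename", r"C:\Orion\src\InventoryManager.tmp", r"C:\Orion\src\InventoryManager.cs"),
    ("delete", r"C:\Orion\src\InventoryManager.bk"),
    ("write", r"C:\Orion\src\Other.cs"),
    ("create", r"C:\Orion\src\Other.bk"),  # a backup on its own is not suspicious
]


def split_path(path):
    """Return (directory, base name without extension, extension), lower-cased."""
    directory, name = path.replace("\\", "/").rsplit("/", 1)
    base, _, ext = name.rpartition(".")
    return directory.lower(), base.lower(), ext.lower()


def find_source_swaps(events):
    """Return sorted 'dir/base' keys on which the swap sequence completed.

    Stages, each required to follow the previous one for the same base name:
      1 .bk created, 2 .tmp written, 3 .tmp renamed to .cs, 4 .bk deleted.
    Stage 3 means the build would compile the substituted file, so it is
    reported; stage 4 is the cleanup seen in the SUNSPOT case.
    """
    stage = defaultdict(int)  # key -> highest stage reached in order
    for event in events:
        op, path = event[0], event[1]
        directory, base, ext = split_path(path)
        key = f"{directory}/{base}"
        current = stage[key]
        if op == "create" and ext == "bk" and current == 0:
            stage[key] = 1
        elif op == "write" and ext == "tmp" and current == 1:
            stage[key] = 2
        elif op == "rename" and ext == "tmp" and current == 2:
            _, new_base, new_ext = split_path(event[2])
            if new_base == base and new_ext == "cs":
                stage[key] = 3
        elif op == "delete" and ext == "bk" and current == 3:
            stage[key] = 4
    return sorted(key for key, reached in stage.items() if reached >= 3)


if __name__ == "__main__":
    for hit in find_source_swaps(SAMPLE_EVENTS):
        print("possible build-time source swap:", hit)
```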
Groups That Use This Software
ID | Name | References |
---|---|---|
G0016 | APT29 | [1], [2], [4], [5], [3] |
References
- [1] CrowdStrike Intelligence Team. (2021, January 11). SUNSPOT: An Implant in the Build Process. Retrieved January 11, 2021.
- [2] MSTIC. (2021, May 28). Breaking down NOBELIUM's latest early-stage toolset. Retrieved August 4, 2021.
- [3] Mandiant. (2020, April 27). Assembling the Russian Nesting Doll: UNC2452 Merged into APT29. Retrieved March 26, 2023.
- [4] NSA, FBI, DHS. (2021, April 15). Russian SVR Targets U.S. and Allied Networks. Retrieved April 16, 2021.
- [5] UK NCSC. (2021, April 15). UK and US call out Russia for SolarWinds compromise. Retrieved April 16, 2021.