SolarStorm

Threat Actor updated 4 months ago (2024-05-13T16:17:33.962Z)
SolarStorm is a threat actor group known for executing actions with malicious intent. Notable among their operations was the 2020 attack on SolarWinds Orion software, a sophisticated supply-chain attack that compromised the company's software updates, resulting in malware being served to its customer base. The group has demonstrated a tactical and persistent approach throughout its entire attack cycle. SolarStorm's activities were traced back to as early as August 2019, during the infrastructure build-out phase of the operation, indicating a high level of planning and execution.

In late March, a similar modus operandi was observed in an attack on 3CX, a Voice over IP (VoIP) solution. In this incident, previously unknown malicious actors tampered with the company's software update for its 3CXDesktopApp. The similarity in execution to the SolarStorm attack on SolarWinds suggests a possible link between these threat actors. However, there is still uncertainty about the full range of initial access vectors used by SolarStorm beyond the already compromised software.

SolarStorm is also associated with APT29, a group tracked under various names including UNC3524, NobleBaron, Dark Halo, NOBELIUM, Cozy Bear, and CozyDuke. This group has been known to target embassy entities using various lures, such as a BMW car sale. However, the association of the SUPERNOVA webshell with SolarStorm is now questionable because the SUPERNOVA .dll is not digitally signed, unlike the SUNBURST .dll. As new information comes to light, cybersecurity firms like Palo Alto Networks continue to update their threat briefs on SolarStorm and SUNBURST, ensuring customers are protected from this evolving threat.
Description last updated: 2024-05-13T15:19:25.454Z
Aliases We are not currently tracking any aliases
Source Document References
Information about the SolarStorm threat actor was read from the source documents listed below.
Source (created): Title
Unit42 (4 months ago): Leveraging DNS Tunneling for Tracking and Scanning
Unit42 (a year ago): Understanding DNS Tunneling Traffic in the Wild
CERT-EU (10 months ago): Russian hackers use Ngrok feature and WinRAR exploit to attack embassies
MITRE (2 years ago): SUPERNOVA: A Novel .NET Webshell
CERT-EU (a year ago): The Week in Security: 3CX attackers identified as North Korean, CISA pushes Secure by Design
MITRE (9 months ago): SolarStorm Supply Chain Attack Timeline