SolarStorm

Threat Actor Profile Updated 2 months ago
SolarStorm is the name Palo Alto Networks Unit 42 uses for the threat actor behind the 2020 compromise of SolarWinds Orion, a supply-chain attack in which the vendor's build and update process was subverted so that a trojanized, digitally signed Orion DLL (SUNBURST) reached customers through legitimate software updates. The group worked methodically and persistently across the whole intrusion lifecycle: its activity has been traced back to at least August 2019, when the command-and-control infrastructure was being built out, long before the malicious update shipped, which points to careful long-term planning.

In late March 2023 a similar modus operandi was observed against 3CX, a voice over IP (VoIP) vendor: attackers tampered with the software update for the 3CXDesktopApp so that customers received a trojanized build. The resemblance in tradecraft initially raised the question of a link to SolarStorm, but the 3CX intrusion was subsequently attributed to North Korean actors (see the CERT-EU item in the source list below), so the overlap is in technique rather than in attribution. Beyond the trojanized update itself, the full range of initial access vectors SolarStorm used against its victims remains uncertain.

SolarStorm overlaps with the activity other vendors track as APT29, a group also known as Cozy Bear, CozyDuke, NOBELIUM, NobleBaron and Dark Halo; the UNC3524 cluster, which Mandiant tracks separately, has also been noted for tradecraft overlaps with it. That group has targeted embassies with phishing lures such as a purported BMW car sale (the campaign that abused a WinRAR exploit and an Ngrok feature, listed in the sources below).

The SUPERNOVA .NET webshell, found on some Orion servers in the same period, is no longer confidently attributed to SolarStorm: the SUPERNOVA DLL was not digitally signed, whereas the trojanized SUNBURST DLL carried a valid SolarWinds signature, which suggests SUPERNOVA was planted by a different actor. As new information comes to light, Palo Alto Networks and other vendors continue to update their threat briefs on SolarStorm and SUNBURST.
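The signature distinction drawn above (the trojanized SUNBURST DLL was signed, the SUPERNOVA DLL was not) is something a responder can check directly on a suspect binary. The following is an added example, not code from this profile page or from any vendor's tooling: it parses a PE file's headers, locates the IMAGE_DIRECTORY_ENTRY_SECURITY data directory, and reports whether an embedded Authenticode blob (a WIN_CERTIFICATE wrapping PKCS#7 SignedData) is present. The PE bytes it inspects are constructed inline by build_minimal_pe() and are not real SolarWinds or SUPERNOVA binaries; all function names are this example's own.

```python
"""Added example: detect whether a PE file carries an embedded Authenticode
signature. Not from the profile page or any vendor report; the sample PE is
constructed in build_minimal_pe() and is not a real SolarWinds/SUPERNOVA DLL."""
import struct

IMAGE_DIRECTORY_ENTRY_SECURITY = 4      # data-directory slot for the certificate table
PE32_MAGIC = 0x10B
PE32PLUS_MAGIC = 0x20B
WIN_CERT_REVISION_2_0 = 0x0200
WIN_CERT_TYPE_PKCS_SIGNED_DATA = 0x0002


def authenticode_blob(data: bytes):
    """Return the raw WIN_CERTIFICATE blob if the PE has a certificate table,
    None if the file is unsigned. Raises ValueError on malformed input."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("not a DOS/PE file")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("bad PE signature")
    coff = e_lfanew + 4                                   # IMAGE_FILE_HEADER
    opt = coff + 20                                       # IMAGE_OPTIONAL_HEADER
    magic = struct.unpack_from("<H", data, opt)[0]
    if magic == PE32_MAGIC:
        num_dirs_off = opt + 92                           # NumberOfRvaAndSizes (PE32)
    elif magic == PE32PLUS_MAGIC:
        num_dirs_off = opt + 108                          # NumberOfRvaAndSizes (PE32+)
    else:
        raise ValueError("unknown optional-header magic %#x" % magic)
    num_dirs = struct.unpack_from("<I", data, num_dirs_off)[0]
    if num_dirs <= IMAGE_DIRECTORY_ENTRY_SECURITY:
        return None                                       # no certificate-table slot at all
    entry = num_dirs_off + 4 + 8 * IMAGE_DIRECTORY_ENTRY_SECURITY
    sec_off, sec_size = struct.unpack_from("<II", data, entry)
    if sec_off == 0 or sec_size == 0:
        return None                                       # slot present but empty: unsigned
    # Unlike every other directory, the security entry is a raw file offset, not an RVA.
    if sec_off + sec_size > len(data):
        raise ValueError("certificate table points outside the file")
    return data[sec_off:sec_off + sec_size]


def parse_win_certificate(blob: bytes) -> dict:
    """Split a WIN_CERTIFICATE header from its PKCS#7 SignedData payload."""
    length, revision, cert_type = struct.unpack_from("<IHH", blob, 0)
    return {"length": length, "revision": revision, "type": cert_type,
            "pkcs7": blob[8:length]}


def signature_status(data: bytes) -> str:
    """One-line triage verdict: is there an embedded signature at all?"""
    blob = authenticode_blob(data)
    if blob is None:
        return "unsigned"
    cert = parse_win_certificate(blob)
    if cert["type"] != WIN_CERT_TYPE_PKCS_SIGNED_DATA:
        return "embedded certificate of unexpected type %#06x" % cert["type"]
    return "signed: %d-byte PKCS#7 blob present (chain not validated here)" % len(cert["pkcs7"])


def build_minimal_pe(signed: bool) -> bytes:
    """Constructed sample: a header-only PE32+ DLL image, optionally with a
    trailing WIN_CERTIFICATE. Enough to parse, not a loadable binary."""
    dos = b"MZ" + b"\0" * 0x3A + struct.pack("<I", 0x40)  # e_lfanew -> offset 0x40
    coff = struct.pack("<HHIIIHH", 0x8664, 0, 0, 0, 0, 112 + 16 * 8, 0x2022)
    headers_len = 0x40 + 4 + 20 + 112 + 16 * 8
    pkcs7 = b"\x30\x03\x02\x01\x01"      # placeholder DER, not a real SignedData
    win_cert = struct.pack("<IHH", 8 + len(pkcs7), WIN_CERT_REVISION_2_0,
                           WIN_CERT_TYPE_PKCS_SIGNED_DATA) + pkcs7
    dirs = [(0, 0)] * 16
    if signed:
        dirs[IMAGE_DIRECTORY_ENTRY_SECURITY] = (headers_len, len(win_cert))
    opt = struct.pack("<H", PE32PLUS_MAGIC) + b"\0" * 106 + struct.pack("<I", 16)
    opt += b"".join(struct.pack("<II", off, size) for off, size in dirs)
    image = dos + b"PE\0\0" + coff + opt
    return image + (win_cert if signed else b"")


if __name__ == "__main__":
    for label, sample in (("signed-style DLL", build_minimal_pe(True)),
                          ("unsigned DLL", build_minimal_pe(False))):
        print("%-17s %s" % (label, signature_status(sample)))
```

Presence of the blob is a triage signal, not a verdict: SUNBURST's signature was valid because the attackers compromised the vendor's build pipeline, which is exactly what makes a supply-chain compromise dangerous, so an unsigned DLL in a product that ships signed code is anomalous, while a signed one still needs its chain and the signer's identity validated (for example with `signtool verify /pa` or `Get-AuthenticodeSignature` on Windows, or `osslsigncode verify` elsewhere).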
Possible Aliases / Cluster overlaps
It's hard to track cluster overlaps and naming conventions between vendors, so here are some possible overlapping names / profiles you also may want to look at.
ID | Votes | Profile Description
Dark Halo | 1 | Dark Halo, a cyber threat actor identified by cybersecurity company Volexity, has been linked to several significant cyber attacks. This group initially gained notoriety for its exploitation of the SolarWinds Orion software in June and July 2020, which resulted in a major breach of the targeted orga
APT29 | 1 | APT29, also known as Cozy Bear, SVR group, BlueBravo, Nobelium, Midnight Blizzard, and The Dukes, is a threat actor linked to Russia. This group is notorious for its malicious activities in the cybersecurity realm, executing actions with harmful intent. It has been associated with several high-profi
Miscellaneous Associations
Other elements of context that could aid in the identification of relevance
Solarwinds
3cx
Exploit
Webshell
Phishing
Malware
Atom
Associated Malware
ID | Type | Votes | Profile Description
SUNBURST | Unspecified | 1 | SUNBURST is the backdoor that was inserted into SolarWinds Orion; code overlaps with the Kazuar backdoor have been reported, indicating a sophisticated lineage. It is not the same malware as the tooling of OilRig, xHunt, DarkHydrus, or Decoy Dog, but, like those campaigns, it employed DNS tunneling techniques for command and control (C2) communicat
Cobalt Strike Beacon | Unspecified | 1 | Cobalt Strike Beacon is the post-exploitation payload of the commercial Cobalt Strike adversary-emulation framework, widely abused by criminal and state-sponsored intrusion sets for command and control, credential theft, lateral movement, and staging of further payloads such as ransomware. Beacon has been loaded by HUI Loader through various files such as mpc.tmp, dlp.ini, vmtools.ini, and an
SUPERNOVA | Unspecified | 1 | SUPERNOVA is a novel .NET webshell found on some SolarWinds Orion servers during the SolarWinds compromise and analyzed in detail by Palo Alto Networks Unit 42. It stands out for its in-memory execution, the sophistication of its parameters and execution, and its flexibility: rather than running fixed commands, it exposes a full programmatic API to the .NET runtime. This webshell compiles parameters on
Associated Threat Actors
ID | Type | Votes | Profile Description
No associations to display
Associated Vulnerabilities
ID | Type | Votes | Profile Description
No associations to display
Source Document References
Information about the SolarStorm threat actor was read from the documents corpus below (this display is limited to 20 results).
Source | Created | Title
Unit42 | 2 months ago | Leveraging DNS Tunneling for Tracking and Scanning
Unit42 | 9 months ago | Understanding DNS Tunneling Traffic in the Wild
CERT-EU | 8 months ago | Russian hackers use Ngrok feature and WinRAR exploit to attack embassies
MITRE | a year ago | SUPERNOVA: A Novel .NET Webshell
CERT-EU | a year ago | The Week in Security: 3CX attackers identified as North Korean, CISA pushes Secure by Design
MITRE | 7 months ago | SolarStorm Supply Chain Attack Timeline