SolarStorm

Threat Actor updated 23 days ago (2024-10-04T23:00:58.444Z)
SolarStorm is a threat actor involved in software supply-chain attacks. The group, also tracked as APT29, UNC3524, NobleBaron, Dark Halo, NOBELIUM, Cozy Bear, and CozyDuke, has been particularly active in targeting embassy entities using various lures, including BMW car sales. The cybersecurity industry recognizes SolarStorm for its tactical and persistent methods of operation throughout the entire attack cycle.

In 2020, SolarStorm was implicated in a significant attack on SolarWinds Orion software, demonstrating its capacity to compromise and manipulate software supply chains. In March, a similar attack was discovered targeting 3CX, a voice over IP (VoIP) solution. In this instance, unknown malicious actors tampered with a software update for the 3CXDesktopApp, resulting in malware being served to the company's customer base. These incidents highlight the sophisticated nature of SolarStorm's operations and the potential risks they pose to digital infrastructure.

However, there are some uncertainties regarding SolarStorm's activities. For example, the association between the SUPERNOVA webshell and the SolarStorm actors is questionable due to differences in digital signatures. Furthermore, while it is clear that SolarStorm is capable of utilizing various techniques to accomplish its goals, details on initial access vectors beyond the compromised SolarStorm software have not yet been confirmed. As new information emerges, Palo Alto Networks continues to monitor and protect against this threat, updating its Threat Brief on SolarStorm and SUNBURST accordingly.
Description last updated: 2024-10-04T22:16:35.421Z
Aliases
We are not currently tracking any aliases.
Miscellaneous Associations
Other elements of context that could aid in the identification of relevance
Source Document References
Information about the SolarStorm Threat Actor was read from the documents corpus below.