Solorigate

Malware Profile Updated 2 months ago
Solorigate, also known as SUNBURST, is a sophisticated malware that was used in a series of cyberattacks in 2021. The malware was implanted into the SolarWinds Orion software through a supply-chain compromise, which Microsoft initially dubbed "Solorigate". This foothold allowed the attackers to breach government agencies and high-profile companies for espionage purposes, in part by exploiting misconfigurations in Microsoft's Active Directory Federation Services, among other methods. The complex attack chain involved a handover from the Solorigate DLL backdoor to the Cobalt Strike loader, a component that is not yet fully understood.

Microsoft has published multiple reports detailing the activity related to this attack campaign, including an analysis of the compromised DLL file that initiated the intrusion, along with guidance for its customers on protecting themselves against such attacks. Advanced Hunting Queries (AHQ) related to Solorigate were made available in Microsoft's AHQ repository on GitHub to help locate possible exploitation activity, and recommendations for hardening networks against Solorigate and similar sophisticated attacks have also been outlined.

The disclosure of the Solorigate attack led to extensive investigations that produced further details and intelligence, which were used to improve existing detections and build new ones. Security operations teams can refer to Microsoft's comprehensive guide on detecting and investigating Solorigate. Microsoft Defender for Endpoint raised alerts on Solorigate-related malicious activity as early as June 2020, and forensic analysis of known cases with malicious activity occurring between May and November 2020 revealed relevant alerts generated by Microsoft Defender for Endpoint and Microsoft Defender for Identity.
Possible Aliases / Cluster overlaps
It's hard to track cluster overlaps and naming conventions between vendors, so here are some possible overlapping names / profiles you also may want to look at.
ID | Votes | Profile Description
SUNBURST | 2 | Sunburst is a highly sophisticated malware that infiltrated the SolarWinds Orion platform, an event that came to light in late 2020. The malware was embedded into the system as early as January 2019, evading detection for almost two years. The campaign was attributed to Russia's Foreign Intelligence
TEARDROP | 1 | Teardrop is a sophisticated malware used in cyber attacks, often associated with APT29/Cozy Bear, a group known for deploying advanced tactics and techniques. It has been linked to the Solorigate (SUNBURST) backdoor and is part of a suite of tools including Raindrop, GoldMax, and others used by the
Raindrop | 1 | Raindrop is a type of malware discovered during the Solorigate investigation, along with other malicious software such as TEARDROP, SUNBURST, and various custom loaders for the Cobalt Strike beacon. These malware types, including Raindrop, are likely generated using custom Artifact Kit templates. Ra
Miscellaneous Associations
Other elements of context that could aid in the identification of relevance
Microsoft
Backdoor
Malware
Loader
Cobalt Strike
Solarwinds
exploitation
Github
Azure
Exploit
Beacon
Associated Malware
ID | Type | Votes | Profile Description
Cobalt Strike Beacon | Unspecified | 1 | Cobalt Strike Beacon is a type of malware known for its harmful capabilities, including stealing personal information, disrupting operations, and potentially holding data hostage for ransom. The malware has been loaded by HUI Loader through various files such as mpc.tmp, dlp.ini, vmtools.ini, and an
Associated Threat Actors
ID | Type | Votes | Profile Description
No associations to display
Associated Vulnerabilities
ID | Type | Votes | Profile Description
No associations to display
Source Document References
Information about the Solorigate malware was read from the document corpus below. This display is limited to 20 results.
Source | Created At | Title
CERT-EU | 6 months ago | Russian Espionage Group Tapped Microsoft Corporate E-Mails -- Redmondmag.com
MITRE | 7 months ago | SolarStorm Supply Chain Attack Timeline
CERT-EU | a year ago | SBOM Executive Order: Ready for the June 11th deadline?
MITRE | a year ago | Deep dive into the Solorigate second-stage activation: From SUNBURST to TEARDROP and Raindrop - Microsoft Security Blog