SUNBURST

Malware Profile Updated a month ago
SUNBURST is the backdoor that was inserted into SolarWinds' Orion network-monitoring platform through a compromise of SolarWinds' own build process. The campaign was exposed on 13 December 2020 by FireEye (now Mandiant), which tracked the intrusion as UNC2452. SolarWinds later reported that the attackers had access to its environment as early as January 2019, so the intrusion went undetected for nearly two years; the backdoored Orion builds themselves were distributed to customers between March and June 2020. How the attackers first gained access to SolarWinds was never conclusively established. Up to 18,000 customers, including federal agencies and large corporations, downloaded a trojanized update, but the attackers selected only a much smaller set of those for hands-on follow-on activity.

Kaspersky reported code overlaps between SUNBURST and Kazuar, a backdoor associated with Turla. That resemblance may reflect shared tooling, a common developer, or a deliberate false flag; it says nothing about the malware's complexity. The U.S. government attributed the operation to Russia's SVR (APT29 / Cozy Bear).

For command and control SUNBURST used DNS. After a dormant period of up to two weeks it encoded the victim's domain and a machine identifier into a generated subdomain of avsvmcloud.com, and the address or CNAME record returned by the attacker-controlled resolver told the implant whether to terminate, keep waiting, or which stage-two HTTP C2 server to contact. Using DNS as a covert channel is shared with other campaigns such as DarkHydrus, OilRig, xHunt, and Decoy Dog, which are often cited together as examples of DNS tunneling for C2.

Following FireEye's disclosure, SolarWinds published the key facts known about the attack and its severity and cooperated with investigations led by the FBI and the U.S. intelligence community. Even so, in October 2023 the SEC charged SolarWinds and its CISO with fraud and internal-control failures, alleging that the company's public statements about its security practices, dating back to its initial public offering in October 2018, were misleading.

In the aftermath of the SUNBURST supply chain attack, federal officials took measures to bolster the nation's cybersecurity. Executive Order 14028 (May 2021) led to a series of actions designed to enhance government cybersecurity. However, the Cyber Safety Review Board (CSRB), created under that order, has not yet investigated the incident, which is considered one of the most consequential cybersecurity incidents in U.S. history. Meanwhile, echoes of the SUNBURST attack continue to be felt in subsequent incidents, underscoring the ongoing threat posed by software supply chain compromise.
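The DNS C2 mechanism above is what a defender can actually hunt for in resolver logs. The following is an added example (not code from this page or from any vendor report) that triages a batch of DNS query-log lines two ways: a known-indicator match on the public SUNBURST stage-one zone avsvmcloud.com and its appsync-api.<region> pattern, and a generic DNS-tunneling heuristic (long, high-entropy leftmost labels and many distinct names under one registered domain). The log format, thresholds, and sample lines are constructed for the example; the alphanumeric labels are not real SUNBURST DGA output.

```python
"""DNS-log triage for SUNBURST-style command and control over DNS.

Added example; not code from the page or from any vendor report.
Rule 1: known-indicator match on the public SUNBURST C2 zone avsvmcloud.com.
Rule 2: generic covert-channel heuristics (label entropy, subdomain fan-out).
Log lines, thresholds and labels are constructed for this example.
"""
import math
import re
from collections import defaultdict

# Public SUNBURST pattern: <encoded victim id>.appsync-api.<region>.avsvmcloud.com
SUNBURST_C2 = re.compile(
    r"^[a-z0-9]+\.appsync-api\.(eu-west-1|us-west-2|us-east-1|us-east-2)\.avsvmcloud\.com$"
)
KNOWN_C2_ZONES = {"avsvmcloud.com"}

# Heuristic thresholds: assumptions for this example, tune per environment.
MIN_LABEL_LEN = 20
MIN_ENTROPY = 3.5
MAX_UNIQUE_NAMES = 5

# Assumed log format: "<timestamp> <client ip> <qtype> <qname>"
LOG_LINE = re.compile(r"^(?P<ts>\S+)\s+(?P<src>\S+)\s+(?P<qtype>[A-Z]+)\s+(?P<qname>\S+)$")


def shannon_entropy(s: str) -> float:
    """Bits of entropy per character of s (0.0 for an empty string)."""
    if not s:
        return 0.0
    counts = defaultdict(int)
    for ch in s:
        counts[ch] += 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def registered_domain(qname: str) -> str:
    """Naive eTLD+1 (last two labels). A real deployment should use the
    public suffix list; kept simple so the example runs offline."""
    labels = qname.rstrip(".").lower().split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else qname


def parse_line(line: str):
    """Parse one log line into a dict, or None if it does not match the format."""
    m = LOG_LINE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["qname"] = rec["qname"].rstrip(".").lower()
    return rec


def triage(lines):
    """Return a list of (rule, subject, detail) findings for a batch of log lines."""
    findings = []
    names_per_zone = defaultdict(set)
    for raw in lines:
        rec = parse_line(raw)
        if rec is None:
            continue
        qname, src = rec["qname"], rec["src"]
        zone = registered_domain(qname)
        names_per_zone[zone].add(qname)

        # Rule 1: any query into the known C2 zone is a hit; the full pattern is a stronger one.
        if zone in KNOWN_C2_ZONES:
            rule = "sunburst-c2-pattern" if SUNBURST_C2.match(qname) else "sunburst-c2-zone"
            findings.append((rule, src, qname))
            continue

        # Rule 2a: long, high-entropy leftmost label suggests encoded data in the query.
        first = qname.split(".")[0]
        if len(first) >= MIN_LABEL_LEN and shannon_entropy(first) >= MIN_ENTROPY:
            findings.append(("high-entropy-label", src, qname))

    # Rule 2b: many distinct names under one zone is typical of DNS beaconing/tunneling.
    for zone, names in names_per_zone.items():
        if zone not in KNOWN_C2_ZONES and len(names) > MAX_UNIQUE_NAMES:
            findings.append(("subdomain-fanout", zone, f"{len(names)} distinct names"))
    return findings


# Constructed sample log (not real traffic).
SAMPLE_LOG = [
    "2020-06-12T10:01:02Z 10.20.30.40 A www.example.com",
    "2020-06-12T10:01:05Z 10.20.30.40 A mail.example.com",
    "2020-06-12T10:02:11Z 10.20.30.41 A 6a57jk2ba1d9keg15cbg.appsync-api.eu-west-1.avsvmcloud.com",
    "2020-06-12T10:02:12Z 10.20.30.41 A 7sbvaemscs0mc925tb99.appsync-api.us-west-2.avsvmcloud.com",
    "2020-06-12T10:03:00Z 10.20.30.42 TXT 4f7d1a9c2e8b0f3d6a5c9e1b7d2f4a8c0e.tunnel.example.net",
    "2020-06-12T10:03:01Z 10.20.30.42 TXT a1b2c3d4.t.example.net",
    "2020-06-12T10:03:02Z 10.20.30.42 TXT e5f6a7b8.t.example.net",
    "2020-06-12T10:03:03Z 10.20.30.42 TXT c9d0e1f2.t.example.net",
    "2020-06-12T10:03:04Z 10.20.30.42 TXT a3b4c5d6.t.example.net",
    "2020-06-12T10:03:05Z 10.20.30.42 TXT e7f8a9b0.t.example.net",
    "2020-06-12T10:03:06Z 10.20.30.42 TXT c1d2e3f4.t.example.net",
]

if __name__ == "__main__":
    for rule, subject, detail in triage(SAMPLE_LOG):
        print(f"{rule:22} {subject:16} {detail}")
```

The zone match is the reliable signal: the real SUNBURST labels encode the victim's Active Directory domain and a machine-derived identifier, so their exact form varies per host, while the registered domain does not. The entropy and fan-out heuristics are generic and noisy (CDNs, telemetry and antivirus reputation lookups also generate many high-entropy names), so in production they need an allowlist of known-benign zones and baselining per client.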
Possible Aliases / Cluster overlaps
It's hard to track cluster overlaps and naming conventions between vendors, so here are some possible overlapping names / profiles you also may want to look at.
ID | Votes | Profile Description

Solorigate | 2
Solorigate, also known as SUNBURST, is the backdoor used in the SolarWinds supply-chain attack discovered in December 2020. The malware was implanted into the SolarWinds Orion software through a compromise of SolarWinds' build process, which Microsoft initially dubbed "Solorigate". This allowed the

TEARDROP | 2
Teardrop is a memory-only dropper used in the SolarWinds intrusions and associated with APT29/Cozy Bear, a group known for deploying advanced tactics and techniques. It was delivered after the Solorigate (SUNBURST) backdoor and loaded a Cobalt Strike Beacon, and it is part of a suite of tools including Raindrop, GoldMax, and others used by the

SUPERNOVA | 2
SUPERNOVA is a .NET webshell, documented by Palo Alto Networks Unit 42, that was found on SolarWinds Orion servers during the SolarWinds investigation. It was not signed with SolarWinds' code-signing certificate and is assessed to be the work of a different actor than SUNBURST. It stands out for its in-memory execution, sophistication in parameters and execution, and flexibility in exposing a full programmatic API to the .NET runtime. This malware compiles parameters on

OilRig | 2
OilRig is a well-known threat actor in the cybersecurity landscape, notorious for its sophisticated attacks on various targets, including Middle Eastern telecommunications organizations and Israel's critical infrastructure sector. This entity has been linked to several high-profile campaigns such as

DarkHydrus | 1
DarkHydrus is a threat actor known for executing malicious activities. It appears in this profile only because it is cited, alongside OilRig, xHunt, SUNBURST, and Decoy Dog, as one of several campaigns that leveraged DNS tunneling for Command and Control (C2) communications; it is not otherwise linked to the SolarWinds intrusion. DNS tunneling is a tec

xHunt | 1
xHunt is a campaign reported by Palo Alto Networks Unit 42 that targeted organizations in Kuwait. Like DarkHydrus, OilRig, SUNBURST, and Decoy Dog it is cited as an example of the use of DNS tunneling for command and control (C2) communications, a method which allows data

SUNSPOT | 1
SUNSPOT is the implant that CrowdStrike found on SolarWinds' build server. It watched for Orion builds in progress and replaced a source file so that the SUNBURST backdoor was compiled into the product, suppressing build errors so the substitution went unnoticed. CrowdStrike tracks the actor as StellarParticle; the wider operation is attributed to the same actor as SUNBURST, which the U.S. government identifies as Russia's SVR (APT29 / COZY BEAR / "The Dukes").
Miscellaneous Associations
Other elements of context that could aid in the identification of relevance
Backdoor
Malware
Solarwinds
Microsoft
Exploit
Vulnerability
Vpn
Windows
Phishing
Reconnaissance
Fraud
Sec
Espionage
State Sponso...
xHunt
Payload
Proxy
Antivirus
Azure
Teamcity
Linux
CISA
Remote Code ...
Log4j
Ransomware
Webshell
Outlook
Trojan
Loader
Cobalt Strike
Implant
exploitation
Beacon
Github
Pypi
Apt
Moveit
Malwarebytes
Associated Malware
ID | Type | Votes | Profile Description

Kazuar | is related to | 6
Kazuar is a sophisticated multiplatform trojan horse malware, linked to the Russian-based threat group Turla (also known as Pensive Ursa, Uroburos, Snake), which has been operating since at least 2004. This group, believed to be connected to the Russian Federal Security Service (FSB), utilizes an ar

Tomiris | Unspecified | 2
Tomiris is the name Kaspersky uses both for a Golang backdoor with code similarities to Sunshuttle and for the threat actor behind it, which has been active since before 2019. Known for its use of the QUIETCANARY backdoor, Tomiris has expanded its capabilities and influence within the region, targeting government entities and other high-value targets. The group has shown a particular i

GoldMax | Unspecified | 2
GoldMax is a Go-based second-stage command-and-control backdoor for Windows that Microsoft attributed to NOBELIUM; the earliest identified sample carries a compilation timestamp of May 2020. FireEye tracks the same family as SUNSHUTTLE.

Decoy Dog | Unspecified | 1
Decoy Dog is a notorious malware that utilizes DNS tunneling for Command and Control (C2) operations, similar to well-known campaigns like DarkHydrus, OilRig, xHunt, and SUNBURST. This malware uses the underlying tunneling tool Pupy, which applies the character '9' as padding when encoding data. Fir

Mamadogs | Unspecified | 1
None

Crimsonbox | Unspecified | 1
None

Raindrop | Unspecified | 1
Raindrop is a loader discovered during the Solorigate investigation, along with other malicious software such as TEARDROP, SUNBURST, and various custom loaders for the Cobalt Strike beacon. These loaders, including Raindrop, were likely generated using custom Artifact Kit templates. Ra

Sunshuttle | Unspecified | 1
Sunshuttle is a malicious software (malware) that has been linked to various cyber threats. Initial reports identified connections between Sunshuttle, a Tomiris Golang implant, NOBELIUM (also known as APT29 or TheDukes), and Kazuar, which is associated with Turla. However, interpreting these connect
Associated Threat Actors
ID | Type | Votes | Profile Description

Turla | Unspecified | 2
Turla, also known as Pensive Ursa, is a Russia-sponsored threat actor that has been active since at least 2004. This group targets diplomatic and government organizations, private businesses, and non-governmental organizations (NGOs), especially those with connections to supporting Ukraine. Turla op

APT29 | Unspecified | 2
APT29, also known as Midnight Blizzard and CozyBear, is a Russia-linked threat actor known for executing actions with malicious intent. This group has been involved in several high-profile cyber attacks, exploiting vulnerabilities in software and systems to compromise their targets. APT29 has utiliz

NOBELIUM | Unspecified | 2
Nobelium, a threat actor also known as Midnight Blizzard and Cozy Bear, is a Russian state-sponsored entity notorious for executing actions with malicious intent. Known for its sophisticated methods, Nobelium uses a tool called FoggyWeb to remotely exfiltrate the configuration database of compromise

Pensive | Unspecified | 1
Pensive Ursa, also known as Turla or Uroburos, is a Russian-based threat group that has been active since at least 2004 and is linked to the Russian Federal Security Service (FSB). The group employs advanced and stealthy tools like Kazuar, a .NET backdoor used as a second stage payload. In 2023, Pen

Pensive Ursa | Unspecified | 1
Pensive Ursa, also known as Turla, Uroburos, Venomous Bear, and Waterbug, is a Russian-based advanced persistent threat (APT) group that has been operating since at least 2004. The group, linked to the Russian Federal Security Service (FSB), is renowned for its sophisticated cyber-espionage activiti

SolarStorm | Unspecified | 1
SolarStorm is a threat actor group known for executing actions with malicious intent. Notable among their operations was the 2020 attack on SolarWinds Orion software, which was a sophisticated supply-chain attack that compromised the company's software updates, resulting in malware being served to i

UNC2452 | Unspecified | 1
UNC2452, also known as APT29, Cozy Bear, Nobelium, and Midnight Blizzard, is a highly skilled and disciplined threat actor group linked to Russia's SVR intelligence agency. The group gained notoriety for its role in the SolarWinds compromise in December 2020, an extensive cyberattack that involved a

StellarParticle | Unspecified | 1
StellarParticle, a threat actor associated with the COZY BEAR adversary group, has been identified as a significant cybersecurity risk by CrowdStrike. StellarParticle is known for its extensive knowledge of Windows and Linux operating systems, Microsoft Azure, O365, and Active Directory, and it has
Associated Vulnerabilities
ID | Type | Votes | Profile Description

Log4Shell | Unspecified | 1
Log4Shell (CVE-2021-44228) is a critical remote code execution vulnerability in Apache Log4j 2, a widely used Java logging library; it was publicly disclosed on 9 December 2021. The flaw affected millions of devices and applications globally, including those in Estonia. It is unrelated to the SUNBURST supply-chain compromise itself and appears here only because the two are discussed together in the source documents. The vulnerability, officially designated as
Source Document References
Information about the SUNBURST malware was read from the documents corpus below. This display is limited to 20 results.

Source, created at: title

MITRE, a year ago: Security Advisory | SolarWinds
MITRE, a year ago: New Findings From Our Investigation of SUNBURST
MITRE, a year ago: SUNSPOT Malware: A Technical Analysis | CrowdStrike
MITRE, a year ago: Raindrop: New Malware Discovered in SolarWinds Investigation
MITRE, 6 months ago: SolarStorm Supply Chain Attack Timeline
MITRE, a year ago: Deep dive into the Solorigate second-stage activation: From SUNBURST to TEARDROP and Raindrop - Microsoft Security Blog
MITRE, a year ago: Tomiris backdoor and its connection to Sunshuttle and Kazuar
Contagio, a year ago: 2020-12-13 SUNBURST SolarWinds Backdoor samples
CERT-EU, 7 months ago: SEC's Charges Against SolarWinds and Its CISO Highlight Emerging Risks for Public Companies, Security Professionals
MITRE, a year ago: SUPERNOVA: A Novel .NET Webshell
MITRE, a year ago: Highly Evasive Attacker Leverages SolarWinds Supply Chain to Compromise Multiple Global Victims With SUNBURST Backdoor | Mandiant
CERT-EU, 7 months ago: SolarWinds: SEC lacks 'competence' to regulate cybersecurity
CERT-EU, 7 months ago: SEC Sues SolarWinds for Misleading Investors on Product Risks -- Redmondmag.com
CERT-EU, 7 months ago: SEC charges SolarWinds and CISO with securities fraud and control failures
MITRE, a year ago: New SUNSHUTTLE Second-Stage Backdoor Uncovered Targeting U.S.-Based Entity; Possible Connection to UNC2452 | Mandiant
CERT-EU, 7 months ago: A New Frontier for SEC Cybersecurity Enforcement? The SEC Charges SolarWinds and its CISO with Securities Fraud
CERT-EU, 7 months ago: SEC Charges SolarWinds and CISO with Fraud and Internal Controls Failures
DARKReading, 7 months ago: Upgraded Kazuar Backdoor Offers Stealthy Power
CERT-EU, 7 months ago: The SEC's Charges Against SolarWinds and its Chief Information Security Officer Provide Important Cybersecurity Lessons for Public Companies
CERT-EU, 7 months ago: SolarWinds CISO Sued for Fraud by US SEC