SUNBURST

Malware updated 10 days ago (2024-10-08T12:01:05.827Z)
Sunburst is a sophisticated malware family that was detected in a major supply chain attack in December 2020. The Sunburst backdoor has been tied to Kazuar, another malware family, on the basis of code resemblance, which indicates its high level of complexity. The malware infiltrates systems, often without the user's knowledge, via suspicious downloads, emails, or websites, and can steal personal information, disrupt operations, or hold data for ransom. Prominent campaigns such as DarkHydrus, OilRig, xHunt, SUNBURST, and Decoy Dog have leveraged DNS tunneling for command and control (C2), highlighting the techniques shared across these threats.

The discovery of the Sunburst malware created significant challenges for many organizations, including governments around the world. Following the disclosure of IP addresses associated with the Sunburst attackers, organizations had to painstakingly sift through historical data to identify impacted services and any potential interactions with the malware. In July 2024, US District Judge Paul Engelmayer dismissed most of the charges against SolarWinds and Brown, stating that the Securities and Exchange Commission's (SEC) claims that they had concealed the firm's security weaknesses after Sunburst were based on "hindsight and speculation."

Partners, including those in the US, have associated Nobelium, the group behind Sunburst, with APT29, which was also implicated in the 2015 attack against the American Democratic National Committee and the 2020 Sunburst attack targeting SolarWinds products. Following the Sunburst supply chain attack, the Biden administration took measures to bolster the nation's cybersecurity. Chris DeRusha, federal CISO and deputy national cyber director, and Eric Goldstein, executive assistant director for cybersecurity at CISA, cited Executive Order 14028, which led to these initiatives aimed at ensuring secure development and bolstering government cybersecurity.
Description last updated: 2024-10-08T11:31:47.379Z
Possible Aliases / Cluster overlaps
It's hard to track cluster overlaps and naming conventions between vendors, so here are some possible overlapping names / profiles you also may want to look at.
Alias (votes) and description:

SUPERNOVA (2 votes) is a possible alias for SUNBURST. SUPERNOVA is a potent and novel malware, as reported by FireEye during the SolarWinds compromise. It stands out due to its in-memory execution, sophistication in parameters and execution, and flexibility by implementing a full programmatic API to the .NET runtime. This malware compiles parameters on

Solorigate (2 votes) is a possible alias for SUNBURST. Solorigate, also known as SUNBURST, is a sophisticated malware that was used in a series of cyberattacks in 2021. The malware was discovered to have been implanted into the SolarWinds Orion software through a supply-chain compromise, which Microsoft initially dubbed "Solorigate". This allowed the

TEARDROP (2 votes) is a possible alias for SUNBURST. Teardrop is a sophisticated malware used in cyber attacks, often associated with APT29/Cozy Bear, a group known for deploying advanced tactics and techniques. It has been linked to the Solorigate (SUNBURST) backdoor and is part of a suite of tools including Raindrop, GoldMax, and others used by the

OilRig (2 votes) is a possible alias for SUNBURST. OilRig, also known as APT34, Helix Kitten, Cobalt Gypsy, Lyceum, Crambus, or Siamesekitten, is a notorious threat actor linked to numerous malicious activities. The group has been associated with various well-known campaigns such as DarkHydrus, xHunt, SUNBURST, and Decoy Dog, all of which leveraged
Miscellaneous Associations
Other elements of context that could aid in the identification of relevance
Backdoor
Solarwinds
Malware
Vulnerability
Sec
Exploit
Microsoft
DNS
Tunneling
Fraud
Windows
Vpn
Phishing
Source
Reconnaissance
Associated Malware
Alias (association type; votes) and description:

Kazuar (6 votes): The Kazuar malware is associated with SUNBURST. Kazuar is a sophisticated multiplatform trojan horse malware that has been associated with the Russia-based threat group Turla, also known as Pensive Ursa, Uroburos, or Snake. This group, believed to be linked to the Russian Federal Security Service (FSB), has been operating since at least 2004 and is related to

Tomiris (association type unspecified; 2 votes): The Tomiris malware is associated with SUNBURST. Tomiris is a malware group that has been active since at least 2019, known for using the backdoor QUIETCANARY. The group has also used Turla malware, indicating possible cooperation or shared expertise between Tomiris and Turla. A significant development was observed in September 2022 when a Tunnu

GoldMax (association type unspecified; 2 votes): The GoldMax malware is associated with SUNBURST. GoldMax is a sophisticated malware, initially discovered to target Windows platforms, with the earliest identified timestamp indicating compilation in May 2020. The malicious software was designed by threat actors to exploit and damage computer systems, often infiltrating without the user's knowled
Associated Threat Actors
Alias (association type; votes) and description:

APT29 (association type unspecified; 3 votes): The APT29 threat actor is associated with SUNBURST. APT29, also known as Cozy Bear, Midnight Blizzard, Nobelium, and the Dukes, is a Russia-linked threat actor associated with the SVR. This group is notorious for its sophisticated cyber espionage tactics, techniques, and procedures. APT29 often uses The Onion Router (TOR) network, leased and compromised

NOBELIUM (association type unspecified; 3 votes): The NOBELIUM threat actor is associated with SUNBURST. Nobelium, a threat actor linked to Russia, has been identified as a significant cybersecurity concern due to its persistent and sophisticated cyber-espionage campaigns. Known also by various other names such as APT29, Cozy Bear, Midnight Blizzard, and The Dukes, Nobelium is believed to be operating

Turla (association type unspecified; 2 votes): The Turla threat actor is associated with SUNBURST. Turla, a threat actor linked to Russia, is known for its sophisticated cyber espionage operations. The group has been associated with numerous high-profile attacks, often utilizing advanced backdoors and fileless malware for infiltration and persistence. Turla's tactics, techniques, and procedures (
Source Document References
Information about the SUNBURST malware was read from the document corpus below. This display is limited to 20 results.
Source (created):

CERT-EU (10 months ago)
InfoSecurity-magazine (3 months ago)
DARKReading (3 months ago)
InfoSecurity-magazine (4 months ago)
Unit42 (5 months ago)
DARKReading (6 months ago)
CERT-EU (7 months ago)
DARKReading (9 months ago)
BankInfoSecurity (9 months ago)
CERT-EU (9 months ago)
CERT-EU (10 months ago)
CERT-EU (10 months ago)
DARKReading (10 months ago)
MITRE (10 months ago)
MITRE (10 months ago)
CERT-EU (10 months ago)
CERT-EU (10 months ago)
CERT-EU (a year ago)
CERT-EU (a year ago)
CERT-EU (a year ago)