
SolarWinds SUNBURST Backdoor DGA and Infected Domain Analysis

Firewall Traffic Analysis
On December 13, 2020, multiple vendors such as FireEye and Microsoft reported an emerging threat from a nation-state threat actor who compromised SolarWinds and trojanized SolarWinds Orion business software updates in order to distribute a backdoor called SUNBURST. Because of the popularity of SolarWinds, the attacks have affected multiple government agencies and many Fortune 500 companies. The compromise also appears in the recent CISA Emergency Directive 20-01.

We analyzed decoded DGA domains from SUNBURST and found 165 unique domains that were affected by the backdoor. Some of them might be victims, and some might relate to security detection or analysis, such as sandboxing. We found that the affected domains span different types of organizations (including information technology, public administration, education, and finance and insurance) and belong to 25 different countries, spanning every continent except Antarctica.

1.0 Introduction to SolarWinds Orion Supply Chain Compromise

As mentioned in the FireEye report, SolarWinds may have been attacked by a nation-state threat actor, but which one remains a mystery. Some news articles conjecture that it is related to APT29 (Cozy Bear), a Russian hacker group, but detailed evidence has not been revealed.

According to SaveBreach, security researcher Vinoth Kumar discovered that a password belonging to a SolarWinds update server had been leaked on GitHub since 2018. It is unclear whether the attackers used the weak password in the attacks, but it shows a weakness in SolarWinds' security posture.

In a report SolarWinds filed with the SEC, SolarWinds' email through Office 365 might have been compromised and “may have provided access to other data contained in the Company’s office productivity tools.”

SolarWinds said as many as 18,000 of its high-profile customers might have installed a tainted version of its Orion products.

2.0 SUNBURST DGA algorithm and communication