UNC2452 is a suspected Russian state-sponsored APT group behind the 2020 SolarWinds software supply chain attack.
The group compromised the build system and signing infrastructure of Orion, SolarWinds' network monitoring and management software, and delivered a trojanized update to over 18,000 customers. The victims included around 80% of the Fortune 500, major corporations such as Microsoft, Cisco, Intel, Nvidia, Belkin, FireEye and Deloitte, as well as numerous US government departments and agencies and other organizations in North America, Europe, Asia, and the Middle East. The group had also compromised at least one think tank by late 2019.
Artifacts from the investigation confirmed that the source code of the Orion update was directly modified to include the SUNBURST backdoor, which was digitally signed and delivered through the company’s legitimate software release system.
The initial access vector was not reported; it may have resulted from a public-facing FTP server and leaked credentials. Other reports point to exploitation of JetBrains TeamCity, a CI/CD tool used by developers all over the world.
The group also reached other victims through vendor access and other means, and compromised a Mimecast certificate in order to intercept traffic and access sensitive information.
Associated Group Descriptions
| Domain | ID | Sub-technique | Name | Use |
|---|---|---|---|---|
| Enterprise | VT0011 | .001 | Account Manipulation: Additional Cloud Credentials | |
| Enterprise | VT0021 | | Credentials from Password Stores | |
| Enterprise | VT0007 | .003 | Develop Capabilities: Malware | UNC2452 developed SUNSPOT, SUNBURST, Teardrop, and Raindrop; SUNSPOT was tailored to inject SUNBURST into the source code of the SolarWinds Orion software update, and the resulting build was digitally signed by SolarWinds. |
| Enterprise | VT0003 | | Exploit Public-Facing Application | UNC2452 set the hostnames of its C2 infrastructure to match legitimate hostnames in the victim environment. It also primarily used IP addresses originating from the same country as the victim for its VPN infrastructure. |
| Enterprise | VT0016 | .002 | Subvert Trust Controls: Code Signing | UNC2452 got SUNBURST signed with SolarWinds' code signing certificate by replacing one of the Orion source code files while the build was running. The legitimate file was swapped for the SUNBURST source by SUNSPOT, another tool that existed on the build system. |
| Enterprise | VT0004 | .002 | Supply Chain Compromise: Compromise Software Supply Chain | |
| Enterprise | VT0017 | .004 | Unsecured Credentials: Private Keys | |
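The build-time source substitution described under Subvert Trust Controls is the kind of change a source-tree integrity check can surface: hash every source file at checkout, re-hash immediately before compilation, and fail the build on any difference. The following is an added example (not code from the page or from any cited report); file names and contents are constructed and the functions `hash_tree`, `diff_manifests` and `simulate_build_time_swap` are hypothetical names.

```python
import hashlib
import tempfile
from pathlib import Path


def hash_tree(root):
    """Return {posix_relative_path: sha256_hex} for every regular file under root."""
    root = Path(root)
    manifest = {}
    for path in sorted(root.rglob("*")):
        if path.is_file():
            digest = hashlib.sha256(path.read_bytes()).hexdigest()
            manifest[path.relative_to(root).as_posix()] = digest
    return manifest


def diff_manifests(before, after):
    """Compare two snapshots; any non-empty list means the tree changed between checkout and build."""
    return {
        "modified": sorted(p for p in before if p in after and before[p] != after[p]),
        "added": sorted(p for p in after if p not in before),
        "removed": sorted(p for p in before if p not in after),
    }


def simulate_build_time_swap():
    """Constructed scenario: snapshot a source tree, swap one file mid-build, re-verify.

    A real pipeline would take the first snapshot at checkout (or load a signed
    manifest) and the second right before invoking the compiler; a non-empty
    diff should fail the build and raise an alert.
    """
    with tempfile.TemporaryDirectory() as src:
        root = Path(src) / "src"
        root.mkdir()
        (root / "Component.cs").write_text("class Component { }\n")   # constructed
        (root / "Program.cs").write_text("class Program { }\n")       # constructed
        before = hash_tree(root)                # snapshot at checkout
        # Simulate a SUNSPOT-style replacement of a source file while the build runs.
        (root / "Component.cs").write_text("class Component { /* unexpected change */ }\n")
        after = hash_tree(root)                 # snapshot just before compilation
        return diff_manifests(before, after)


if __name__ == "__main__":
    print(simulate_build_time_swap())
```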
Created: 17 February 2021
Last Modified: 16 March 2021