Network monitoring firm SolarWinds has published further analysis on how its Orion platform was compromised and abused to hack the United States Treasury and other government agencies, along with IT companies like Microsoft and security vendor FireEye.
Working with management consultants KPMG, law firm DLA Piper, and security firm CrowdStrike, SolarWinds has been able to establish how and when the malicious SUNBURST backdoor was inserted into the build process for the Orion plug-in.
Calling it a "highly sophisticated and complex malware designed to circumvent threat detection", SolarWinds, KPMG and CrowdStrike reverse-engineered the SUNBURST code.
The analysis shows that the attackers used another piece of malware, named SUNSPOT, to insert code into Orion that has been carefully crafted not to be detected by SolarWinds developers viewing the source, or through compilation time warnings during the build process.
SUNSPOT, too, was carefully designed to avoid detection when running.
The attackers went to considerable effort over a long period of time to ensure that their malware could be implanted into Orion.
This included gaining access to SolarWinds as early as September 2019, and running test code until November the same year, to ensure that the hack would go smoothly and unnoticed.
The actual attack that resulted in SolarWinds customers being compromised started on February 2 2020, with the threat actors compiling and deploying SUNBURST.
SUNBURST was removed from SolarWinds' environment by the attackers in June 2020.
It wasn't until December 12 last year, however, when SolarWinds was notified by security vendor FireEye, that the sophisticated suplly chain attack was identified.
As part of the investigation into the hack, SolarWinds identified two customer support incidents in November and then December that the company believes were related to SUNBURST, but not identified as such.
Unlike the US government which has officially pinned the blame for the attack on Russian state sponsored hackers, SolarWinds says its investigation has to date not been able to verify the identity of the threat actors.
Since the attackers managed the intrusion through multiple servers in the US, and mimicked legitimate network traffic, SolarWinds says they were able to avoid threat detection.