A Summary of FireEye’s Detailed Analysis on the SUNBURST Malware

The Malware Used in the Trojanized SolarWinds Orion Update

Alex Rodriguez
The Startup


Backdoor: “An undocumented way of gaining access to a computer system.”

Hello, Reader! In this article, I will give a high-level summary of FireEye’s detailed report on the SUNBURST malware, the payload delivered by the trojanized update that was rolled out for SolarWinds’ Orion software. Before diving into the inner workings of the malware, let’s discuss how it was distributed to thousands of SolarWinds Orion customers via a supply chain attack.

The SolarWinds Supply Chain Attack

The hackers behind the SolarWinds supply chain attack (currently being tracked as UNC2452 by FireEye) compromised the update servers responsible for storing and distributing the updates for the SolarWinds Orion software product. The successful compromise of the update servers allowed the adversaries to quickly spread their trojanized updates to thousands of SolarWinds Orion customers. And because these updates were digitally signed with a SolarWinds certificate issued by Symantec, which sold its certificate authority business to DigiCert back in 2018, there was very little chance that detection tools would flag this update as malicious…


I am an Offensive Security Engineer @ Amazon who writes about cybersecurity and anything related to technology. Opinions are my own.