Cyber Incident Victim: SolarWinds
Date: Dec 2020
Location: United States of America
Summary
A supply chain attack compromised SolarWinds' Orion software update mechanism to distribute the Sunburst malware, enabling initial network access followed by deployment of the Teardrop backdoor for hands-on exploitation. A separate threat actor unrelated to the primary attackers later exploited vulnerable, internet-exposed Orion instances using a web shell called Supernova, which relied on a known vulnerability rather than on validly signed code, indicating lower operational sophistication compared to the original campaign. Both intrusions facilitated unauthorized access to victim networks, though through distinct initial vectors: one via signed malicious updates and the other via post-compromise web shell implantation targeting unpatched systems.
Description
The SolarWinds incident involved a sophisticated supply chain attack initially attributed to suspected Russian government-backed hackers. The attackers compromised SolarWinds' Orion network monitoring software, inserting malware known as Sunburst (or Solorigate) into legitimate software updates distributed to customers. This malicious update functioned as a trojanized installer, enabling initial access to victim networks across corporate and government entities. Once installed, Sunburst established communication with attacker-controlled servers, allowing the download of a secondary payload called Teardrop. This second-stage backdoor facilitated hands-on-keyboard sessions where attackers could conduct further malicious activities directly on compromised systems. Security researchers from GuidePoint, Symantec, and Palo Alto Networks identified additional malware components during forensic investigations, including a .NET web shell named Supernova deployed alongside a PowerShell script called CosmicGale.

Subsequent analysis revealed a second, unrelated threat actor exploiting SolarWinds systems through different methods. Microsoft security researchers determined Supernova was not part of the original Sunburst-Teardrop attack chain but instead resulted from separate exploitation of vulnerabilities such as CVE-2019-8917 in internet-exposed Orion installations. Unlike Sunburst, which used authentic SolarWinds digital certificates to evade detection, Supernova lacked valid code signing—a tactical inconsistency suggesting different perpetrators. The confusion stemmed from both malware families masquerading as Orion DLL files, though their deployment mechanisms and attacker tradecraft differed significantly. Forensic evidence indicated the second actor leveraged Supernova to execute CosmicGale for post-exploitation activities, but this campaign operated independently from the coordinated supply chain compromise attributed to state-sponsored actors.
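The signing inconsistency described above (Sunburst carried a valid SolarWinds signature, Supernova did not) points to one practical check: audit the signature state and signer of every DLL under the Orion installation. The PowerShell below is an added example, not part of this incident record or of any SolarWinds tooling; the install path and the expected publisher substring are assumptions to adjust for the local deployment.

```powershell
# Added example: flag Orion DLLs that are unsigned, carry an invalid signature,
# or are signed by a publisher other than the one expected.
# Both the default path and the publisher string are assumptions.
param(
    [string]$OrionDir = 'C:\Program Files (x86)\SolarWinds\Orion',  # assumed install path
    [string]$ExpectedPublisher = 'SolarWinds'                        # assumed subject substring
)

$findings = foreach ($dll in Get-ChildItem -Path $OrionDir -Recurse -Filter *.dll -File) {
    $sig = Get-AuthenticodeSignature -FilePath $dll.FullName
    $subject = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '' }

    $reason = $null
    if ($sig.Status -ne 'Valid') {
        # Covers NotSigned, HashMismatch, UnknownError, etc.
        $reason = "signature status: $($sig.Status)"
    } elseif ($subject -notlike "*$ExpectedPublisher*") {
        # Validly signed, but not by the publisher expected for this directory.
        $reason = "unexpected signer: $subject"
    }

    if ($reason) {
        [pscustomobject]@{
            Path   = $dll.FullName
            Reason = $reason
            # Hash recorded so the finding can be compared against vendor inventories.
            Sha256 = (Get-FileHash -Path $dll.FullName -Algorithm SHA256).Hash
        }
    }
}

$findings | Format-Table -AutoSize
```

An empty result does not clear the host: Sunburst shipped with a valid SolarWinds signature, so signed DLLs still need their hashes compared against known-good file inventories.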
