CrowdStrike this week identified a third piece of malware used in the recent attack. Called Sunspot, it was deployed first. It had one job: watching the build server. When it spotted an Orion build in progress, it replaced source code inside Orion with its own, inserting Sunburst. Also of note, Sunspot was designed with safeguards to avoid detection. One method was a hash verification check to make sure the hashes matched.
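Sunspot's trick only works because nothing compares what the compiler reads against what was reviewed. As an added example (not code from this post, CrowdStrike or SolarWinds; the file names and the `verify_tree` helper are hypothetical), a build-step check that hashes the checked-out tree against a manifest recorded at review time and reports anything swapped, dropped or added:

```python
import hashlib
import tempfile
from pathlib import Path


def sha256_file(path: Path) -> str:
    """SHA-256 of a file, read in chunks so large sources do not sit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def snapshot(tree: Path) -> dict:
    """Map every file under `tree` (relative POSIX path) to its SHA-256."""
    return {p.relative_to(tree).as_posix(): sha256_file(p)
            for p in sorted(tree.rglob("*")) if p.is_file()}


def verify_tree(tree: Path, manifest: dict) -> dict:
    """Compare the tree the compiler is about to read with the reviewed manifest."""
    actual = snapshot(tree)
    return {
        "modified": sorted(k for k in manifest if k in actual and actual[k] != manifest[k]),
        "missing": sorted(k for k in manifest if k not in actual),
        "unexpected": sorted(k for k in actual if k not in manifest),
    }


def demo() -> dict:
    # Constructed sample: a tiny source tree, a manifest taken at checkout,
    # then one file rewritten and one file added before the build step runs.
    with tempfile.TemporaryDirectory() as d:
        tree = Path(d)
        (tree / "src").mkdir()
        (tree / "src" / "Main.cs").write_text("class Main { }\n")
        (tree / "src" / "Util.cs").write_text("class Util { }\n")
        manifest = snapshot(tree)  # what reviewers signed off on
        (tree / "src" / "Main.cs").write_text("class Main { /* altered */ }\n")
        (tree / "src" / "Extra.cs").write_text("class Extra { }\n")
        return verify_tree(tree, manifest)


if __name__ == "__main__":
    print(demo())
```

Run `verify_tree` immediately before the compile step, on the build host itself, and fail the build on any non-empty list; a manifest produced on the same compromised host proves nothing, so it must come from the review or source-control system.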
Kaspersky researchers have also found code similarities between the Sunburst and Kazuar backdoors. Kazuar is remote access malware. The overlap suggests a connection between the two.
Hackers operating under the moniker “SolarLeaks” are claiming to sell stolen data from the breaches. Victims supposedly for sale include Microsoft, Cisco, FireEye, and SolarWinds. Microsoft’s code is being offered for $600,000, SolarWinds for $250,000, and FireEye for $50,000. The claims are dubious. Cisco has stated there is no evidence their intellectual property was stolen.
Microsoft President Brad Smith called for governments to be held to a “higher standard” and called the attack a violation of “norms and rules”, both during a keynote address at CES.
CISA has stated in new guidance that government systems are being breached using methods besides SolarWinds Orion. This time the focus is on SAML tokens being abused.
Finally, JPMorgan has issued stock advice on the company. They’re optimistic. Why? They believe the majority of customers will stay with Orion: this could have happened anywhere, and Orion costs less than the competition.
Why do we care?
I’ve also shared my thinking with investors: I agree with the JP Morgan analyst. SolarWinds can recover.
The more we learn, the more this looks like an incredibly sophisticated attack. We care because it is worth studying: vendors, to learn how to prevent it, and providers, to learn how it happens and what questions to ask.