
An updated version of this blog is now available: https://www.fortinet.com/blog/threat-research/what-we-have-learned-so-far-about-the-sunburst-solarwi...
By now you may have read media coverage of a state-sponsored campaign, tracked as "SunBurst"/UNC2452, that compromised SolarWinds and led to the breach of multiple government agencies.
We are currently analyzing all of the data disclosed on the “Sunburst”/UNC2452 operation and are taking proactive steps to ensure the security of our customers.
What we know so far:
Based on our research and the details disclosed to this point, this was a highly evasive and carefully planned attack orchestrated by a nation-state. The campaign was a supply-chain attack: the actor inserted a backdoor into legitimate update packages for SolarWinds' Orion IT monitoring and management software (affected Orion Platform versions 2019.4 HF5 through 2020.2 HF1) and used those trojanized updates to get into the target organizations.
The initial backdoor is a DLL named "SolarWinds.Orion.Core.BusinessLayer.dll", which is loaded by the Orion service host processes SolarWinds.BusinessLayerHost.exe and SolarWinds.BusinessLayerHostx64.exe.
Once a host is compromised, the backdoor lies dormant for up to two weeks and only then activates its malicious payload, which allows the threat actor to carry out the next stages of the attack.
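Because the backdoor lives in a normally-present DLL loaded by a normally-present process, a practitioner's first question is simply whether that DLL, in one of its backdoored builds, is on disk or in memory on the Orion server. The following PowerShell triage script is an added example written for this post; it is not Fortinet's or SolarWinds' code. It assumes the default Orion install root under "Program Files (x86)\SolarWinds\Orion" and uses the DLL file versions that FireEye publicly reported as backdoored as a starting list, which you should verify against the current vendor advisory before acting on the result.

```powershell
# Added triage example (not from the original post): find every copy of the
# SUNBURST carrier DLL on an Orion server, report version, Authenticode status
# and SHA-256, flag known-bad builds, and check whether a running
# SolarWinds.BusinessLayerHost*.exe currently has the DLL loaded.
# ASSUMPTIONS: run from an elevated PowerShell on the Orion server; the install
# root and the known-bad version list below must be confirmed against the
# vendor's current advisory.
param(
    [string]$OrionRoot = "${env:ProgramFiles(x86)}\SolarWinds\Orion",
    # File versions of SolarWinds.Orion.Core.BusinessLayer.dll publicly reported
    # (FireEye, December 2020) as containing the backdoor. Starting point only.
    [string[]]$KnownBadVersions = @(
        '2019.4.5200.9083',
        '2020.2.100.12219',
        '2020.2.5200.12394',
        '2020.2.5300.12432'
    )
)

$dllName  = 'SolarWinds.Orion.Core.BusinessLayer.dll'
$findings = @()

# 1. On-disk copies. Orion keeps several copies of this DLL under its tree,
#    so recurse rather than checking a single path.
$dlls = Get-ChildItem -Path $OrionRoot -Filter $dllName -Recurse -File -ErrorAction SilentlyContinue
foreach ($dll in $dlls) {
    $ver  = $dll.VersionInfo.FileVersion
    $sig  = Get-AuthenticodeSignature -FilePath $dll.FullName
    $hash = (Get-FileHash -Path $dll.FullName -Algorithm SHA256).Hash
    $findings += [pscustomobject]@{
        Where       = 'disk'
        Path        = $dll.FullName
        FileVersion = $ver
        # CAVEAT: the backdoored DLL carried a valid SolarWinds signature, so a
        # 'Valid' status does NOT clear the file. Version and hash decide.
        Signature   = $sig.Status
        Signer      = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '' }
        SHA256      = $hash
        KnownBad    = ($KnownBadVersions -contains $ver)
    }
}

# 2. In-memory copies. Reading another process's module list needs elevation;
#    both 32- and 64-bit host processes are matched by the wildcard.
$hostProcs = Get-Process -Name 'SolarWinds.BusinessLayerHost*' -ErrorAction SilentlyContinue
foreach ($p in $hostProcs) {
    $loaded = $p.Modules | Where-Object { $_.ModuleName -ieq $dllName }
    foreach ($m in $loaded) {
        $ver = $m.FileVersionInfo.FileVersion
        $findings += [pscustomobject]@{
            Where       = "process $($p.Id) ($($p.ProcessName))"
            Path        = $m.FileName
            FileVersion = $ver
            Signature   = (Get-AuthenticodeSignature -FilePath $m.FileName).Status
            Signer      = ''
            SHA256      = (Get-FileHash -Path $m.FileName -Algorithm SHA256).Hash
            KnownBad    = ($KnownBadVersions -contains $ver)
        }
    }
}

# 3. Report. Exit code lets this be dropped into a fleet-wide job.
$findings | Format-Table Where, FileVersion, Signature, KnownBad, SHA256 -AutoSize
$bad = @($findings | Where-Object KnownBad)
if ($bad.Count -gt 0) {
    Write-Warning "$($bad.Count) copy/copies of $dllName match a known-bad build. Isolate the host and preserve evidence before remediating."
    exit 2
}
if ($findings.Count -eq 0) {
    Write-Warning "No $dllName found under $OrionRoot and no host process has it loaded; confirm the install path."
    exit 1
}
Write-Output "No known-bad build found; compare the SHA-256 values above against current IOC lists."
exit 0
```

Two points worth stressing from the script: a clean Authenticode result proves nothing here, because the trojanized build was signed with SolarWinds' own certificate, and a clean on-disk scan is not enough on its own, because an already-running BusinessLayerHost process may still be executing a copy that has since been replaced on disk. Treat any known-bad match as a live incident rather than a patching task.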
We are continuously analyzing the events and still do not have all the information on the attack. At present, we can say that one part of the attacker's post-breach modus operandi is the use of Cobalt Strike beacons and in-memory implants, which FortiEDR detects and blocks without prior knowledge or signatures.
That said, this is an ongoing investigation and we do not yet have the complete details to confirm what additional weaponization was involved.
We understand that customers running a vulnerable version of the SolarWinds Orion monitoring products are rightfully concerned.
Here are steps we are taking on the FortiEDR platform to further ensure the security of the customers:
executed on customer systems.
Copyright 2025 Fortinet, Inc. All Rights Reserved.