SUNBURST is a supply chain attack in which a backdoor implanted in a supplier's product was used to compromise that supplier's customers indirectly, around the globe. Orion, the SolarWinds network-management software that was trojanized by the attackers, was used by about 33,000 public and private customers, many of them Fortune 500 companies and U.S. federal government agencies. The attack was discovered in December 2020, eight months after the original breach. It affected U.S. government agencies, technology companies and organizations in countries including Canada, Belgium, Britain and Israel.
SUNBURST: The big picture
The SUNBURST supply chain attack follows the workflow below, grouped into six main steps, as also described by Cynet on its website.
1. Evading security appliances
The malware was delivered as a Windows DLL (SolarWinds.Orion.Core.BusinessLayer.dll) inserted into a legitimate SolarWinds Orion update package, which was then distributed to SolarWinds customers through the normal update channel. Because the package was digitally signed with SolarWinds' own code-signing certificate, customers' EDR and antivirus products treated it as trusted vendor software and let it deploy across their internal networks without further inspection. This is the root of the problem: a valid signature proves who signed a file, not that the build it came from was clean, and attackers who understand how antivirus and allowlisting products treat signed code exploit exactly that trust to disseminate malware in the wild.
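The practical consequence of the point above is that checking the signature on the DLL is necessary but not sufficient: both the clean and the trojanized builds carry a valid SolarWinds signature. The following PowerShell snippet is an added example, not code from the original article or from SolarWinds, showing how a responder would inventory copies of the DLL on a host, confirm the Authenticode chain, and then compare each file's SHA-256 against a deny list of hashes taken from a vendor or CERT advisory. The install roots in $searchRoots are assumed defaults, and $KnownBadSha256 is left as an empty placeholder to be filled from an advisory; no real indicators are embedded here.

```powershell
# Added example (not from the original article or from SolarWinds).
# Inventory every copy of the Orion business-layer DLL, verify its Authenticode
# signature, and compare its hash against a deny list, because a valid vendor
# signature alone does not tell you whether the build was tampered with upstream.

$dllName = 'SolarWinds.Orion.Core.BusinessLayer.dll'

# Assumed install locations; adjust for your environment.
$searchRoots = @(
    'C:\Program Files (x86)\SolarWinds',
    'C:\Program Files\SolarWinds'
)

# Placeholder: populate from your vendor or CERT advisory. Intentionally empty
# here so that no hash on this page is mistaken for a real indicator.
$KnownBadSha256 = @(
    # '<sha256 from advisory>'
)

$results = foreach ($root in $searchRoots) {
    if (-not (Test-Path -Path $root)) { continue }

    Get-ChildItem -Path $root -Filter $dllName -Recurse -File -ErrorAction SilentlyContinue |
        ForEach-Object {
            $sig  = Get-AuthenticodeSignature -FilePath $_.FullName
            $hash = (Get-FileHash -Path $_.FullName -Algorithm SHA256).Hash

            [pscustomobject]@{
                Path       = $_.FullName
                Version    = $_.VersionInfo.FileVersion
                SignStatus = $sig.Status                      # 'Valid' means the chain checks out
                Signer     = $sig.SignerCertificate.Subject   # who signed it, not whether it is clean
                Sha256     = $hash
                KnownBad   = ($KnownBadSha256 -contains $hash)
            }
        }
}

# Show the full inventory first; a reviewer should see every copy, not just hits.
$results | Format-Table -AutoSize

# A valid SolarWinds signature is expected on clean AND trojanized builds, so
# only the hash (or version) comparison separates them. Flag anything on the
# deny list, and separately flag anything whose signature does NOT validate,
# which would indicate tampering after signing rather than before.
$results |
    Where-Object { $_.KnownBad -or $_.SignStatus -ne 'Valid' } |
    ForEach-Object {
        Write-Warning ("Investigate: {0} (version={1}, status={2}, knownBad={3})" -f
            $_.Path, $_.Version, $_.SignStatus, $_.KnownBad)
    }
```

Run this from an elevated PowerShell session on each Orion server. The design point is that the signature status and the hash verdict are reported side by side: a file that is both "Valid" and "KnownBad" is exactly the case this step of the attack relies on, and it is the reason an allowlist keyed only on the signer identity cannot catch a compromised build.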
Criminals were able to modify the software and