SolarWinds SUNBURST (also known as SUNBURST, Solorigate) is a campaign / breach active since 2020. SolarWinds supply chain compromise. Key characteristics include: supply chain attack via Orion update, 18K+ organizations affected, APT29/Cozy Bear attribution, SUNSPOT build implant.
Overview & Background
SolarWinds supply chain compromise. First identified in 2020, this threat is attributed to Russia (SVR) / APT29.
SolarWinds SUNBURST remains an active threat. Organizations should implement detection rules and monitor for indicators associated with this campaign / breach.
- Category: Campaign / Breach
- Active since: 2020
- Attribution: Russia (SVR) / APT29
- Also known as: SUNBURST, Solorigate
Technical Analysis
SolarWinds SUNBURST employs the following capabilities and techniques:
- Supply Chain Attack Via Orion Update: Core functionality
- 18K+ Organizations Affected: Core functionality
- Apt29/Cozy Bear Attribution: Core functionality
- Sunspot Build Implant: Core functionality
MITRE ATT&CK Mapping
| Tactic | Technique | Usage |
|---|---|---|
| Initial Access | T1566.001 Phishing Attachment | Common delivery vector |
| Execution | T1204.002 Malicious File | User-triggered execution |
| Persistence | T1547.001 Registry Run Keys | Autostart persistence |
| Defense Evasion | T1027 Obfuscated Files | Payload obfuscation |
| C2 | T1071.001 Web Protocols | HTTP/HTTPS C2 |
Detection & Defense
- Endpoint detection: Deploy behavioral detection rules for SolarWinds SUNBURST indicators
- Network monitoring: Monitor for C2 traffic patterns and anomalous connections
- Threat intelligence: Track SolarWinds SUNBURST IOCs and campaign updates
- Security awareness: Train users to recognize phishing and social engineering
- Patch management: Keep systems updated to prevent exploitation
Defend Against SolarWinds SUNBURST
Mjolnir Security provides detection and response capabilities against SolarWinds SUNBURST and similar threats.
- Proactive Threat Hunting Hunt for SolarWinds SUNBURST indicators and TTPs within your environment.
- Threat Intelligence Monitor SolarWinds SUNBURST campaigns and infrastructure changes.
- 24/7 Incident Response Rapid containment and forensic investigation. Call +1 833 403 5875.
Stay ahead of emerging threats. Get notified when we publish new intelligence reports and advisories.
Subscribe to Alerts