As investigations into the SolarWinds supply-chain breach progress, CrowdStrike has described a third malware component, named "Sunspot." Unlike the previously disclosed pieces, Sunspot ran on SolarWinds' own build systems: its job was to inject the Sunburst backdoor into the Orion network monitoring software while the product was being compiled. It joins the two components already known, the Sunburst backdoor itself and the Teardrop second-stage loader.
Sudhakar Ramakrishna, SolarWinds' CEO, has emphasized the sophistication of Sunspot, saying the code was crafted to introduce Sunburst into the Orion Platform without alerting the development teams. SolarWinds' updated timeline puts the attackers' first unauthorized access to its environment on September 4, 2019, and their tampering with the build system in October 2019, when test modifications were inserted into an Orion build. Because the backdoored source was compiled through SolarWinds' normal pipeline, the resulting binaries carried the company's legitimate code signature.
According to CrowdStrike's analysis, Sunspot runs under the filename "taskhostsvc.exe" and first grants itself SeDebugPrivilege so that it can read the memory of other processes. It then polls for instances of MsBuild.exe, the Visual Studio build tool, and reads each one's command line to determine whether it is compiling the Orion solution. When it finds an Orion build, it replaces one source file (InventoryManager.cs) with a copy containing the Sunburst backdoor code, waits for the compilation to finish, and restores the original file, so a developer inspecting the repository or the working tree after the build sees nothing out of place. The malicious code thus enters the product during construction rather than through a modified commit.
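The build-host behaviour described above leaves two observable traces on a Windows machine with suitable auditing: a process enabling SeDebugPrivilege (Security event 4703, "A token right was adjusted", produced when the "Audit Authorization Policy Change" subcategory is on) and that same process opening MsBuild.exe with read access (Sysmon event 10, ProcessAccess, with PROCESS_VM_READ in GrantedAccess). The following detector, an added example that is not CrowdStrike's or SolarWinds' code, correlates the two over a handful of constructed event records. The event values, the allow-list of images permitted to touch the build tool, and the image paths are all assumptions for the example; the field names are the ones the two Windows event types actually carry.

```python
"""Correlate Windows telemetry for a Sunspot-style build hijack.

Added example (not CrowdStrike's or SolarWinds' code). Flags any process
that enabled SeDebugPrivilege (Security 4703) and then opened MsBuild.exe
with PROCESS_VM_READ (Sysmon 10). Event records below are constructed.
"""

# PROCESS_VM_READ bit of the Win32 process access mask, as Sysmon reports
# it in the GrantedAccess field of event 10.
PROCESS_VM_READ = 0x0010

# Images that legitimately open MsBuild.exe on a build host. Hypothetical
# allow-list for the example; tune it to the real build agents.
BUILD_HOST_ALLOWLIST = {
    r"c:\program files (x86)\microsoft visual studio\2019\professional"
    r"\common7\ide\devenv.exe",
    r"c:\windows\system32\csrss.exe",
}


def _pid(value):
    """Normalise a PID: 4703 logs hex text ('0x1a2c'), Sysmon logs decimal."""
    if isinstance(value, int):
        return value
    text = value.strip().lower()
    return int(text, 16) if text.startswith("0x") else int(text, 10)


def _image_name(path):
    return path.rsplit("\\", 1)[-1].lower()


def enables_debug_privilege(event):
    """True for a Security 4703 record whose enabled list names SeDebugPrivilege."""
    if event.get("EventID") != 4703:
        return False
    enabled = event.get("EnabledPrivilegeList", "").replace("\r\n", " ")
    return "SeDebugPrivilege" in enabled.split()


def reads_msbuild_memory(event, allowlist=BUILD_HOST_ALLOWLIST):
    """True for a Sysmon 10 record where a non-allow-listed image opens
    MsBuild.exe with PROCESS_VM_READ (enough to read its command line)."""
    if event.get("EventID") != 10:
        return False
    if _image_name(event.get("TargetImage", "")) != "msbuild.exe":
        return False
    if event.get("SourceImage", "").lower() in allowlist:
        return False
    granted = int(event.get("GrantedAccess", "0x0"), 16)
    return bool(granted & PROCESS_VM_READ)


def correlate(events, allowlist=BUILD_HOST_ALLOWLIST):
    """Walk events in the given (assumed chronological) order and return one
    finding per MsBuild.exe memory read by a non-allow-listed process,
    noting whether that process had earlier enabled SeDebugPrivilege."""
    debug_enabled = {}  # pid -> image of the process that enabled SeDebugPrivilege
    findings = []
    for ev in events:
        if enables_debug_privilege(ev):
            debug_enabled[_pid(ev["ProcessId"])] = ev["ProcessName"]
        elif reads_msbuild_memory(ev, allowlist):
            pid = _pid(ev["SourceProcessId"])
            findings.append({
                "pid": pid,
                "image": ev["SourceImage"],
                "target_pid": _pid(ev["TargetProcessId"]),
                "debug_privilege": pid in debug_enabled,
                "time": ev["UtcTime"],
            })
    return findings


MSBUILD = (r"C:\Program Files (x86)\Microsoft Visual Studio\2019\Professional"
           r"\MSBuild\Current\Bin\MSBuild.exe")

# Constructed sample telemetry (not captured logs). 0x1a2c == 6700.
SAMPLE_EVENTS = [
    {"EventID": 4703, "UtcTime": "2020-02-20 10:12:01", "ProcessId": "0x1a2c",
     "ProcessName": r"C:\Windows\Temp\taskhostsvc.exe",
     "EnabledPrivilegeList": "SeDebugPrivilege", "DisabledPrivilegeList": "-"},
    {"EventID": 10, "UtcTime": "2020-02-20 10:12:05", "SourceProcessId": "6700",
     "SourceImage": r"C:\Windows\Temp\taskhostsvc.exe",
     "TargetProcessId": "8844", "TargetImage": MSBUILD, "GrantedAccess": "0x1010"},
    # The IDE opening its own build tool: allow-listed, not reported.
    {"EventID": 10, "UtcTime": "2020-02-20 10:12:06", "SourceProcessId": "4120",
     "SourceImage": r"C:\Program Files (x86)\Microsoft Visual Studio\2019\Professional"
                    r"\Common7\IDE\devenv.exe",
     "TargetProcessId": "8844", "TargetImage": MSBUILD, "GrantedAccess": "0x1fffff"},
    # An unknown tool querying limited info only (no VM_READ): not reported.
    {"EventID": 10, "UtcTime": "2020-02-20 10:12:07", "SourceProcessId": "5012",
     "SourceImage": r"C:\Tools\procmon.exe",
     "TargetProcessId": "8844", "TargetImage": MSBUILD, "GrantedAccess": "0x1000"},
]

if __name__ == "__main__":
    for finding in correlate(SAMPLE_EVENTS):
        print(finding)
```

The two signals are deliberately kept separate: a memory read of MsBuild.exe by an unknown image is worth a look on its own, and the SeDebugPrivilege flag only raises its priority. Note the limits: 4703 is not generated unless the audit subcategory is enabled, a build agent that is fully controlled by the attacker can have its telemetry tampered with, and a legitimate debugger or EDR sensor will trip the same rule until it is allow-listed. A simple before/after hash of the source tree does not catch this technique at all, because Sunspot restores the original file when the build ends; file-integrity checks have to sample during the build window.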
The Orion Platform release of October 2019 already contained harmless modifications that appear to have been a test of the attackers' ability to get code into a signed build, consistent with earlier reporting from ReversingLabs. CrowdStrike tracks the intrusion under the name "StellarParticle."
In a related finding, researchers at Kaspersky have noted code overlaps between Sunburst and Kazuar, a backdoor associated with Turla, a Russian state-sponsored cyber-espionage group. Kaspersky has cautioned against drawing firm conclusions from the overlaps, noting that they could reflect shared developers, shared source, or a deliberate false flag intended to mislead attribution.
Despite the uncertainties around those overlaps, U.S. agencies have assessed the operation (which Microsoft calls Solorigate) as likely Russian in origin, heightening concern among business leaders about the risk posed by state-backed intrusions. In MITRE ATT&CK terms, the downstream victims were hit through Supply Chain Compromise (T1195.002, Compromise Software Supply Chain), with Sunburst providing persistence inside the Orion service once the trojanized update was installed. On SolarWinds' own build host, Sunspot's enabling of SeDebugPrivilege was a prerequisite for reading the build process's memory rather than a privilege escalation, since the implant already ran with rights that included that privilege.
The incident is a reminder that a build pipeline is part of the attack surface: an adversary who can run code on the build host can ship a backdoor under the vendor's own signature without touching the source repository. Understanding this class of attack, and instrumenting build systems so that tampering during compilation is visible, is now part of protecting sensitive information and operational integrity.