SolarWinds Sunburst
What is SolarWinds Sunburst?
A 2020 supply-chain attack in which a backdoor named Sunburst was inserted into SolarWinds Orion updates, compromising US government agencies and global enterprises.
Sunburst is the trojanized backdoor planted inside the SolarWinds Orion IT-management platform between March and June 2020 and discovered by FireEye in December 2020. Attackers compromised SolarWinds's build pipeline and added malicious code to legitimately signed Orion updates, which were then deployed to roughly 18,000 organizations. A subset, including the US Departments of Treasury, Commerce, Justice and Homeland Security, FireEye and Microsoft, received follow-on exploitation via the TEARDROP and Cobalt Strike implants. US authorities attributed the campaign to UNC2452 / APT29 (SVR). The incident drove widespread reform of software supply-chain security, including SBOMs and signed builds.
● Examples
- 01
An Orion server beacons to avsvmcloud.com and receives a second-stage Cobalt Strike payload.
- 02
An agency rebuilds its Orion deployment from clean media and rotates all SAML signing certificates.
● Frequently asked questions
What is SolarWinds Sunburst?
A 2020 supply-chain attack in which a backdoor named Sunburst was inserted into SolarWinds Orion updates, compromising US government agencies and global enterprises. It belongs to the Vulnerabilities category of cybersecurity.
How do you defend against SolarWinds Sunburst?
The definition and examples above point to the controls that matter: alert on and block Orion servers beaconing to avsvmcloud.com, rebuild affected Orion deployments from clean media, rotate SAML signing certificates that the intrusion could have exposed, and harden the software supply chain itself with signed builds and SBOMs so a tampered update can be detected before it is deployed.
What are other names for SolarWinds Sunburst?
Common alternative names include: UNC2452, Solorigate, Sunburst backdoor.
● Related terms
- attacks № 1116
Supply Chain Attack
An attack that compromises a trusted third-party software, hardware, or service provider in order to reach its downstream customers.
- malware № 080
Backdoor
A covert mechanism that bypasses normal authentication or access controls to give an attacker future entry to a system.
- defense-ops № 193
Cobalt Strike
A commercial adversary-simulation platform widely used for red-team operations and frequently abused by threat actors for post-exploitation and command-and-control.