Microsoft and the cybersecurity firm FireEye have identified three new malware strains used by the SolarWinds hackers in last year's attack on highly critical private and government cyberinfrastructure in the United States.
According to FireEye and Microsoft’s latest analysis, the SolarWinds hack was far more sinister than it initially appeared to be.
Reportedly, the companies have discovered three more malware strains linked with the alleged Russian threat actor previously reported as Solorigate and now renamed Nobelium by Microsoft and UNC2452 by FireEye.
The attackers breached SolarWinds' Orion software and, using its update mechanism, launched targeted attacks against federal agencies and many high-profile organizations.
Sunshuttle, GoldFinder, and Sibot malware
One of the three strains was identified by FireEye, which dubbed it Sunshuttle. The other two were discovered by Microsoft and were named GoldFinder and Sibot, while Microsoft refers to FireEye's Sunshuttle as GoldMax.
GoldMax (Sunshuttle) is a backdoor, Sibot is a dual-purpose malware, and GoldFinder is a third, separate piece of malware.
The two firms discovered the malware strains in overlapping time frames. Microsoft identified active strains between August and September, but the company believes that the systems were compromised as early as June 2020.
FireEye claims that Sunshuttle was uploaded to a public malware repository in August last year.
SolarWinds Hack a Work of Sophisticated Actors
According to Microsoft, the strains are linked to the previously discovered SolarWinds hacking tools called Sunburst and Teardrop. The new malware strains exhibit traits that further strengthen the assumption that the SolarWinds hack was the act of highly sophisticated actors.
The threat actors used the strains to maintain persistence and execute specific actions on the targeted networks after compromising them. These strains exhibit exceptionally sophisticated detection-evasion techniques and stealthiness.
“They are tailor-made for specific networks and are assessed to be introduced after the actor has gained access through compromised credentials or the SolarWinds binary and after moving laterally with TEARDROP and other hands-on-keyboard actions,” Microsoft researchers explained.
On the other hand, FireEye could not confirm the link between Sunshuttle and the SolarWinds hackers, as it was discovered in the network of one of the victims of the SolarWinds hackers. Nevertheless, the company also believes that Sunshuttle is a very sophisticated 'second-stage backdoor' with decent detection-evading capabilities.