DarkHalo after SolarWinds: the Tomiris connection

Background

In December 2020, news of the SolarWinds incident took the world by storm. While supply-chain attacks were already a documented attack vector leveraged by a number of APT actors, this specific campaign stood out due to the extreme care taken by the attackers and the high-profile nature of their victims. It is believed that when FireEye discovered the first traces of the campaign, the threat actor (DarkHalo aka Nobelium) had already been working on it for over a year. Evidence gathered so far indicates that DarkHalo spent six months inside OrionIT’s networks to perfect their attack and make sure that their tampering with the build chain wouldn’t cause any adverse effects.

The first malicious update was pushed to SolarWinds users in March 2020, and it contained a malware named Sunburst. We can only assume that DarkHalo leveraged this access to collect intelligence until the day they were discovered. The following timeline sums up the different steps of the campaign:

Kaspersky’s GReAT team also investigated this supply-chain attack, and released two blog posts about it:

In December 2020, we analyzed the DNS-based protocol of the malicious implant and determined it leaked the identity of the victims selected for further exploitation by DarkHalo.
One month later, we discovered interesting similarities between Sunburst and Kazuar, another malware family linked to Turla by