SUNBURST
⚠️ Overview
SUNBURST is a backdoor discovered in December 2020 by FireEye while investigating the intrusion into its own network, which led to the discovery of the SolarWinds Orion supply chain attack. It is attributed to the Russian SVR-linked group APT29 (also tracked as Cozy Bear, Nobelium and UNC2452; MITRE ATT&CK group G0016). Delivered inside a digitally signed, trojanized Orion update, SUNBURST functions as a stealthy remote access trojan built for long-term espionage.
🔧 Technical Capabilities
SUNBURST does not self-propagate. The attackers compromised SolarWinds' build environment and inserted the backdoor into SolarWinds.Orion.Core.BusinessLayer.dll during the build, so the resulting DLL carried a valid SolarWinds code-signing signature and reached customers through the normal Orion update channel. Once the Orion business-layer service loads the DLL, the backdoor stays dormant for a randomized period of roughly 12 to 14 days and then runs a series of checks: the host must be domain-joined, DNS resolution must work, and none of a built-in blocklist of security products, analysis tools, services and drivers may be present; if any check fails it stays quiet. Its first C2 stage is DNS. It resolves DGA-generated subdomains of avsvmcloud[.]com (of the form <encoded data>.appsync-api.<region>.avsvmcloud[.]com) whose labels encode an identifier derived from the victim's Active Directory domain and machine, and the DNS response tells it whether to stop or to proceed to a second-stage HTTP C2 server named in a CNAME record. Second-stage C2 mimics the Orion Improvement Program (OIP) protocol: commands arrive hidden inside HTTP responses that look like legitimate Orion API traffic, results go back in JSON bodies with the same look, and the payloads are compressed and XOR-encoded rather than protected by a conventional cipher, as documented in FireEye's December 2020 report. Supported commands include process, service and file enumeration, registry reads and writes, file writes and execution, and disabling security services by setting their Start value to 4 in the registry. Persistence comes from the Orion service itself: the backdoor runs only because the legitimate service loads the trojanized DLL, so it survives reboots without a Run key or scheduled task of its own, and removing it means replacing the DLL with a clean build rather than deleting a stray file.
📜 History & Notable Incidents
The trojanized code was introduced into Orion builds between March and June 2020, after the attackers compromised SolarWinds' build system (the implant used there is tracked separately as SUNSPOT). SolarWinds reported that approximately 18,000 customers downloaded an affected update; the attackers followed up with hands-on-keyboard intrusion at a much smaller targeted subset, roughly 100 organizations. Confirmed victims include the U.S. Departments of Treasury, Commerce, Homeland Security and State, as well as Microsoft and FireEye. (CrowdStrike reported an unsuccessful attempt against it through a Microsoft reseller's account, not a SUNBURST infection.) No CVE was exploited by SUNBURST itself; initial access came through a trusted supply chain relationship, MITRE ATT&CK technique T1195.002 (Supply Chain Compromise: Compromise Software Supply Chain). In April 2021 the U.S. government formally attributed the campaign to the SVR and imposed sanctions on entities and individuals linked to it.
🔍 Detection Indicators
Known file hashes for trojanized builds of SolarWinds.Orion.Core.BusinessLayer.dll include SHA256 ce77d116a074dab7a22a0fd4f2c1ab475f16eec42e1ded3c0b0aa8211fe859d6 and MD5 32519b85c0b422e4656c54b01d5c1652, from FireEye's published indicator set, which CISA alert AA20-352A also references. Network indicators of compromise (IOCs) include avsvmcloud[.]com (stage-one DNS beacons appear as long random-looking labels under appsync-api.<region>.avsvmcloud[.]com) and second-stage domains such as digitalcollege[.]org, freescanonline[.]com, deftsecurity[.]com and thedoccloud[.]com. Behavioral indicators: the trojanized DLL is loaded by the Orion business-layer host process (SolarWinds.BusinessLayerHost.exe), the backdoor creates the named pipe 583da945-62af-10e8-4902-a8f205c72b2e to ensure only one instance runs, its HTTP C2 uses a User-Agent mimicking the Orion Improvement Program client, and it may disable security services by setting HKLM\SYSTEM\CurrentControlSet\Services\<service>\Start to 4. Orion servers making DNS queries to avsvmcloud[.]com, or HTTPS connections to hosts other than SolarWinds' own update and licensing infrastructure, warrant immediate investigation.
☠️ Risk & Impact
SUNBURST primarily enables long-term espionage and data exfiltration, giving the attackers a foothold on Orion servers from which they stole sensitive government and corporate data, including email archives, source code and intellectual property. In the targeted intrusions the actor followed the backdoor with a memory-only dropper (TEARDROP) delivering Cobalt Strike BEACON, and abused federated identity (stolen ADFS token-signing keys and forged SAML tokens) to reach cloud-hosted email without touching the compromised server again. The U.S. Government Accountability Office estimated the financial impact across affected agencies exceeded $100 million in remediation costs. Sectors most affected: government, defense, telecommunications and critical infrastructure.
🛡️ Mitigation
Mitigation starts with treating every host that ran a trojanized build (Orion Platform 2019.4 HF5, 2020.2 and 2020.2 HF1) as compromised rather than merely unpatched: upgrade to 2020.2.1 HF2 or 2019.4 HF6 (or rebuild from a known-good image), then rotate every credential the Orion server held or could reach, including service accounts, stored SNMP, WMI and SSH credentials and, where the actor reached the identity tier, ADFS token-signing certificates. CISA Emergency Directive 21-01 ordered federal agencies to disconnect or power down affected Orion instances and preserve forensic images before rebuilding; CISA alert AA20-352A and FireEye's public countermeasures (YARA, Snort and ClamAV rules on GitHub) provide the detection content, including monitoring for DNS queries to avsvmcloud[.]com subdomains and the other known C2 domains. Segment Orion servers from the rest of the network and restrict their outbound traffic, since the backdoor depends on unrestricted DNS and HTTPS egress, and keep Microsoft 365 Defender or equivalent EDR on those hosts for ongoing monitoring.
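As an added example (not code from the original page, from FireEye or from CISA), the script below turns the indicators in the Detection Indicators section and the DNS monitoring recommended above into a small offline hunt: it classifies DNS query names against the stage-one beacon pattern and the known C2 domains, matches DLL hashes against the published values, and parses a .reg-style export for watchlisted services whose Start value has been set to 4. The DNS log line format, the registry export and all sample records are constructed for illustration, as is the service watchlist.

```python
"""Hunt for SUNBURST indicators in constructed DNS logs, DLL hashes and a
registry export. Added example for this page; not code from FireEye, CISA or
SolarWinds. The log format, registry export and sample records are constructed."""
import hashlib
import re
from typing import List, Optional, Set, Tuple

# Published SUNBURST C2 domains (defanged in the prose above, plain here).
KNOWN_C2_DOMAINS = {"avsvmcloud.com", "digitalcollege.org", "freescanonline.com",
                    "deftsecurity.com", "thedoccloud.com"}

# Stage-one DNS beacon shape: <DGA-encoded victim data>.appsync-api.<region>.avsvmcloud.com
BEACON_RE = re.compile(
    r"^([a-z0-9]{10,})\.appsync-api\.(eu-west-1|us-east-1|us-east-2|us-west-2)"
    r"\.avsvmcloud\.com$", re.IGNORECASE)

# Hashes of the trojanized SolarWinds.Orion.Core.BusinessLayer.dll listed above.
KNOWN_BAD_SHA256 = {"ce77d116a074dab7a22a0fd4f2c1ab475f16eec42e1ded3c0b0aa8211fe859d6"}
KNOWN_BAD_MD5 = {"32519b85c0b422e4656c54b01d5c1652"}


def classify_qname(qname: str) -> Optional[str]:
    """Return 'dga-beacon', 'c2-domain' or None for one DNS query name."""
    q = qname.rstrip(".").lower()          # tolerate a trailing root dot
    if BEACON_RE.match(q):
        return "dga-beacon"
    # Exact match or a true subdomain; 'notavsvmcloud.com' must not match.
    if any(q == d or q.endswith("." + d) for d in KNOWN_C2_DOMAINS):
        return "c2-domain"
    return None


def hunt_dns(lines: List[str]) -> List[Tuple[str, str, str]]:
    """Scan constructed 'timestamp client qname' lines; return (kind, client, qname)."""
    hits = []
    for line in lines:
        parts = line.split()
        if len(parts) < 3:
            continue                        # skip blank or malformed lines
        kind = classify_qname(parts[2])
        if kind:
            hits.append((kind, parts[1], parts[2]))
    return hits


def digests_match(sha256_hex: str, md5_hex: str) -> Optional[str]:
    """Compare already-computed digests against the published bad hashes."""
    if sha256_hex.lower() in KNOWN_BAD_SHA256:
        return "sha256:" + sha256_hex.lower()
    if md5_hex.lower() in KNOWN_BAD_MD5:
        return "md5:" + md5_hex.lower()
    return None


def hash_matches(dll_image: bytes) -> Optional[str]:
    """Hash a DLL image (bytes read from disk) and check it against the IOCs."""
    return digests_match(hashlib.sha256(dll_image).hexdigest(),
                         hashlib.md5(dll_image).hexdigest())


def disabled_services(reg_export: str, watchlist: Set[str]) -> List[str]:
    """Parse a .reg-style export and return watchlisted services whose Start
    value is 4 (disabled), the registry change SUNBURST makes to security
    services it finds running. The watchlist is supplied by the analyst."""
    key_re = re.compile(
        r"^\[HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\([^\]\\]+)\]$",
        re.IGNORECASE)
    wanted = {w.lower() for w in watchlist}
    found, current = [], None
    for raw in reg_export.splitlines():
        line = raw.strip()
        m = key_re.match(line)
        if m:
            current = m.group(1)            # entering a new service key
            continue
        if current and line.lower() == '"start"=dword:00000004' and current.lower() in wanted:
            found.append(current)
    return found


# Constructed sample input: one Orion server beaconing, one benign host.
DNS_LOG = """\
2020-12-14T08:01:12Z 10.20.30.40 k5kcubuassl3alrf7gm3.appsync-api.us-east-2.avsvmcloud.com
2020-12-14T08:01:13Z 10.20.30.40 api.solarwinds.com
2020-12-14T08:05:44Z 10.20.30.41 www.example.com
2020-12-14T09:12:01Z 10.20.30.40 freescanonline.com.
""".splitlines()

# Constructed registry export: one watchlisted service disabled, one untouched.
REG_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Sense]
"Start"=dword:00000004

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W32Time]
"Start"=dword:00000003
"""


def run_hunt() -> dict:
    """Run all three checks over the constructed samples and return a summary."""
    return {
        "dns": hunt_dns(DNS_LOG),
        "dll": hash_matches(b"MZ\x90\x00 constructed placeholder, not a real DLL"),
        "services": disabled_services(REG_EXPORT, {"Sense", "WinDefend"}),
    }


if __name__ == "__main__":
    for check, result in run_hunt().items():
        print(check, result)
```

The domain check deliberately requires an exact match or a true subdomain so that look-alike names such as notavsvmcloud.com are not flagged; in production the DNS source would be resolver or firewall logs rather than the inline list, and a hit on the beacon pattern from any Orion server should trigger the isolate-and-image steps in Emergency Directive 21-01 rather than a silent alert.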
Similar Threats
ⓘ Data Notice: The information presented above has been compiled from publicly available internet sources. Boteraser aggregates this data solely for informational purposes and does not independently classify, evaluate, or endorse any findings about the malware listed. The accuracy and completeness of this information is the sole responsibility of the original publishers. Boteraser and its operators accept no liability for any decisions made based on this data.