SUNBURST is a trojanized DLL implanted into recent updates of the SolarWinds Orion platform that creates a backdoor into the affected system. It is unclear how many of SolarWinds’ 300,000 customers’ systems may have been attacked, but the attack appears to stretch back months. Based on the level of sophistication of the attack, it is believed to be an attacker targeting specific government and critical infrastructure organizations, as well as businesses with valuable intellectual property.
The SUNBURST compromise is believed to be attributable to a state-sponsored attacker. The attackers are believed to be targeting valuable intellectual property and government intelligence information. The attacker is thought to be focused on organizations in the following industries: pharmaceutical research, government intelligence, aerospace, oil and gas, and other critical infrastructure.
The attacker is not thought to be financially motivated; ransomware or data extortion is not expected. As such, there is a low risk of impact for the majority of affected organizations that do not hold intellectual property or intelligence data of the kind described above.
West Monroe’s group of cyberattack experts can identify whether the compromised components have been deployed in your environment. The process includes performing an expedited threat hunt with the help of Intellio® Hunt to detect compromise. This proprietary hunt investigates current attack behaviors and provides visibility into past attacker behaviors.
We deploy a 60-day license of Carbon Black, which allows us to contain communication from the affected systems and hunt for unusual activity. We can also assist with upgrading to patch level 2020.2.1 HF 2 once it is made available.