Back in December 2020, the SolarWinds cyberattack blew up with FireEye’s statements on the hack. Since then, it has been publicly shared that a single, Russia-based actor was responsible for the large-scale attack, whose damage we are still measuring.
However, new evidence suggests that there probably was a second, unrelated actor that also targeted SolarWinds’ infrastructure, with great success.
Early findings showed that the Sunburst backdoor was used to successfully hack SolarWinds’ Orion platform. The same reports also mentioned the name “Supernova”, referring to a second piece of malware used in the attack.
Yet, as understanding of this cyberattack grows, it has become apparent that the Supernova malware was not directly related to the Sunburst backdoor; it instead appears to be a separate instance of the attack, carried out by other agents.
Bigger and Worse
As suggested before, it will take a long time for the public to understand the real implications and consequences of this cyberattack. It is already causing shockwaves politically and economically. So, it was predictable that new findings would point to damage of an ever larger magnitude.
The findings related to the Supernova malware are exactly that.
Major authorities in this case, such as FireEye, Microsoft, and Palo Alto Networks, now agree that the use of the Supernova malware belongs to an additional threat agent who was not previously part of the equation.
While both the Sunburst backdoor exploit and the Supernova malware target the Orion platform, the latest statements indicate that multiple, unrelated players were involved.
The Supernova malware exploited a zero-day flaw in the Orion platform known as CVE-2020-10148, now patched according to SolarWinds. This flaw allowed Supernova to bypass authentication, which in turn allowed the malicious agent to execute API commands.
SolarWinds made a public statement on the Supernova malware, saying that “Supernova is not a malicious code embedded within the builds of our Orion Platform as a supply chain attack. It is malware that is separately placed on a server that requires unauthorized access to a customer’s network and is designed to appear to be part of a SolarWinds product.”
While private parties are actively investigating the SolarWinds cyberattacks, US officials are still quiet about the case. It’s widely believed, at least according to current evidence and only referring to the Sunburst backdoor exploit, that the cyberattack was carried out by Russian state-sponsored agents. Besides what private parties have shared so far, there has been no public discussion coming from US authorities.
Regarding the Supernova malware, even less has been shared. Leading authorities in the case have not stated whether the threat group behind this malware is also Russia-backed, but more details can be expected soon.
President Trump has addressed the cyberattack in a limited fashion and suggested that China-backed actors may be behind the attack instead of Russian ones. Nonetheless, we can rest assured that we will know plenty more details in the following months as organizations involved in the investigation find more evidence and geopolitical developments take place.