Supernova Malware Suggests Second Actor in SolarWinds Cyberattack


Back in December 2020, the SolarWinds cyberattack blew up with FireEye’s statements on the hack. Since then, it has been publicly shared that a single, Russia-based actor was responsible for the large-scale attack, whose damage we are still measuring.

However, new evidence suggests that there was probably a second, unrelated actor targeting SolarWinds’ infrastructure, with great success.

Early findings showed that the Sunburst backdoor was used to successfully hack the SolarWinds Orion platform. Alongside those reports, the name “Supernova” appeared, referring to a piece of malware also used in the attack.

Yet, as our understanding of this cyberattack grows, it has become apparent that the Supernova malware was not directly related to the Sunburst backdoor, suggesting instead that it was a separate instance of the attack, carried out by other agents.

Bigger and Worse

As suggested before, it will take a long time for the public to understand the real implications and consequences of this cyberattack. It is already causing shockwaves politically and economically, so it was predictable that new findings would suggest damage of an increasingly bigger magnitude.

The findings related to the Supernova malware are exactly this.

Major authorities in this case, such as FireEye, Microsoft, and Palo Alto Networks, now agree that the use of the Supernova malware belongs to an additional threat agent not previously included in the equation.

While both the Sunburst backdoor exploit and the Supernova malware target the Orion platform, the latest statements indicate that multiple, unrelated players were involved.

Zero-Day Flaw

The Supernova malware exploited a zero-day flaw in the Orion platform, known as CVE-2020-10148 and now patched according to SolarWinds. This flaw allowed Supernova to bypass authentication, letting the malicious agent execute API commands.

SolarWinds made a public statement on the Supernova malware, saying that “Supernova is not a malicious code embedded within the builds of our Orion Platform as a supply chain attack. It is malware that is separately placed on a server that requires unauthorized access to a customer’s network and is designed to appear to be part of a SolarWinds product.”
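SolarWinds’ description points to a practical defender-side check: a component that was “separately placed” on a server to look like part of a product should not carry the vendor’s valid Authenticode signature. The PowerShell below is an added example, not code from this article, from SolarWinds, or from any vendor cited here. It walks a product install directory and reports binaries whose signature is missing, broken, or from an unexpected signer. The install path and the expected signer string are assumptions to set for your own deployment.

```powershell
# Added example, not from the article, SolarWinds, or the vendors it cites.
# Defender-side check: list product binaries whose Authenticode signature is
# not valid or whose signer is not the expected vendor.
# $ProductRoot and $ExpectedSigner are assumptions; set them for your deployment.

function Test-ProductBinarySignatures {
    param(
        [Parameter(Mandatory)] [string] $ProductRoot,    # assumed install directory
        [Parameter(Mandatory)] [string] $ExpectedSigner  # assumed substring of the vendor certificate Subject
    )

    Get-ChildItem -Path $ProductRoot -Recurse -File -Include *.dll, *.exe |
        ForEach-Object {
            $sig    = Get-AuthenticodeSignature -FilePath $_.FullName
            $signer = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '' }

            # Unsigned, tampered (hash mismatch), or signed by someone else: worth triage.
            $suspicious = ($sig.Status -ne 'Valid') -or ($signer -notlike "*$ExpectedSigner*")

            [pscustomobject]@{
                Path          = $_.FullName
                Status        = $sig.Status
                Signer        = $signer
                LastWriteTime = $_.LastWriteTime
                Suspicious    = $suspicious
            }
        }
}

# Usage: the path and signer below are placeholders, not values from the article.
$findings = Test-ProductBinarySignatures -ProductRoot 'C:\Program Files (x86)\SolarWinds\Orion' `
                                         -ExpectedSigner 'SolarWinds'

# Newest suspicious files first: a recently written, unsigned binary in a product
# directory is exactly the kind of "placed" component the statement describes.
$findings | Where-Object Suspicious | Sort-Object LastWriteTime -Descending |
    Format-Table Path, Status, Signer, LastWriteTime -AutoSize
```

This only covers compiled binaries; script-based web components (for example ASP.NET handlers) are not Authenticode-signed, so pair the check with a file inventory baseline of the install directory and alert on additions or modifications outside of vendor patch windows.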

Silent Authorities

While private parties are actively investigating the SolarWinds cyberattacks, US officials are still quiet about the case. It’s widely believed, at least according to current evidence and only referring to the Sunburst backdoor exploit, that the cyberattack was carried out by Russian state-sponsored agents. Besides what private parties have shared so far, there has been no public discussion coming from US authorities.

Regarding the Supernova malware, even less has been shared. Leading authorities in the case have not stated whether the threat group behind this malware is also Russia-backed, but we can expect more details on this soon.

President Trump has addressed the cyberattack in a limited fashion and suggested that China-backed actors may be behind the attack instead of Russian ones. Nonetheless, we can rest assured that we will know plenty more details in the following months as organizations involved in the investigation find more evidence and geopolitical developments take place.

More Articles by Julie Security