As the investigation into the SolarWinds supply-chain attack continues, cybersecurity researchers have disclosed a third malware strain that was deployed into the build environment to inject the backdoor into the company’s Orion network monitoring platform.
Called “Sunspot,” the malignant tool adds to a growing list of previously disclosed malicious software such as Sunburst and Teardrop.
“This highly sophisticated and novel code was designed to inject the Sunburst malicious code into the SolarWinds Orion Platform without arousing the suspicion of our software development and build teams,” SolarWinds’ new CEO Sudhakar Ramakrishna explained.
While preliminary evidence found that operators behind the espionage campaign managed to compromise the software build and code signing infrastructure of SolarWinds Orion platform as early as October 2019 to deliver the Sunburst backdoor, the latest findings reveal a new timeline that establishes the first breach of SolarWinds network on September 4, 2019 — all carried out with an intent to deploy Sunspot.
“Sunspot monitors running processes for those involved in compilation of the Orion product and replaces one of the source files to include the Sunburst backdoor code,” Crowdstrike researchers said in a Monday analysis.
Crowdstrike is tracking the intrusion under the moniker “StellarParticle.”
Once installed, the malware (“taskhostsvc.exe”) grants itself debugging privileges and sets about its task of hijacking the Orion build workflow by monitoring running software processes on the server, and subsequently replace a source code file in the build directory with a malicious variant to inject Sunburst while Orion is being built.
The subsequent October 2019 version of the Orion Platform release appears to have contained modifications designed to test the perpetrators’ ability to insert code into our builds,” Ramakrishna said, echoing previous reports from ReversingLabs.
The development comes as Kaspersky researchers found what appears to be a first potential connection between Sunburst and Kazuar, a malware family linked to Russia’s Turla state-sponsored cyber-espionage outfit.
The cybersecurity firm, however, refrained from drawing too many inferences from the similarities, instead suggesting that the overlaps may have been intentionally added to mislead attribution.
While the similarities are far from a smoking gun tying the hack to Russia, U.S. government officials last week formally pinned the Solorigate operation on an adversary “likely Russian in origin.”