CrowdStrike has identified a third malware strain used in the SolarWinds supply chain attack, and it sheds light on how the attackers compromised the build process for SolarWinds' Orion platform.
Named Sunspot, this finding adds to the previously discovered Sunburst and Teardrop strains. Although Sunspot is the latest discovery, there is evidence that it was the first of the three deployed: its use dates back to September 2019, when the attackers first breached SolarWinds' internal network.
Sunspot was planted on a SolarWinds build server, where its only job was to watch for build jobs that compiled Orion. When one started, it silently replaced Orion source files with versions that loaded the Sunburst malware, so the resulting Orion builds installed Sunburst alongside the legitimate product and left the build server as releases produced by SolarWinds' own pipeline.
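The build-time substitution described above lends itself to a concrete defensive check. The following is an added example, not code from SolarWinds or CrowdStrike: a toy build pipeline that records the hash of every source file at the moment the compiler reads it and compares it against a manifest taken from the clean checkout. The simulated implant swaps one file in for the duration of the compile and restores the original afterwards (CrowdStrike's analysis reported that Sunspot restored the original files once the build finished), which is why a before-and-after diff of the source tree reports clean while the compile-time check flags the substituted file. All file names and contents are constructed for the demo.

```python
"""Build-input integrity check against Sunspot-style source substitution.

Added example, not SolarWinds or CrowdStrike code. Three stages are modelled:
(1) a manifest of expected hashes taken from the clean checkout,
(2) a compile step that hashes each file at the moment it reads it, and
(3) a post-build comparison of the tree against the manifest.
A simulated implant swaps a file only while the compile runs, so only
stage (2) catches it. Paths and file contents are constructed.
"""
import hashlib
import tempfile
from pathlib import Path


def sha256_bytes(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def manifest(src_dir: Path) -> dict:
    """Hash every file under src_dir, keyed by POSIX-style relative path."""
    return {p.relative_to(src_dir).as_posix(): sha256_bytes(p.read_bytes())
            for p in sorted(src_dir.rglob("*")) if p.is_file()}


def compile_sources(src_dir: Path, expected: dict):
    """Toy compiler: hash exactly the bytes it is about to consume and refuse
    any file whose hash differs from the checkout manifest.
    Returns (compiled relative paths, tampered relative paths)."""
    compiled, tampered = [], []
    for rel, want in expected.items():
        data = (src_dir / rel).read_bytes()   # what the compiler actually reads
        if sha256_bytes(data) != want:
            tampered.append(rel)              # substituted during the build
            continue
        compiled.append(rel)                  # real compiler would emit objects here
    return compiled, tampered


def simulated_implant(src_dir: Path, target: str, payload: bytes, build):
    """Models the behaviour CrowdStrike described for Sunspot: swap the
    source file while the build runs, then put the original back."""
    path = src_dir / target
    original = path.read_bytes()
    path.write_bytes(payload)
    try:
        return build()
    finally:
        path.write_bytes(original)            # tree looks clean after the build


def run_demo() -> dict:
    """Run the pipeline once with the implant active and report what each
    stage observed."""
    with tempfile.TemporaryDirectory() as tmp:
        src = Path(tmp) / "Orion"
        (src / "Core").mkdir(parents=True)
        # Constructed sample sources (names are hypothetical).
        (src / "Core" / "Module.cs").write_text("class Module {}\n")
        (src / "Core" / "Scheduler.cs").write_text("class Scheduler {}\n")

        expected = manifest(src)              # stage 1: clean checkout
        backdoored = b"class Module { /* loads implant */ }\n"
        compiled, tampered = simulated_implant(
            src, "Core/Module.cs", backdoored,
            lambda: compile_sources(src, expected))  # stage 2: compile-time check
        post_build_clean = manifest(src) == expected  # stage 3: naive diff
        return {"compiled": compiled, "tampered": tampered,
                "post_build_clean": post_build_clean}


if __name__ == "__main__":
    print(run_demo())
```

The naive post-build comparison returns clean because the implant restored the file, which is the whole point: the manifest must be enforced by whatever reads the sources, not by an audit that runs after the compiler has finished.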
The trojanized Orion builds eventually reached one of SolarWinds' official update servers and were installed by customers worldwide. Sunburst would activate inside the internal networks of businesses and government agencies, collect data about each victim, and send it back to the attackers encoded in DNS requests. If the threat actors judged a victim worth compromising further, they deployed the more powerful Teardrop backdoor; on networks deemed insignificant or too risky, they instructed Sunburst to delete itself.