Dragonfly Hunts SUNBURST

December 23, 2020

When cybersecurity makes the national news, especially in 2020, a major breach has most certainly occurred. These past couple of weeks have been all about the Sunburst malware attack on SolarWinds. So far, this attack has affected dozens of organizations that are customers of SolarWinds’ Orion network management software, including FireEye. Experts believe the victim count will continue to increase. We now believe the Russian group Cozy Bear initiated the attack.

This attack calls some specific cybersecurity techniques into question. Sunburst only begins communicating outbound when a specific set of conditions is met. It has been reported that execution is delayed by 12-14 days, which makes detection in a sandbox environment a significant problem. It has also been reported that Sunburst will not communicate if the host is not joined to a domain, meaning it will never communicate outbound in a typical sandbox environment.

The attackers inserted their malware into an update of the company’s Orion product, which may have been installed by more than 17,000 customers. Thus far, each victim has shown a different post-infection signature.

Braintrace’s Dragonfly on the Hunt

Sunburst is challenging to detect but not impossible. Several Indicators of Compromise (IOCs) have already been established that let defenders determine whether this attack has occurred in their environment.

Braintrace’s Dragonfly is continuously updating its Deep Packet Inspection (DPI) engine rules to discover this new malware’s various digital footprints. Dragonfly uses four different engines to track down malware. Braintrace continues to enhance our rules and engage in threat hunting as new Sunburst IOCs are discovered.