• Military
• WMD

• Intelligence Menu               

• Systems
• Operations
• Countries
• Hot Documents
• News
• Reports
• Policy
• Budget
• Congress
• Imagery
• Links

• Homeland Security
• Space

APT Sunburst

Beginning as early as January 2019, a threat actor breached the computing networks at SolarWinds—a Texas-based network management software company, The U.S. Government attributed this activity to the Russian Foreign Intelligence Service (SVR). The threat actor inserted a “backdoor”—a malicious program that can potentially give an intruder remote access to an infected computer—into a genuine version of that software product. Beginning in early 2020 the threat actor then used this backdoor.

The IT management company known as SolarWinds was breached in March 2020. SolarWinds claimed over 300,000 customers; ~18,000 were reportedly exposed in this attack. On 21 November 2025 the US Securities and Exchange Commission said it was dropping a lawsuit accusing SolarWinds Corp. and its chief information security officer of failing to warn investors about lax cybersecurity standards before the software developer suffered a huge data breach in 2020. The 2023 case marked the first time the regulator took a public company to court over its handling of a cyberattack.

A zero-day exploit is an exploit that takes advantage of a security vulnerability previously unknown to the general public. By writing an exploit for the previously unknown vulnerability, an attacker creates a potent threat since the compressed time frame between public discoveries of both makes it difficult to defend against. Microsoft discovered that several versions of its enterprise email and calendar server software, Microsoft Exchange Server, were vulnerable to a number of zero-day exploits which had the potential of exposing federal agencies that had the software installed to compromise.

The Cybersecurity and Infrastructure Security Agency (CISA) was aware of compromises of U.S. government agencies, critical infrastructure entities, and private sector organizations by an advanced persistent threat (APT) actor beginning in at least March 2020. CISA determined that this threat posed a grave risk to the Federal Government and state, local, tribal, and territorial governments as well as critical infrastructure entities and other private sector organizations. CISA incident response investigations identified that initial access in some cases was obtained by password guessing, password spraying, and inappropriately secured administrative credentials [T1078] accessible via external remote access services.

This APT actor demonstrated patience, operational security, and complex tradecraft in these intrusions. On December 13, 2020, CISA released Emergency Directive 21-01: Mitigate SolarWinds Orion Code Compromise, ordering federal civilian executive branch departments and agencies to disconnect affected devices. CISA expected that removing this threat actor from compromised environments would be highly complex and challenging for organizations.

SolarWinds Orion is an enterprise network management software suite that includes performance and application monitoring and network configuration management along with several different types of analyzing tools. SolarWinds Orion is used to monitor and manage on-premise and hosted infrastructures. To provide SolarWinds Orion with the necessary visibility into this diverse set of technologies, it is common for network administrators to configure SolarWinds Orion with pervasive privileges, making it a valuable target for adversary activity. SolarWinds Orion typically leverages a significant number of highly privileged accounts and access to perform normal business functions. Successful compromise of one of these systems can therefore enable further action and privileges in any environment where these accounts are trusted.

One of the initial access vectors for this activity is a supply chain compromise of a Dynamic Link Library (DLL) in SolarWinds Orion products. By January 6, 2021 CISA had evidence that there are initial access vectors other than the SolarWinds Orion platform and identified legitimate account abuse as one of these vectors. Specifically, CISA was investigating incidents in which activity indicating abuse of Security Assertion Markup Language (SAML) tokens consistent with this adversary’s behavior is present, yet where impacted SolarWinds instances had not been identified.

After the initial check-in, the adversary can use the Domain Name System (DNS) response to selectively send back new domains or IP addresses for interactive command and control (C2) traffic. Consequently, entities that observe traffic from their SolarWinds Orion devices to avsvmcloud[.]com should not immediately conclude that the adversary leveraged the SolarWinds Orion backdoor. Instead, additional investigation is needed into whether the SolarWinds Orion device engaged in further unexplained communications.

Shortly following the announcement of the SolarWinds attack, in a separate incident, Microsoft reported in March 2021 that other threat actors were exploiting zero-day vulnerabilities in Microsoft’s Exchange Server products used to provide on-premises5 IT services such as email, address books, and calendars. According to Microsoft, approximately 400,000 customers of these products, including federal government agencies, were at risk globally.

Volexity reported publicly that they observed the APT using a secret key that the APT previously stole in order to generate a cookie to bypass the Duo multi-factor authentication (MFA) protecting access to Outlook Web App (OWA).[1] Volexity attributes this intrusion to the same activity as the SolarWinds Orion supply chain compromise, and the TTPs are consistent between the two. This observation indicates that there are other initial access vectors beyond SolarWinds Orion, and there may still be others that are not yet known.

The adversary made extensive use of obfuscation to hide their C2 communications. The adversary is using virtual private servers (VPSs), often with IP addresses in the home country of the victim, for most communications to hide their activity among legitimate user traffic. The attackers also frequently rotate their “last mile” IP addresses to different endpoints to obscure their activity and avoid detection.

FireEye reported that the adversary is using steganography (Obfuscated Files or Information: Steganography) to obscure C2 communications. This technique negates many common defensive capabilities in detecting the activity. CISA had not yet been able to independently confirm the adversary’s use of this technique. According to FireEye, the malware also checks for a list of hard-coded IPv4 and IPv6 addresses—including RFC-reserved IPv4 and IPv6 IP—in an attempt to detect if the malware is executed in an analysis environment (e.g., a malware analysis sandbox); if so, the malware will stop further execution. Additionally, FireEye analysis identified that the backdoor implemented time threshold checks to ensure that there are unpredictable delays between C2 communication attempts, further frustrating traditional network-based analysis.

While not a full anti-forensic technique, the adversary was heavily leveraging compromised or spoofed tokens for accounts for lateral movement. This will frustrate commonly used detection techniques in many environments. Since valid, but unauthorized, security tokens and accounts are utilized, detecting this activity will require the maturity to identify actions that are outside of a user’s normal duties. For example, it is unlikely that an account associated with the HR department would need to access the cyber threat intelligence database.

Taken together, these observed techniques indicated an adversary who is skilled, stealthy with operational security, and is willing to expend significant resources to maintain covert presence.

The adversary’s initial objectives appeared to be to collect information from victim environments. One method the adversary is accomplishing this objective is by compromising the SAML signing certificate using their escalated Active Directory privileges. Once this is accomplished, the adversary creates unauthorized but valid tokens and presents them to services that trust SAML tokens from the environment. These tokens can then be used to access resources in hosted environments, such as email, for data exfiltration via authorized APIs. During the persistence phase, the additional credentials being attached to service principals obfuscates the activity of user objects, because they appear to be accessed by the individual, and such individual access is normal and not logged in all M365 licensing levels.

The adversary used a complex network of IP addresses to obscure their activity, which can result in a detection opportunity referred to as “impossible travel.” Impossible travel occurs when a user logs in from multiple IP addresses that are a significant geographic distance apart (i.e., a person could not realistically travel between the geographic locations of the two IP addresses during the time period between the logins). Implementing this detection opportunity can result in false positives if legitimate users apply virtual private network (VPN) solutions before connecting into networks.

If the adversary has compromised administrative level credentials in an environment—or if organizations identify SAML abuse in the environment, simply mitigating individual issues, systems, servers, or specific user accounts will likely not lead to the adversary’s removal from the network. In such cases, organizations should consider the entire identity trust store as compromised. In the event of a total identity compromise, a full reconstitution of identity and trust services is required to successfully remediate. In this reconstitution, it bears repeating that this threat actor is among the most capable, and in many cases, a full rebuild of the environment is the safest action. A Microsoft blog post, Advice for incident responders on recovery from systemic identity compromises outlines processes and procedures needed to remediate this type of activity and retain administrative control of an environment.

Due to the nature of this pattern of adversary activity—and the targeting of key personnel, incident response staff, and IT email accounts—discussion of findings and mitigations should be considered very sensitive, and should be protected by operational security measures. An operational security plan needs to be developed and socialized, via out-of-band communications, to ensure all staff are aware of the applicable handling caveats.

On 30 October 2023 the Securities and Exchange Commission announced charges against Austin, Texas-based software company SolarWinds Corporation and its chief information security officer, Timothy G. Brown, for fraud and internal control failures relating to allegedly known cybersecurity risks and vulnerabilities. The complaint alleged that, from at least its October 2018 initial public offering through at least its December 2020 announcement that it was the target of a massive, nearly two-year long cyberattack, dubbed “SUNBURST,” SolarWinds and Brown defrauded investors by overstating SolarWinds' cybersecurity practices and understating or failing to disclose known risks. In its filings with the SEC during this period, SolarWinds allegedly misled investors by disclosing only generic and hypothetical risks at a time when the company and Brown knew of specific deficiencies in SolarWinds’ cybersecurity practices as well as the increasingly elevated risks the company faced at the same time.

As the complaint alleged, SolarWinds’ public statements about its cybersecurity practices and risks were at odds with its internal assessments, including a 2018 presentation prepared by a company engineer and shared internally, including with Brown, that SolarWinds’ remote access set-up was “not very secure” and that someone exploiting the vulnerability “can basically do whatever without us detecting it until it’s too late,” which could lead to “major reputation and financial loss” for SolarWinds. Similarly, as alleged in the SEC’s complaint, 2018 and 2019 presentations by Brown stated, respectively, that the “current state of security leaves us in a very vulnerable state for our critical assets” and that “[a]ccess and privilege to critical systems/data is inappropriate.”

In addition, the SEC’s complaint alleged that multiple communications among SolarWinds employees, including Brown, throughout 2019 and 2020 questioned the company’s ability to protect its critical assets from cyberattacks. For example, according to the SEC’s complaint, in June 2020, while investigating a cyberattack on a SolarWinds customer, Brown wrote that it was “very concerning” that the attacker may have been looking to use SolarWinds’ Orion software in larger attacks because “our backends are not that resilient;” and a September 2020 internal document shared with Brown and others stated, “the volume of security issues being identified over the last month have [sic] outstripped the capacity of Engineering teams to resolve.”

The SEC’s complaint alleged that Brown was aware of SolarWinds’ cybersecurity risks and vulnerabilities but failed to resolve the issues or, at times, sufficiently raise them further within the company. As a result of these lapses, the company allegedly also could not provide reasonable assurances that its most valuable assets, including its flagship Orion product, were adequately protected.

SolarWinds made an incomplete disclosure about the SUNBURST attack in a December 14, 2020, Form 8-K filing, following which its stock price dropped approximately 25 percent over the next two days and approximately 35 percent by the end of the month.

“We allege that, for years, SolarWinds and Brown ignored repeated red flags about SolarWinds’ cyber risks, which were well known throughout the company and led one of Brown’s subordinates to conclude: ‘We’re so far from being a security minded company,’” said Gurbir S. Grewal, Director of the SEC’s Division of Enforcement. “Rather than address these vulnerabilities, SolarWinds and Brown engaged in a campaign to paint a false picture of the company’s cyber controls environment, thereby depriving investors of accurate material information. Today’s enforcement action not only charges SolarWinds and Brown for misleading the investing public and failing to protect the company’s ‘crown jewel’ assets, but also underscores our message to issuers: implement strong controls calibrated to your risk environments and level with investors about known concerns.”

The SEC’s complaint, filed in the Southern District of New York, alleged that SolarWinds and Brown violated the antifraud provisions of the Securities Act of 1933 and of the Securities Exchange Act of 1934; SolarWinds violated reporting and internal controls provisions of the Exchange Act; and Brown aided and abetted the company’s violations. The complaint sought permanent injunctive relief, disgorgement with prejudgment interest, civil penalties, and an officer and director bar against Brown.