Remote Access Trojan

SUNBURST

First seen: 2020 • Status: inactive

SUNBURST was hidden inside a trusted software update and silently opened a backdoor into thousands of organizations, including US government agencies.

Overview

SUNBURST was the backdoor implanted in the SolarWinds Orion supply chain attack: a trojanized Orion update delivered the implant to thousands of organizations, including US government agencies.

Also Known As

Solorigate, UNC2452 backdoor

How It Spreads

  • SolarWinds Orion supply chain compromise

What It Does

  • Backdoor access
  • Reconnaissance
  • Credential theft
  • Lateral movement
  • Data exfiltration

Target Platforms

Windows

Detection Tips

  • Check SolarWinds Orion versions
  • Monitor for SUNBURST DGA domains
  • Analyze historical network traffic
  • Review SolarWinds indicators

MITRE ATT&CK Techniques

T1195 (Supply Chain Compromise), T1071 (Application Layer Protocol), T1082 (System Information Discovery), T1003 (OS Credential Dumping), T1041 (Exfiltration Over C2 Channel)

If You're Infected

  1. Update to clean SolarWinds version
  2. Conduct full APT investigation
  3. Assume breach and investigate
  4. Engage incident response

Related Malware

Teardrop, Raindrop, Sunspot
