Strain was used to create an opening for other malware
Security firm CrowdStrike identified and named the strain Sunspot, adding that it was the first of the three to be used -- the other two are called Sunburst and Teardrop.
Sunspot was planted on the SolarWinds build server, creating the opening for Sunburst to first enter the system, according to CrowdStrike's report.
Its main goal was to watch for builds of Orion – a top SolarWinds product – and replace source code with the Sunburst malware.
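The build-server tampering described above, a process watching for the Orion build and swapping in modified source files, is exactly what a source-tree integrity check run immediately before compilation is meant to surface. The following is an added example, not SolarWinds' or CrowdStrike's code; it assumes a trusted manifest captured from a clean checkout and uses constructed sample files:

```python
import hashlib
import json
import os
import tempfile


def hash_tree(root):
    """Return {relative_path: sha256_hex} for every regular file under root."""
    manifest = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in sorted(files):
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            with open(full, "rb") as fh:
                manifest[rel] = hashlib.sha256(fh.read()).hexdigest()
    return manifest


def verify_tree(root, expected):
    """Compare the tree on disk against a trusted manifest; return the deltas."""
    actual = hash_tree(root)
    return {
        "modified": sorted(p for p in expected if p in actual and actual[p] != expected[p]),
        "added": sorted(p for p in actual if p not in expected),
        "removed": sorted(p for p in expected if p not in actual),
    }


def demo():
    """Constructed scenario: clean checkout, manifest taken, then a file is swapped."""
    with tempfile.TemporaryDirectory() as root:
        src = os.path.join(root, "src")
        os.makedirs(src)
        with open(os.path.join(src, "Core.cs"), "w") as fh:
            fh.write("// constructed sample, not real product code\n")
        with open(os.path.join(src, "Util.cs"), "w") as fh:
            fh.write("// constructed helper\n")
        trusted = hash_tree(root)  # would normally be stored/signed outside the build host
        # Simulate a build-time substitution of one source file plus one unexpected file.
        with open(os.path.join(src, "Core.cs"), "w") as fh:
            fh.write("// constructed sample, not real product code\n// injected line\n")
        with open(os.path.join(src, "Extra.cs"), "w") as fh:
            fh.write("// unexpected\n")
        return verify_tree(root, trusted)


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

A non-empty "modified" or "added" list should fail the build rather than just log, since the manifest only has value if it is kept off the build host the malware can reach.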
Kaspersky released an independent report on the same day, finding “code overlaps” between Sunburst malware and Kazuar, a malware strain linked to the Turla group, a Russian state-sponsored, cyber-espionage group.
The firm made no accusations or direct connections between Turla and the SolarWinds hack, according to ZDNet.
The attack blended extraordinarily stealthy tradecraft, using cyber tools not seen in any previous attack, with a strategy that zeroed in on a weak link in the software supply chain that all U.S. businesses and government institutions rely on -- an approach security experts have long feared but one that had never been used against U.S. targets in such a concerted way.
Government agencies and cybersecurity experts are still working to piece together the massive suspected espionage operation. At least six federal agencies, including the departments of State, Homeland Security, Commerce and Energy, were hacked as part of the campaign.
Federal investigators have concluded that the Russian government is likely responsible for the hack in part because of the level of skill involved. Several senators who have received briefings in recent days have openly referred to it as a Russian operation.
Moscow has denied responsibility.
A SolarWinds shareholder filed a class-action lawsuit against the company's president, Kevin Thompson, and chief financial officer, J. Barton Kalsu, claiming the executives violated federal securities laws under the Securities Exchange Act of 1934.
The suit alleges that SolarWinds either misrepresented or failed to disclose to shareholders that, since mid-2020, the company's Orion monitoring products had a vulnerability that allowed hackers to compromise the product's server, and that SolarWinds' update server had an easily accessible password of 'solarwinds123', leaving customers, including the federal government, Microsoft, Cisco and Nvidia, vulnerable to hacks.