New Malware Strain Found in SolarWinds Hack

Posted Jan 20, 2021
Reviewed Jan 16, 2024

Cybersecurity analysts continue to assess the potential damage of a massive attack on SolarWinds’ Orion software platform. The attack, first reported in December last year, injected malware into certain version updates of a popular software platform used by thousands of organizations, including top U.S. government agencies.

Previous analysis of the supply chain attack, considered to have links to the Russian government, identified three strains of malware: Sunspot, Sunburst, and Teardrop. The cybersecurity firm Symantec recently reported that it has identified a fourth, called Raindrop, that is related to Teardrop but that has significant differences.

Attackers Used Multiple Interlinked Malware Strains

Investigators have found that the SolarWinds hack occurred in stages going back as early as the middle of 2019 when SolarWinds was first penetrated by the Sunspot malware. This malware then inserted Sunburst malware inside new versions of Orion software. The main purpose of Sunburst was to monitor infected systems and relay data to a remote server.

The attackers then used Teardrop and the newly discovered Raindrop malware to escalate attacks on specific, high-value targets that used the Orion platform. These targets included several key U.S. government agencies. Both Teardrop and Raindrop helped facilitate broader access to infected network systems.


One mystery noted by the Symantec report focused on how Teardrop and Raindrop were installed. Teardrop was directly installed by the Sunburst malware. Raindrop often appeared on systems infected with Sunburst but with no evidence that its presence was initiated by Sunburst. Investigations about just how the Raindrop malware was distributed are ongoing.

Each Day Brings New Revelations

In a white paper released this week, cybersecurity firm FireEye gave additional information and tools for Microsoft 365 users to identify previous or ongoing compromises in their cloud storage. FireEye discovered the attack, which has rattled security experts, government officials, and the private sector alike. FireEye was also one of four cybersecurity companies, along with Microsoft, CrowdStrike, and Malwarebytes, to be targeted in the SolarWinds hack.

In an interview this week, FireEye’s chief technical officer Charles Carmakal said the months-long attack allowed attackers to gather intelligence undetected from top U.S. government agencies such as the departments of Commerce, Treasury, and Justice as well as software companies and policy-oriented think tanks in Washington D.C. “We continue to learn about new victims almost every day,” Carmakal said.

Microsoft disclosed last month that attackers had gained access to some of its source code. This fact, as well as the targeting of other software companies, suggests that the attackers might have further plans to compromise other platforms. Carmakal said such sophisticated hackers as those responsible for the SolarWinds attack could be looking for other software products to infect and use in future attacks.


A Cyberattack of Unprecedented Scope

What makes the SolarWinds hack so significant is the sheer scope of the attack. The malware-infected Orion updates allowed attackers to gather information from a wide swathe of government, corporate, energy, and education sectors. Security experts suggest that it could be the largest spying operation against the U.S. in history.

What is more concerning to some is that the success of this supply chain hack, which used a single compromise to infiltrate thousands of targets, could be copied by other threat actors. Shortly after the SolarWinds attack was first announced, Microsoft urged greater transparency by governments and the private sector in reporting nation-state attacks.

SecureData understands that maintaining the integrity of computer networks requires constant vigilance. We also know that the nature of cyberattacks continues to evolve as malicious actors find new and more sophisticated avenues to exploit vulnerabilities.

That’s why for more than a decade, we have worked hard to develop more secure strategies for data storage and data recovery services. Our comprehensive approach focuses on offline encrypted storage and backups, remote drive management, and reliable endpoint security.

Philip Bader

After more than a decade in Southeast Asia as a reporter and editor for magazines, newspapers, and online media organizations, Philip Bader now serves as a freelance content writer for Secure Data Recovery Services. He writes blogs and web content about data storage technology, trends in enterprise data recovery, and emerging data storage technology.

© 2024 SecureData Corporation or its affiliates. All rights reserved.