Researchers uncover three more malware strains linked to SolarWinds hackers

GoldMax, GoldFinder, Sibot and Sunshuttle are all good at evading detection, said Microsoft and FireEye.
WASHINGTON, DC: (L-R) FireEye CEO Kevin Mandia, SolarWinds CEO Sudhakar Ramakrishna and Microsoft President Brad Smith testify during a Senate Intelligence Committee hearing on Capitol Hill on February 23, 2021 in Washington, DC. (Photo by Drew Angerer/Getty Images)

It looks like the SolarWinds hackers had even more tricks up their sleeve.

Microsoft and FireEye on Thursday revealed three more malware strains associated with the suspected Russian perpetrators who breached SolarWinds’ Orion software and used its update to infect federal agencies and major companies.

FireEye named one strain Sunshuttle in a blog post. In a separate blog post, Microsoft dubbed two more strains GoldFinder and Sibot, and labeled the strain FireEye called Sunshuttle as GoldMax.

Microsoft said the strains join the previously known SolarWinds hacker tools Sunburst and Teardrop. The traits the new malware strains exhibit are yet more evidence that the hackers behind that breach are, in fact, notably sophisticated — a term often affixed to virtually any hacking group by their victims.

“They are tailor-made for specific networks and are assessed to be introduced after the actor has gained access through compromised credentials or the SolarWinds binary and after moving laterally with TEARDROP and other hands-on-keyboard actions,” Microsoft wrote.

While FireEye couldn’t conclusively verify the connection between Sunshuttle and the SolarWinds hackers, it observed it in the network of a victim of that group, among other links.

Sunshuttle “is a sophisticated second-stage backdoor that demonstrates straightforward but elegant detection evasion techniques,” FireEye wrote.

Likewise, the malware strains Microsoft wrote about exhibited stealthiness.

“Microsoft assesses that the newly surfaced pieces of malware were used by the actor to maintain persistence and perform actions on very specific and targeted networks post-compromise, even evading initial detection during incident response,” according to the blog post.

There also are some overlapping time frames. Microsoft saw the strains active from August to September in customer networks, although the infections may have been on systems as early as June. FireEye said someone uploaded Sunshuttle to a public malware repository in August.

Corrected, 3/4/2021: to include the right number of malware strains.