The hacker group 'UNC2452', which intercepted confidential information from government agencies and companies around the world, has been exposed
Security company FireEye said the breach was caused by a supply chain attack using malware that had been slipped into a business software update file.
Highly Evasive Attacker Leverages SolarWinds Supply Chain to Compromise Multiple Global Victims With SUNBURST Backdoor | FireEye Inc
US Homeland Security, thousands of businesses scramble after suspected Russian hack | Reuters
The following article summarizes the case in which a US government agency had the contents of its emails intercepted. The attacker carrying out this series of attacks is called 'UNC2452', and its identity was unknown at the time of writing. However, the FBI suspects that UNC2452 is 'APT29', a hacker group backed by the Russian government.
It turns out that a hacker group supported by the Russian government was hacking a US government agency and monitoring the contents of its emails --GIGAZINE
Attacks by UNC2452 target not only the United States but also government organizations and companies in Europe, Asia, and the Middle East. According to FireEye's investigation, UNC2452 carried out its attacks by embedding malware called 'SUNBURST' into a software update for 'Orion', SolarWinds' IT infrastructure management system.
SUNBURST is a trojanized version of SolarWinds.Orion.Core.BusinessLayer.dll, one of Orion's core framework plugins, containing a backdoor that communicates with external servers over HTTP. After lying dormant for up to two weeks, SUNBURST can transfer files, execute files, profile the system, reboot the machine, disable system services, and more. Furthermore, by storing its reconnaissance results in legitimate plugin configuration files and disguising its network traffic as a legitimate communication protocol, it steals data from the machine while appearing to be normal Orion activity.
According to FireEye, between March and May 2020 multiple update files containing SUNBURST were distributed, all of which carried a legitimate SolarWinds digital signature. 'The attack targeted up to 18,000 people and targeted governments, businesses and advertising agencies for about nine months,' said SolarWinds, which released a hotfix and urged customers to respond. The US government has also issued an emergency alert instructing agencies to stop using Orion immediately.
FireEye regards UNC2452 as a 'very skilled attacker' and has published a set of tools on GitHub to detect SUNBURST attacks.
GitHub - fireeye/sunburst_countermeasures
According to Reuters, the Russian government has denied any relationship with UNC2452.