SolarWinds explainer

An overview of the software supply chain attack used against SolarWinds

Introduction

Professionals from the KPMG Cyber Security Services team have been working with SolarWinds at the direction of outside counsel DLA Piper since mid-December, when SolarWinds announced that it had been the victim of a sophisticated supply chain attack. As disclosed by SolarWinds, limited versions of the SolarWinds Orion Platform software had been altered by threat actor(s) with malicious code. The code in question, a backdoor called SUNBURST [1], was unknowingly made available to SolarWinds’ customers as part of the three separate patches listed below:

Platform Version     Release Date
-------------------  --------------
2019.4 Hotfix 5      March 26, 2020
2020.2               June 4, 2020
2020.2 Hotfix 1      June 24, 2020


There has been some confusion regarding the types of downstream malware potentially related to this attack. This blog post aims to provide information about the various types of malware that have been discovered and to clarify their relationship to the supply chain attack.

SUNSPOT – Attack of the SolarWinds Build Process

As detailed in SolarWinds’ blog post, KPMG discovered malware – referred to as SUNSPOT – that was deployed for the purpose of covertly inserting a backdoor into the SolarWinds Orion Platform during the software build process. Working with CrowdStrike to reverse engineer the SUNSPOT malware, it was determined that the malware was designed by the threat actor(s) to function solely within the SolarWinds Orion Platform software build environment.

From our analysis, we determined that the SUNSPOT malware ran in the background on SolarWinds’ Orion Platform software build servers watching for a new build to take place. At build time, SUNSPOT would insert a backdoor (referred to as SUNBURST) contained in a temporary source code file used by the compiler. At the conclusion of the software build process, SUNSPOT would clean up the temporary source code file to circumvent detection. Hence, the codebase remained clean, while the compiled code was signed with the valid SolarWinds software certificate and shipped with the SUNBURST backdoor.

Notably, the SUNSPOT malware was resident only on SolarWinds’ Orion Platform software build servers. It was not included in the compromised SolarWinds Orion Platform software patches or distributed to SolarWinds’ customers.
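The mechanism described above is worth seeing as a build-integrity check rather than as a repository check: the repository stays clean, so only a control that records what the compiler actually consumes will notice the substitution. The following Python script is an added illustrative example, not KPMG’s, SolarWinds’ or CrowdStrike’s code. It models a clean checkout, a build that compiles from a temporary copy of the sources, and a stand-in for the substitute-then-restore step, and it shows two defender-side checks: hashing every input at the moment the compiler reads it against a manifest from the clean checkout, and comparing the artifact hash of two builds (a reproducible-build comparison). All file names, contents and the injected marker string are constructed for the example and are not Orion paths or real code.

```python
"""
Build-input integrity check (added example; constructed data, not real Orion sources).
"""
import hashlib
import os
import shutil
import tempfile

# Constructed sample source tree. Paths are assumptions, not real SolarWinds paths.
CLEAN_SOURCES = {
    "BusinessLayer/Core.cs": "class Core { void Run() { /* legitimate logic */ } }\n",
    "BusinessLayer/Util.cs": "class Util { }\n",
}
# Constructed stand-in for a substituted temporary source file (a marker string only).
TAMPERED_CORE = "class Core { void Run() { /* injected */ } }\n"


def sha256_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root):
    """Map each relative source path under root to its SHA-256 (the clean-checkout manifest)."""
    manifest = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            manifest[rel] = sha256_file(full)
    return manifest


def compile_sources(tmp_root, rel_paths, consumed_hashes):
    """Stand-in compiler: hashes each input as it is read, then hashes the concatenation as the artifact."""
    output = []
    for rel in rel_paths:
        full = os.path.join(tmp_root, rel)
        consumed_hashes[rel] = sha256_file(full)  # what the compiler actually saw
        with open(full, "r", encoding="utf-8") as f:
            output.append(f.read())
    return hashlib.sha256("".join(output).encode()).hexdigest()


def verify_consumed_inputs(repo_manifest, consumed_hashes):
    """Return the relative paths whose hash differs from the clean-checkout manifest."""
    return sorted(rel for rel, digest in consumed_hashes.items()
                  if repo_manifest.get(rel) != digest)


def run_build(tamper):
    """Check out, copy to a temp build dir, optionally model substitute-then-restore, compile, verify.

    Returns (artifact_hash, mismatches_seen_at_compile_time, mismatches_seen_after_build).
    """
    work = tempfile.mkdtemp()
    try:
        repo = os.path.join(work, "repo")
        tmp = os.path.join(work, "build")
        for rel, content in CLEAN_SOURCES.items():
            path = os.path.join(repo, rel)
            os.makedirs(os.path.dirname(path), exist_ok=True)
            with open(path, "w", encoding="utf-8") as f:
                f.write(content)
        repo_manifest = build_manifest(repo)
        shutil.copytree(repo, tmp)
        target = os.path.join(tmp, "BusinessLayer", "Core.cs")
        if tamper:
            # Models the temporary source file being swapped before the compiler reads it.
            with open(target, "w", encoding="utf-8") as f:
                f.write(TAMPERED_CORE)
        consumed = {}
        artifact = compile_sources(tmp, sorted(CLEAN_SOURCES), consumed)
        if tamper:
            # Models the clean-up step: the temp file is restored after the build.
            shutil.copy(os.path.join(repo, "BusinessLayer", "Core.cs"), target)
        during_build = verify_consumed_inputs(repo_manifest, consumed)
        after_build = verify_consumed_inputs(repo_manifest, build_manifest(tmp))
        assert build_manifest(repo) == repo_manifest  # the repository itself is untouched
        return artifact, during_build, after_build
    finally:
        shutil.rmtree(work)


if __name__ == "__main__":
    print("clean build:   ", run_build(False))
    print("tampered build:", run_build(True))
```

The point the output makes is that a post-build scan of the build directory and a diff of the repository both come back clean, while the compile-time input hashes flag the substituted file and the artifact hash differs from that of a clean rebuild. In a real pipeline the equivalent controls are an input manifest recorded by the build agent and an independent rebuild from the tagged commit whose artifact hash is compared before signing.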

SUNBURST – The backdoor in SolarWinds Orion Platform software

The SUNBURST [1] backdoor was inserted, during the software build process, into a component of the SolarWinds Orion product: a library called SolarWinds.Orion.Core.BusinessLayer.dll. SUNBURST was designed to communicate with the threat actor(s) and provide them with a wide array of capabilities. These included executing arbitrary commands, creating and deleting files, downloading and executing additional files, manipulating registry keys, and rebooting the system.

To date, based on our on-going forensic review of SolarWinds’ software build environment and source code repository, there has been no evidence to indicate the SUNBURST backdoor was ever directly added to the Orion codebase.

Post-exploitation Malware

Organizations have released public details related to malware used to further compromise systems in environments where there was a version of SolarWinds Orion Platform software that included the SUNBURST backdoor. SolarWinds, the company, did not directly deliver or otherwise propagate these second-stage malware executables. Instead, threat actor(s) used the capabilities built into the SUNBURST backdoor to deploy additional malware to their victims.

TEARDROP

TEARDROP [2], reported to have been found on some compromised systems via the SUNBURST backdoor, was identified as a dropper (a program whose primary purpose is to deploy and execute an embedded program) that ran in-memory only and was used to deploy a modified version of Cobalt Strike (a full-featured penetration testing application often used for moving laterally through a network and establishing additional backdoors) to the compromised system.

RAINDROP

RAINDROP [3] was reported to have been found elsewhere on a network where there was already a system compromised by SUNBURST. Like the TEARDROP malware, RAINDROP was also a dropper used to deploy a modified version of Cobalt Strike to the compromised system.

SUNSHUTTLE/GoldMax

SUNSHUTTLE [4], also known as GoldMax [5], was reported to have been found in some environments that had been compromised by the SUNBURST backdoor and used after the threat actor(s) gained access and moved laterally within the environment. SUNSHUTTLE/GoldMax is a malicious executable with common backdoor command-and-control capabilities.

GoldFinder

GoldFinder [5], reported to have been used by the SUNBURST threat actor(s) in some compromised environments, is a malware tool which appears to map the network routes to a specific command-and-control server. These routes and proxies are written to a log file, suggesting it may be used by the threat actor(s) to assist in reconnaissance of the victim’s network topology.

Sibot

Sibot [5], also reported to have been used by the SUNBURST threat actor(s) in some compromised environments, is malware that establishes persistence on a victim system and has the capability to download and execute payloads from a command-and-control server.

SUPERNOVA

Following the discovery of SUNBURST, a separate, unrelated security threat was discovered and made public – a backdoor that is being referred to as SUPERNOVA. The SUPERNOVA [6] malware, characterized as a web shell, was deployed by targeting a vulnerability [7] in specific versions of the SolarWinds Orion product that has since been patched.

It is important to note that SUPERNOVA is not associated with the supply chain attack used to distribute the SUNBURST backdoor. SUPERNOVA was neither signed nor delivered by SolarWinds.

Conclusion

In summary, SUNSPOT was designed by the threat actor(s) to function specifically within SolarWinds’ software build environment to insert a malicious backdoor called SUNBURST into certain versions of the SolarWinds Orion Platform software. Unlike the SUNBURST backdoor, SUNSPOT was not included in the SolarWinds Orion Platform software patches that were made available to the public.

As reported, TEARDROP and RAINDROP were designed to be used by the threat actor(s) to deploy a modified version of Cobalt Strike. Further, SUNSHUTTLE/GoldMax, GoldFinder, and Sibot are malicious tools reported to have been used by the threat actor(s) in environments where there was a pre-existing SUNBURST compromise.

Like SUNSPOT, none of TEARDROP, RAINDROP, SUNSHUTTLE/GoldMax, GoldFinder, or Sibot was included in SolarWinds Orion Platform software or directly provided to customers through SolarWinds patches. Finally, while still relevant, the backdoor web shell SUPERNOVA, identified after the SUNBURST attack was made public, is not associated with the SUNBURST supply chain attack and was not included in any SolarWinds Orion Platform software patches.

Malware              Distributed by SolarWinds   Type of Malware
-------------------  --------------------------  ----------------
SUNSPOT              No                          Code injector
SUNBURST             Yes                         Backdoor
TEARDROP             No                          Dropper
RAINDROP             No                          Dropper
SUNSHUTTLE/GoldMax   No                          Backdoor
GoldFinder           No                          Reconnaissance
Sibot                No                          Backdoor
SUPERNOVA            No                          Backdoor


Future KPMG posts will outline how to identify similar attacks, demonstrate how the malware was found, and illustrate lessons learned and KPMG’s secure by design leading practices.

Special recognition goes to the KPMG Cyber Security professionals who contributed to this blog: Andi Baritchi, Stephen Gibson, and Christopher Shanahan.

Footnotes

  1. CISA – MAR-10318845-1.v1 – SUNBURST: https://us-cert.cisa.gov/ncas/analysis-reports/ar21-039a
  2. CISA – MAR-10320115-1.v1 – TEARDROP: https://us-cert.cisa.gov/ncas/analysis-reports/ar21-039b
  3. Symantec – RAINDROP: https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/solarwinds-raindrop-malware
  4. FireEye – SUNSHUTTLE: https://www.fireeye.com/blog/threat-research/2021/03/sunshuttle-second-stage-backdoor-targeting-us-based-entity.htm
  5. Microsoft – GoldMax/GoldFinder/Sibot: https://www.microsoft.com/security/blog/2021/03/04/goldmax-goldfinder-sibot-analyzing-nobelium-malware/
  6. CISA – MAR-10319053-1.v1 – SUPERNOVA: https://us-cert.cisa.gov/ncas/analysis-reports/ar21-027a
  7. NVD – CVE-2020-10148: https://nvd.nist.gov/vuln/detail/CVE-2020-10148

Meet our team

David Nides
Principal, Advisory, KPMG US