Sunspot, the newly discovered malware found and named by the cybersecurity firm CrowdStrike, is the malware used by the threat actors behind the SolarWinds breach.
Sunspot, the third malware strain found in the SolarWinds-related investigations, was deployed in SolarWinds' development environment for the Orion IT management software.
When Sunspot was executed, it monitored the Orion build and injected the Sunburst backdoor, replacing legitimate source code with the malicious code. Sunspot's developers took the time to make sure the malware was inserted correctly and would go undetected by regular security software. It was clearly a highly sophisticated cyberattack.
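The substitution described above happens to source files on the build host, before the compiler ever sees them. The defensive check a build team would want is a source-tree integrity verification run immediately before (and again after) compilation, against a hash manifest captured from a trusted checkout. The following is an added example of that check; it is not code from SpearTip, CrowdStrike or SolarWinds, and the directory layout, file names and file contents are constructed for illustration.

```python
import hashlib
import tempfile
from pathlib import Path


def sha256_file(path: Path) -> str:
    """Stream a file through SHA-256 so large sources do not need to fit in memory."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_manifest(root: Path, suffixes=(".cs", ".c", ".cpp", ".h", ".py")) -> dict:
    """Map every source file (relative POSIX path) under root to its SHA-256.

    In practice this manifest is produced from a trusted checkout, signed, and
    stored off the build host so that a process on that host cannot rewrite it.
    """
    manifest = {}
    for path in sorted(root.rglob("*")):
        if path.is_file() and path.suffix in suffixes:
            manifest[path.relative_to(root).as_posix()] = sha256_file(path)
    return manifest


def verify_tree(root: Path, trusted_manifest: dict) -> dict:
    """Compare the tree on disk with the trusted manifest.

    Returns the files whose content changed, files that vanished, and files
    that appeared; any non-empty list should fail the build and raise an alert.
    """
    current = build_manifest(root)
    return {
        "modified": sorted(k for k in trusted_manifest
                           if k in current and current[k] != trusted_manifest[k]),
        "missing": sorted(k for k in trusted_manifest if k not in current),
        "added": sorted(k for k in current if k not in trusted_manifest),
    }


def demo() -> dict:
    """Constructed scenario: capture a manifest, tamper with the tree, verify."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "src").mkdir()
        (root / "src" / "Core.cs").write_text("// constructed sample\nclass Core {}\n")
        (root / "src" / "Util.cs").write_text("// constructed sample\nclass Util {}\n")
        trusted = build_manifest(root)

        # Simulate a build-time substitution of one file and the appearance
        # of a file the trusted checkout never contained.
        (root / "src" / "Core.cs").write_text("// constructed sample\nclass Core { /* replaced */ }\n")
        (root / "src" / "Extra.cs").write_text("// constructed sample\nclass Extra {}\n")

        return verify_tree(root, trusted)


if __name__ == "__main__":
    print(demo())  # {'modified': ['src/Core.cs'], 'missing': [], 'added': ['src/Extra.cs']}
```

The check only has value if the manifest itself is trustworthy: generate it on a separate machine from a clean checkout, sign it, and have the build pipeline fetch and verify the signature before comparing. Running the comparison again after the compile step catches a substitution that is undone once the build finishes.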
Evidence shows the Sunburst malware was compiled and deployed on February 20, 2020, and that the threat actors first accessed SolarWinds on September 4, 2019. The threat actors remained inside the environment for quite some time before any security personnel detected them. On December 12, 2020, SolarWinds was notified of the Sunburst backdoor.
Although no threat actor has been definitively identified just yet, it is still important to note that this cyberattack is the largest in history. The FBI, CISA, and the NSA recently stated they believe a Russian-backed Advanced Persistent Threat (APT) group is responsible for this cyberattack, which has shaken the globe.
As we predicted, the extended fallout from the attack is still unfolding as perpetrators try to infiltrate environments using portions of the exposed backdoors and already-implanted malware.
This is a developing investigation.
SpearTip experts have had their eyes on the SolarWinds breach since the news broke. In fact, our developers created a free tool, Sunscreen SPF 10, to check whether the Sunburst malware has been in your network by monitoring for malicious activity and rooting out compromised versions of SolarWinds. We've also developed an EDR tool, ShadowSpear®, to monitor your environment and give you full transparency into your risk profile.
The cybersecurity professionals in our Security Operations Center are on call 24/7 and will assist with any issues or concerns regarding the SolarWinds breach. If you have questions, call the Security Operations Center (SOC) at 833.997.7327.