A widespread campaign has been uncovered, tracked as UNC2452. The actors behind this campaign gained access to numerous public and private organizations around the world. They gained access to victims via trojanized updates to SolarWinds' Orion IT monitoring and management software. This campaign may have begun as early as Spring 2020 and is currently ongoing. Post-compromise activity following this supply chain compromise has included lateral movement and data theft. FireEye is tracking this as a global intrusion campaign.
The attack began as a supply chain attack, trojanizing SolarWinds Orion business software updates in order to distribute malware called SUNBURST. The attacker's post-compromise activity leverages multiple techniques to evade detection. The campaign is widespread, affecting public and private organizations around the world. The campaign is the work of a highly skilled actor, and the operation was conducted with significant operational security.