Kaspersky researchers: every fifth victim of Sunburst was from manufacturing industry
January 2021 by Kaspersky
The Sunburst backdoor attack, which was publicly announced on December 13th, 2020, is still keeping researchers on edge as they untangle the true scale and the interests of the actor behind this supply chain attack. While the official confirmed number of affected users amounts to 18,000, there is limited information about what kind of organisations used the backdoored SolarWinds versions and fell victim to the attack. To answer this question, Kaspersky ICS CERT researchers assessed internal and publicly available information and defined which industries have been affected the most.
Through analysis of all available decoded internal domain names obtained from DNS names generated by the SunBurst DomainName Generation Algorithm, the researchers were able to compile a list of nearly 2000 readable and attributable domains. From these, the overall percentage of industrial organisations among all organisations on the list is estimated at 32.4% with manufacturing having been hit the most (18.11% of all victims), followed by utilities (3.24%) and construction (3.03%). Transportation and logistics (2.97%), as well as oil & gas (1.35%) industries concluded the list of top-5 industries affected. This data correlates with Kaspersky’s analysis of its affected customers and the industries they belong to.
The geographical distribution of the industrial organisations is broad and includes the following countries and territories: Benin, Canada, Chile, Djibouti, Indonesia, Iran, Malaysia, Mexico, the Netherlands, the Philippines, Portugal, Russia, Saudi Arabia, Taiwan, Uganda, and the USA.
“The SolarWinds software is highly integrated into many systems around the globe in different industries and, as a result, the scale of the Sunburst attack is unparalleled – a lot of organisations that had been affected might have not been of interest to the attackers initially. While we do not have evidence of a second-stage attack among these victims, we should not rule out the possibility that it may come in the future. Therefore, it is crucial for organisations that may be victims of the attack to rule out the infection and make sure they have the right incident response procedures in place,” comments Maria Garnaeva, senior security researcher at Kaspersky.
Kaspersky experts shared the following recommendations for possible victims of the SolarWinds compromise:
1. Check whether backdoored SolarWinds versions are installed. Known affected versions include software builds 2019.4 HF 5, 2020.2 with no hotfix installed, and 2020.2 HF1.
2. Check for known indicators of compromise (IOCs). CISA has published Alert AA20-35A with an extensive list
3. If you have detected a compromised SolarWinds installation or related IOCs, initiate a security incident investigation and launch an incident response procedure, considering all possible attack vectors:
1. Isolate assets that are known to be compromised, while keeping the system operable
2. Prevent IOCs that could be useful for the investigation from being deleted
3. Check all network logs for suspicious network activity
4. Check system logs and journals for illegitimate user account authentication
5. Locate suspicious process activity and investigate memory dumps and associated files
6. Check historical command-line data associated with suspicious activity
1. If you consider yourself a victim of the SolarWinds compromise, you can reach us at firstname.lastname@example.org for further assistance or consultancy.