In this post, we will summarize news on the SolarWinds hack from Symantec’s perspective.

Dec 14, 2020, updated Dec 16, 2020 [1]

  • Confirmed some of FireEye’s findings on SUNBURST and TEARDROP
  • Acknowledged that 100 of its customers (2000 machines) had received SUNBURST
  • Indicated that SUNBURST was signed with a certificate issued by Symantec (Symantec divested its certificate authority business in 2018)

Dec 21, 2020 [2]

  • Confirmed FireEye reports that SUNBURST used a delay of ~2 weeks before activating and that it had an exclusion list of domains (i.e., Windows domains in which it would not start)
  • Indicated that SUNBURST would stop execution if the server on which it was running had specific software installed (software typically found on a security researcher's machine)
  • Indicated that SUNBURST also attempts to disable some security software services via the Windows registry
  • Confirmed that SUNBURST will check if api.solarwinds.com resolves to a valid address before continuing

Jan 7, 2021 [3]

  • Described the domain generation algorithm (DGA) used by SUNBURST
  • Described the clandestine protocol followed by SUNBURST to convey the Windows domain name and other details of the compromised server to the C2 over DNS

Jan 15, 2021 [4]

  • Continued the description of the clandestine protocol followed by SUNBURST to communicate with the C2
  • Described the sequence of steps in the lead-up to a compromised machine establishing an HTTP connection with a second-stage C2

Jan 18, 2021 [5]

  • Documented RAINDROP, a loader (malware) that delivers a Cobalt Strike payload (similar to TEARDROP)
  • Documented differences between the usage of RAINDROP and TEARDROP: UNC2452 installed RAINDROP on multiple machines in an organization after the original breach, whereas TEARDROP installations were restricted to the Orion server running SUNBURST
  • Compared the construction of RAINDROP and TEARDROP

Jan 22, 2021 [6]

  • Detailed how SUNBURST sends data back to UNC2452’s C2

References