In this post, we document the security firms known to have been attacked by UNC2452. While many of these firms were breached, some were not.

In the notes below, we consider a firm to be breached via SUNBURST if UNC2452 proceeded to a second-stage C2 using the original SUNBURST malware embedded inside Orion [1]. A firm is deemed to be breached by means other than SUNBURST if UNC2452 established a presence inside its IT infrastructure or exfiltrated data without using SUNBURST.

FireEye

  • Attack disclosed: Dec 8, 2020 [2]
  • Earliest known attack date:
  • Breached: Yes
  • SUNBURST used: Yes [3]

Mimecast

  • Attack disclosed: Jan 12, 2021 [4], [5]
  • Earliest known attack date:
  • Breached: Yes
  • SUNBURST used: Yes [6]

Palo Alto Networks

  • Attack disclosed: Jan 25, 2021 [7], [8]
  • Earliest known attack date: Sep 29, 2020 [9]
  • Breached: Yes
  • SUNBURST used: Yes

Qualys

  • Attack disclosed: Jan 25, 2021 [7], [8]
  • Earliest known attack date: July 7, 2020 [9]
  • Breached: Yes
  • SUNBURST used: Yes

Fidelis

  • Attack disclosed: Jan 25, 2021 [7], [8]
  • Earliest known attack date: May 18, 2020 [9]
  • Breached: Yes
  • SUNBURST used: Yes [10]

Microsoft

  • Attack disclosed: Dec 17, 2020 [11]
  • Earliest known attack date:
  • Breached: Yes
  • SUNBURST used: Yes

Cisco

  • Attack disclosed: Dec 21, 2020 [12]
  • Earliest known attack date: May 16, 2020 [9]
  • Breached: Yes
  • SUNBURST used: Yes [13]

VMware

  • Attack disclosed: Dec 21, 2020 [12]
  • Earliest known attack date:
  • Breached: No [14]
  • SUNBURST used: Yes [15]

Malwarebytes

  • Attack disclosed: Jan 19, 2021 [16]
  • Earliest known attack date:
  • Breached: Yes
  • SUNBURST used: No [17]

CrowdStrike

  • Attack disclosed: Dec 23, 2020 [18], [19]
  • Earliest known attack date:
  • Breached: No
  • SUNBURST used: No

References

  1. https://www.netresec.com/?page=Blog&month=2021-01&post=Twenty-three-SUNBURST-Targets-Identified

  2. https://www.fireeye.com/blog/threat-research/2020/12/unauthorized-access-of-fireeye-red-team-tools.html

  3. https://www.fireeye.com/blog/threat-research/2020/12/evasive-attacker-leverages-solarwinds-supply-chain-compromises-with-sunburst-backdoor.html

  4. https://www.mimecast.com/blog/important-update-from-mimecast/

  5. https://www.zdnet.com/article/mimecast-says-hackers-abused-one-of-its-certificates-to-access-microsoft-accounts/

  6. https://www.mimecast.com/blog/important-security-update/

  7. https://www.forbes.com/sites/thomasbrewster/2021/01/25/solarwinds-hacks-virginia-regulator-and-5-billion-cybersecurity-firm-confirmed-as-targets/

  8. https://www.zdnet.com/article/four-security-vendors-disclose-solarwinds-related-incidents/

  9. https://www.netresec.com/?page=Blog&month=2021-01&post=Finding-Targeted-SUNBURST-Victims-with-pDNS

  10. https://fidelissecurity.com/threatgeek/data-protection/ongoing-analysis-solarwinds-impact/

  11. https://www.zdnet.com/article/microsoft-was-also-breached-in-recent-solarwinds-supply-chain-hack-report/

  12. https://www.securityweek.com/vmware-cisco-reveal-impact-solarwinds-incident

  13. https://tools.cisco.com/security/center/resources/solarwinds_orion_event_response

  14. https://www.vmware.com/company/news/updates/2020/vmware-updated-statement-solarwinds.html

  15. https://www.bleepingcomputer.com/news/security/vmware-latest-to-confirm-breach-in-solarwinds-hacking-campaign/

  16. https://www.zdnet.com/article/malwarebytes-said-it-was-hacked-by-the-same-group-who-breached-solarwinds/

  17. https://blog.malwarebytes.com/malwarebytes-news/2021/01/malwarebytes-targeted-by-nation-state-actor-implicated-in-solarwinds-breach-evidence-suggests-abuse-of-privileged-access-to-microsoft-office-365-and-azure-environments/

  18. https://www.crowdstrike.com/blog/crowdstrike-launches-free-tool-to-identify-and-help-mitigate-risks-in-azure-active-directory/

  19. https://www.cyberscoop.com/crowdstrike-solarwinds-targeted-microsoft/