SolarWinds Compromise

The [SolarWinds Compromise](https://attack.mitre.org/campaigns/C0024) was a sophisticated supply chain cyber operation conducted by [APT29](https://attack.mitre.org/groups/G0016) that was discovered in mid-December 2020. [APT29](https://attack.mitre.org/groups/G0016) used customized malware to inject malicious code into the SolarWinds Orion software build process; the trojanized build was then distributed to customers through a normal software update. They also used password spraying, token theft, API abuse, spear phishing, and other supply chain attacks to compromise user accounts and leverage their associated access. Victims of this campaign included government, consulting, technology, telecom, and other organizations in North America, Europe, Asia, and the Middle East. This activity has been labeled the StellarParticle campaign in industry reporting.(Citation: CrowdStrike StellarParticle January 2022) Industry reporting also initially referred to the actors involved in this campaign as UNC2452, NOBELIUM, Dark Halo, and SolarStorm.(Citation: SolarWinds Advisory Dec 2020)(Citation: SolarWinds Sunburst Sunspot Update January 2021)(Citation: FireEye SUNBURST Backdoor December 2020)(Citation: Volexity SolarWinds)(Citation: CrowdStrike StellarParticle January 2022)(Citation: Unit 42 SolarStorm December 2020)(Citation: Microsoft Analyzing Solorigate Dec 2020)(Citation: Microsoft Internal Solorigate Investigation Blog) In April 2021, the US and UK governments attributed the [SolarWinds Compromise](https://attack.mitre.org/campaigns/C0024) to Russia's Foreign Intelligence Service (SVR); public statements included citations to [APT29](https://attack.mitre.org/groups/G0016), Cozy Bear, and The Dukes.(Citation: NSA Joint Advisory SVR SolarWinds April 2021)(Citation: UK NSCS Russia SolarWinds April 2021)(Citation: Mandiant UNC2452 APT29 April 2022) The US government assessed that of the approximately 18,000 affected public and private sector customers of SolarWinds' Orion product, a much smaller number were compromised by follow-on [APT29](https://attack.mitre.org/groups/G0016) activity on their systems.(Citation: USG Joint Statement SolarWinds January 2021)

Start date: 1 August 2019
End date: 1 January 2021
Techniques: 71

Attributed actors
[APT29](https://attack.mitre.org/groups/G0016)

Techniques (71)

collection (6)
T1114.002  Remote Email Collection
T1213.003  Code Repositories
T1005  Data from Local System
T1213  Data from Information Repositories
T1074.002  Remote Data Staging
T1560.001  Archive via Utility

command-and-control (5)
T1568  Dynamic Resolution
T1665  Hide Infrastructure
T1090.001  Internal Proxy
T1105  Ingress Tool Transfer
T1071.001  Web Protocols

credential-access (8)
T1558.003  Kerberoasting
T1555.003  Credentials from Web Browsers
T1606.001  Web Cookies
T1555  Credentials from Password Stores
T1539  Steal Web Session Cookie
T1552.004  Private Keys
T1003.006  DCSync
T1606.002  SAML Tokens

defense-impairment (5)
T1553.002  Code Signing
T1686  Disable or Modify System Firewall
T1685  Disable or Modify Tools
T1685.001  Disable or Modify Windows Event Log
T1484.002  Trust Modification

discovery (10)
T1018  Remote System Discovery
T1069.002  Domain Groups
T1680  Local Storage Discovery
T1057  Process Discovery
T1482  Domain Trust Discovery
T1069  Permission Groups Discovery
T1087  Account Discovery
T1083  File and Directory Discovery
T1016.001  Internet Connection Discovery
T1087.002  Domain Account

execution (5)
T1059.003  Windows Command Shell
T1047  Windows Management Instrumentation
T1059.001  PowerShell
T1059.005  Visual Basic
T1053.005  Scheduled Task

exfiltration (1)
T1048.002  Exfiltration Over Asymmetric Encrypted Non-C2 Protocol

initial-access (8)
T1078  Valid Accounts
T1199  Trusted Relationship
T1133  External Remote Services
T1078.004  Cloud Accounts
T1078.002  Domain Accounts
T1190  Exploit Public-Facing Application
T1078.003  Local Accounts
T1195.002  Compromise Software Supply Chain

lateral-movement (6)
T1550.004  Web Session Cookie
T1021.001  Remote Desktop Protocol
T1021.002  SMB/Windows Admin Shares
T1550  Use Alternate Authentication Material
T1021.006  Windows Remote Management
T1550.001  Application Access Token

persistence (11)
T1078  Valid Accounts
T1098.001  Additional Cloud Credentials
T1098.005  Device Registration
T1098.003  Additional Cloud Roles
T1133  External Remote Services
T1078.004  Cloud Accounts
T1078.002  Domain Accounts
T1053.005  Scheduled Task
T1098.002  Additional Email Delegate Permissions
T1078.003  Local Accounts
T1546.003  Windows Management Instrumentation Event Subscription

privilege-escalation (11)
T1078  Valid Accounts
T1098.001  Additional Cloud Credentials
T1098.005  Device Registration
T1098.003  Additional Cloud Roles
T1078.004  Cloud Accounts
T1078.002  Domain Accounts
T1484.002  Trust Modification
T1053.005  Scheduled Task
T1098.002  Additional Email Delegate Permissions
T1078.003  Local Accounts
T1546.003  Windows Management Instrumentation Event Subscription

reconnaissance (1)
T1589.001  Credentials

resource-development (3)
T1587.001  Malware
T1583.001  Domains
T1584.001  Domains

stealth (12)
T1036.005  Match Legitimate Resource Name or Location
T1078  Valid Accounts
T1036.004  Masquerade Task or Service
T1070.006  Timestomp
T1140  Deobfuscate/Decode Files or Information
T1078.004  Cloud Accounts
T1070.004  File Deletion
T1078.002  Domain Accounts
T1070.008  Clear Mailbox Data
T1078.003  Local Accounts
T1218.011  Rundll32
T1070  Indicator Removal
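
The per-tactic listing above is what a practitioner typically turns into an ATT&CK Navigator layer to check detection coverage against this campaign. The Python below is an added example, not part of the MITRE ATT&CK page: it parses the raw extracted form of such listings, in which the tactic name is fused with its count and the technique ID is fused with its name, validates each tactic's declared count against the rows actually present, and emits a Navigator layer. The sample listing is a constructed excerpt of this page's data; the layer and Navigator version strings and the highlight colour are assumptions.

```python
"""Parse a flattened ATT&CK campaign technique listing and emit a
Navigator layer.

Added example, not code from the MITRE ATT&CK page. Input format handled:
    <tactic-slug><count>            e.g. "credential-access8"
    <technique-id><technique-name>  e.g. "T1606.002SAML Tokens"
"""
import json
import re
from collections import OrderedDict

# Constructed excerpt of the page's listing (the real page has 71 unique
# techniques across 92 tactic rows). T1078.004 is deliberately repeated
# under two tactics, as Valid Accounts sub-techniques are on the page.
SAMPLE_LISTING = """\
collection2
T1114.002Remote Email Collection
T1005Data from Local System
credential-access3
T1558.003Kerberoasting
T1003.006DCSync
T1606.002SAML Tokens
initial-access2
T1195.002Compromise Software Supply Chain
T1078.004Cloud Accounts
persistence1
T1078.004Cloud Accounts
"""

# Tactic slug (lowercase, hyphenated) immediately followed by its row count.
TACTIC_RE = re.compile(r"^([a-z][a-z-]*?)(\d+)$")
# Technique or sub-technique ID immediately followed by the display name.
TECH_RE = re.compile(r"^(T\d{4}(?:\.\d{3})?)(.+)$")


def parse_listing(text):
    """Return OrderedDict tactic -> list of (technique_id, name).

    Raises ValueError on an unrecognised line or when a tactic's declared
    count disagrees with the rows found, which flags a truncated or
    mis-extracted listing before it silently becomes a wrong layer.
    """
    tactics = OrderedDict()
    declared = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = TACTIC_RE.match(line)
        if m:
            current = m.group(1)
            declared[current] = int(m.group(2))
            tactics[current] = []
            continue
        m = TECH_RE.match(line)
        if m and current is not None:
            tactics[current].append((m.group(1), m.group(2).strip()))
            continue
        raise ValueError("unrecognised line: %r" % line)
    for tactic, techs in tactics.items():
        if len(techs) != declared[tactic]:
            raise ValueError("%s: declared %d techniques, found %d"
                             % (tactic, declared[tactic], len(techs)))
    return tactics


def total_rows(tactics):
    """Number of (tactic, technique) rows; exceeds the unique count when a
    technique is mapped to several tactics."""
    return sum(len(techs) for techs in tactics.values())


def unique_technique_ids(tactics):
    """Set of distinct technique IDs across all tactics."""
    return {tid for techs in tactics.values() for tid, _ in techs}


def to_navigator_layer(tactics, name):
    """Build an ATT&CK Navigator layer dict with one entry per
    (tactic, technique) pair, so a multi-tactic technique is highlighted
    in every column the campaign used it in."""
    techniques = []
    for tactic, techs in tactics.items():
        for tid, tname in techs:
            techniques.append({
                "techniqueID": tid,
                "tactic": tactic,
                "color": "#e60d0d",       # assumption: highlight colour
                "comment": tname,
                "enabled": True,
            })
    return {
        "name": name,
        "versions": {"layer": "4.5", "navigator": "5.0"},  # assumed versions
        "domain": "enterprise-attack",
        "techniques": techniques,
    }


if __name__ == "__main__":
    parsed = parse_listing(SAMPLE_LISTING)
    layer = to_navigator_layer(parsed, "SolarWinds Compromise (C0024) excerpt")
    print(json.dumps(layer, indent=2))
```

On this page the per-tactic counts sum to 92 rows against 71 unique techniques, because techniques such as T1078 Valid Accounts and its sub-techniques are mapped under initial-access, persistence, privilege-escalation and stealth; the layer keeps one entry per tactic/technique pair rather than collapsing them, which is how Navigator expects a multi-tactic technique to be expressed.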

Indicators of compromise

No IOCs linked to this campaign yet.