Crowdstrike says SolarWinds hackers used component it's calling "Sunspot" to inject backdoor in Orion software. It sat on developer systems waiting for build commands to execute, checked if it was Orion software being built, then injected backdoor. Sunspot likely built 2.20.2020.
"SUNSPOT was identified on disk with a filename of taskhostsvc.exe (SHA256 Hash: c45c9bda8db1d470f1fd0dcc346dc449839eb5ce9a948c70369230af0b3ef168), and internally named taskhostw.exe by its developers."…
SolarWinds has updated the attack timeline. It now says hackers accessed SolarWinds network Sept. 4, 2019 and began their test run (which I wrote about here…) on Sept. 12, 2019. They ended test run on Nov. 4, 2019. The backdoor was compiled Feb. 20, 2020.
I should note that the Sept 4, 2019 date is just the earliest that investigators have found evidence of the attackers' presence in the SolarWinds network. They may have been in the network earlier than this, but no evidence of that yet.
I wrote in 1st tweet that SUNSPOT was compiled Feb. 20. But SolarWinds timeline says the SUNBURST backdoor (which SUNSPOT injected into the SW software) was compiled Feb. 20. Don't know if they were both compiled same day or if timeline is wrong. Here's Crowdstrike on SUNSPOT:
Also, my original tweet has confused some people, since I wrote that SUNSPOT was placed on "developer systems". I meant on the build servers that developers use, not on the personal computers of individual developers. Sorry for the confusion.

• • •

Missing some Tweet in this thread? You can try to force a refresh

Keep Current with Kim Zetter

Kim Zetter Profile picture

Stay in touch and get notified when new unrolls are available from this author!

Read all threads

This Thread may be Removed Anytime!


Twitter may remove this content at anytime! Save it as PDF for later use!

Try unrolling a thread yourself!

how to unroll video
  1. Follow @ThreadReaderApp to mention us!

  2. From a Twitter thread mention us with a keyword "unroll"
@threadreaderapp unroll

Practice here first or read more on our help page!

More from @KimZetter

9 Jan
“General Milley appears to have made no commitments. Short of the cabinet invoking the 25th Amendment or removing Mr. Trump through impeachment in the House and conviction in the Senate, it is unconstitutional to defy legal orders from the commander in chief.”
Col. Dave Butler, a spokesman for General Milley, confirmed that the phone call with the speaker had taken place but described it as informational. “He answered her questions regarding the process of nuclear command authority,” he said.
“some Defense Department officials clearly resented being asked to act outside of the legal authority of the 25th Amendment... trying to get the Pentagon to do the work of Congress and cabinet secretaries, who have legal options to remove a president...
Read 5 tweets
6 Jan
PBS Newshour reporter describes protesters shattering the glass on doors to the Capitol building, you can hear the pounding on the front door of the US Capitol in the background as she speaks - no police in the area where she's reporting
"Protestors are using the staff of an American flag to try to break through these windows," reporter says. She's talking about protestors at a balcony door/window.
She now reports that protestors are inside the building. Lawmakers have been moved to a safer location.
Read 36 tweets
5 Jan
Finished reading @zachsdorfman's 3-part series on espionage dance between China/CIA. Packed w/great reporting/detail Zach fleshes out how mutual spying and power dynamics unfolded over last decade w/ focus on massive hacking campaigns. Highly recommend…
Here's part 2 - How U.S. intelligence on China was at a nadir as Xi was rising.…
And part 3 - how China's intelligence services co-opted its tech companies to assist with processing the massive amounts of data China has stolen through hacking ops…
Read 5 tweets
4 Jan
I've seen a lot of misinfo published since the election by well-meaning people who, in trying to counter false election-fraud claims, overstate the current state of election security/integrity. Here's a good piece by experts that lays out the facts👇…
"Even though there is no compelling evidence the 2020 vote was rigged, U.S. elections are insufficiently equipped to counter such claims because of a flaw in American voting. The way we conduct elections does not routinely produce public evidence that outcomes are correct."
"We need evidence-based...processes that create strong public evidence that the reported winners really won and the reported losers really lost...

Currently, only 4 states (Colorado, Nevada, Rhode Island, and Virginia) have statutory requirements for risk-limiting audits"
Read 6 tweets
24 Dec 20
New: SolarWinds backdoor infected at least 15 entities in critical infrastructure incl electric/oil/gas/manufacture + 3 managed service providers for crit infr. No evidence hackers used backdoor to enter but may be difficult to tell due to lack of logging…
Managed service providers can have authorized remote access directly into critical infr + privileges that let them alter network, install software, and control critical operations. This means hackers who breach a provider can potentially use that provider’s credentials and access
“If [provider] has access to a network, and it’s bi-directional, it’s usually for more sensitive equipment like turbine control, and you could actually do disruptive actions," @RobertMLee told me. "But just because you have access...doesn’t mean they can then flip off the lights”
Read 9 tweets
22 Dec 20
Per briefing today on SolarWinds hack, @RonWyden says IRS was not compromised or taxpayer data affected. However, hack of Treasury Department "appears to be significant." Treasury breach began in July, "the full depth of which isn’t known."
Microsoft notified Treasury Dept that dozens of email accounts were compromised. Additionally the hackers broke into systems in the Departmental Offices division of Treasury, home to Treasury's highest-ranking officials. Treasury still doesn't know precisely what info was stolen.
.@RonWyden on SW: “[A]fter yrs of gov officials advocating for encryption backdoors and ignoring warnings from [infosec] experts who said...encryption keys [are targets] for hackers, the USG has..suffered a breach that seems to involve...stealing encryption keys from USG servers”
Read 11 tweets

Did Thread Reader help you today?

Support us! We are indie developers!

This site is made by just two indie developers on a laptop doing marketing, support and development! Read more about the story.

Become a Premium Member ($3/month or $30/year) and get exclusive features!

Become Premium

Too expensive? Make a small donation by buying us coffee ($5) or help with server cost ($10)

Donate via Paypal Become our Patreon

Thank you for your support!

Follow Us on Twitter!