SolarWinds attack aftermath

Just when it seemed like the furor around the supply-chain attack on SolarWinds by a Russian-affiliated threat actor, Dark Halo, had died down, sobering new allegations came to the fore. Researchers at Kaspersky revealed that they believe a new backdoor (named “Tomiris”) is suspiciously linked to a piece of malware dubbed Sunshuttle that Dark Halo used during the SolarWinds attack. Sunshuttle, as well as the Tomiris software that closely mimics it, was written in Golang.

Its purpose was to give the criminals who created it a way to communicate with the systems they had infiltrated and to issue remote commands, allowing them to perform actions such as uploading and downloading files. Security teams identified other similarities between Tomiris and Sunshuttle, including misspellings in both codebases suggesting that the authors were not native English speakers.

Kaspersky’s discovery occurred in June of this year while it was researching DNS hijacking incidents directed against a specific nation in the Commonwealth of Independent States in December of 2020 and January of 2021. In an attempt to steal credentials from that nation’s government servers, the hackers redirected traffic away from the legitimate servers toward their own, thus jeopardizing the integrity of the data stored and transmitted.

While it is not yet an ironclad conclusion that the same bad actor developed the Tomiris and Sunshuttle malware samples, Kaspersky officials believe the likelihood is strong. If it is indeed the case that Dark Halo was responsible for both, one conclusion is clear: Dark Halo is a criminal network whose scope should not be underestimated. That organization, also known as StellarParticle, Nobelium, and UNC2452, has been linked by numerous security experts and the United States government to Russia’s Foreign Intelligence Service (SVR). Dark Halo is notorious for its 2020 attack on SolarWinds’ software development environment, in which it embedded a trojan into the company’s signed updates. This breach affected at least 1,800 organizations at a high financial and reputational cost.