SolarWinds Sunburst Attack: What Do You Need to Know and How Can You Remain Protected

The world is now facing what appears to be a 5th-generation cyber attack: a sophisticated, multi-vector campaign, potentially carried out by nation-state actors.
Check Point's teams are working closely with our customers and with industry partners to provide protections against the Sunburst attack.

What do we know by now

During the week of December 13th, US government offices disclosed that they had been targeted by a series of major cyber attacks, allegedly linked to state-sponsored threat groups.
These attacks targeted government and technology organizations worldwide.
The attacks were made possible when the attackers embedded a backdoor into SolarWinds software updates. Over 18,000 companies and government offices downloaded what appeared to be a routine software update but was in fact a Trojan horse. By abusing the trusted, routine practice of applying vendor updates, the attackers used the backdoor to compromise the organizations' assets, both in the cloud and on premises, enabling them to spy on the organization and access its data.

Check Point is helping customers stay protected with a free security check-up and an incident response hotline

Check Point offers assessment tools that organizations can use, at no charge, to identify attacks operating within their environments. These tools can pinpoint the presence of Sunburst indicators in network and endpoint activity.
Check Point resources are available to support organizations interested in using these tools.

Schedule your Security Check up now.

The Check Point Incident Response Team is available 24x7x365 to deliver incident handling services. If you believe you were exposed to the SolarWinds attack, we are a single hotline call away.
We will help you contain the threat, minimize its impact, and keep your business running. Contact us now.

Check Point Research is constantly monitoring the situation

Check Point Research, the intelligence and research arm of Check Point, has further detailed how the SolarWinds software update process was abused to craft a sophisticated supply-chain attack:

  1. SolarWinds' signing server was breached and used to sign the software updates that included the malicious code, so the trojanized update carried a valid vendor signature and passed the same signature checks as a legitimate one.
  2. SolarWinds customers who updated their software automatically and unknowingly installed the malicious backdoor as well, literally opening the door to their assets for the attackers.
  3. The backdoor communicates with a malicious server controlled by the threat actors, sending details that help identify the victim's network and organization. This beacon traffic is the earliest network-visible sign of compromise, which is why egress and DNS logs are where to hunt first.
  4. The attackers then decide whether the organization is of interest, and whether to terminate the operation or proceed with the attack.
  5. At this stage the threat actors apparently move laterally to other assets, whether hosted on premises or in the cloud. Interestingly, some publications suggest that the SolarWinds update is not the sole entry point in this campaign. We are keeping an eye open for what it might be.

From our perspective, after years of cyber threat research, we believe this is one of the most sophisticated and severe attacks seen in the wild.
This is reflected in the attack's technical complexity, the patience of the threat actors in crafting it end to end, their high operational security awareness, and their broad yet precisely selected set of victims.
This high-profile attack is further evidence of the emergence of Generation V cyber attacks. Researchers, who have named the backdoor Sunburst, say it could take years to fully comprehend the severity of this large-scale attack.

Check Point advice on protecting against the Sunburst attack

Our researchers are constantly monitoring the situation and have already issued the following advice for organizations to protect themselves:

  • Back to basics: in circumstances like these, the core security practices of least privilege and network segmentation make it harder for adversaries to reach critical assets. A single compromised server should not be able to reach every other asset in the environment.
  • Defense-in-depth: ensure that multiple protections operate in parallel to identify and prevent different attack vectors in real time, such as blocking command-and-control traffic as well as exploitation of vulnerable components.
  • Keep your security solutions up to date, so that you benefit from the ongoing investigation as new indicators and protections are released.
  • Set your security solutions to Prevent: the attackers remove their traces, so by the time you detect and analyze their actions it may already be too late.
  • The attack shows specific attention to cloud assets: review them for suspicious or abnormal activity.
  • Automated event analysis: critical to Sunburst remediation is the ability to find evidence of impact quickly, and automated event analysis tools play an important role in such investigations. Check Point makes this possible with its InfinitySOC solution. Check Point researchers have integrated publicly available Sunburst indicators as well as proprietary intelligence into InfinitySOC. Administrators can use the cloud-based platform to search for Sunburst indicators across network, cloud and endpoint environments. The solution also provides event investigation tools to drill down into findings, validate them and plan remediation steps.
    The screenshot below shows identified Sunburst indicators with their corresponding addresses, associated risk levels and attack family association, alongside timeline charts of the number of connections to each indicator.


  • For full technical details on our response to the SolarWinds attack click here
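As an added illustration of the indicator sweep described under automated event analysis, the Python script below is example code written for this page; it is not Check Point's InfinitySOC code and not SolarWinds code. It parses a handful of constructed proxy/DNS log lines, matches destinations against a placeholder indicator list by exact domain, parent-domain suffix and IP address, aggregates connections per indicator per hour (the data behind the timeline chart described above), lists which internal hosts reached which indicators, and hashes files on disk against a placeholder file indicator. Every indicator value, hostname, address, file name and log line is a constructed placeholder (RFC 5737 test addresses and .example names), not a real Sunburst IOC; a real sweep would load vetted, published indicators in place of the INDICATORS table.

```python
"""Indicator sweep over constructed logs and files. Added example for this page, not
Check Point's InfinitySOC or SolarWinds code; every indicator and log line is a placeholder."""
import hashlib
import re
import tempfile
from collections import Counter
from pathlib import Path

# Constructed stand-in for a trojanized update binary; its hash is the file indicator.
TROJANIZED_SAMPLE = b"constructed stand-in for a backdoored update DLL\n"

# Placeholder indicators by type, mapped to a risk level (a real sweep loads vetted IOCs).
INDICATORS = {
    "domain": {"update-cdn.bad.example": "critical", "telemetry.bad.example": "high"},
    "ip": {"203.0.113.10": "high"},
    "sha256": {hashlib.sha256(TROJANIZED_SAMPLE).hexdigest(): "critical"},
}

# Constructed proxy/DNS log lines: timestamp, internal source, destination IP, hostname.
SAMPLE_LOGS = """\
2020-12-14T09:12:01Z src=10.0.1.25 dst=198.51.100.7 host=www.example.org
2020-12-14T09:47:30Z src=10.0.1.25 dst=203.0.113.10 host=a1b2c3.update-cdn.bad.example
2020-12-14T09:58:10Z src=10.0.1.40 dst=203.0.113.10 host=update-cdn.bad.example
2020-12-14T10:20:09Z src=10.0.2.7 dst=203.0.113.10 host=203.0.113.10
2020-12-14T10:58:44Z src=10.0.1.25 dst=198.51.100.9 host=telemetry.bad.example
2020-12-14T11:30:00Z src=10.0.2.7 dst=198.51.100.7 host=www.example.org
2020-12-15T08:15:22Z src=10.0.1.40 dst=203.0.113.10 host=update-cdn.bad.example
this line is malformed and must be skipped rather than abort the sweep
""".splitlines()

# The "hour" group doubles as the timeline bucket.
LOG_RE = re.compile(r"^(?P<hour>\d{4}-\d{2}-\d{2}T\d{2}):\d{2}:\d{2}Z"
                    r"\s+src=(?P<src>\S+)\s+dst=(?P<dst>\S+)\s+host=(?P<host>\S+)$")

def domain_hit(host, domains):
    """Indicator domain that host equals or is a subdomain of, else None."""
    # Suffix matching matters: beacons often use per-victim subdomains of one
    # attacker-controlled parent domain, which an exact-match list would miss.
    host = host.lower().rstrip(".")
    for d in domains:
        if host == d or host.endswith("." + d):
            return d
    return None

def scan_network_logs(lines, indicators=INDICATORS):
    """One hit dict per log line whose destination matches a domain or IP indicator."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue  # malformed line: skip it, never abort the whole sweep
        base = {"hour": m["hour"], "src": m["src"]}
        d = domain_hit(m["host"], indicators["domain"])
        if d is not None:
            hits.append({**base, "type": "domain", "indicator": d, "risk": indicators["domain"][d]})
        elif m["dst"] in indicators["ip"]:
            hits.append({**base, "type": "ip", "indicator": m["dst"], "risk": indicators["ip"][m["dst"]]})
    return hits

def timeline(hits):
    """Connections per (indicator, hour): the data behind a per-indicator timeline chart."""
    return Counter((h["indicator"], h["hour"]) for h in hits)

def affected_hosts(hits):
    """Map each internal source host to the set of indicators it reached."""
    out = {}
    for h in hits:
        out.setdefault(h["src"], set()).add(h["indicator"])
    return out

def file_digest(path):
    """SHA-256 of a file, hashed in chunks so large binaries are not read into memory at once."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()

def scan_files(paths, hashes=None):
    """(path, digest, risk) for every file whose hash is a known file indicator."""
    hashes = INDICATORS["sha256"] if hashes is None else hashes
    return [(str(p), d, hashes[d]) for p in paths for d in [file_digest(p)] if d in hashes]

def demo_file_scan():
    """Write one clean and one 'trojanized' placeholder file to a temp dir and sweep them."""
    with tempfile.TemporaryDirectory() as tmp:
        clean, bad = Path(tmp) / "clean.dll", Path(tmp) / "update.dll"
        clean.write_bytes(b"benign placeholder content\n")
        bad.write_bytes(TROJANIZED_SAMPLE)
        return scan_files([clean, bad])

if __name__ == "__main__":
    hits = scan_network_logs(SAMPLE_LOGS)
    for (indicator, hour), n in sorted(timeline(hits).items()):
        print(f"{hour}  {indicator:<24} {n} connection(s)")
    for src, reached in sorted(affected_hosts(hits).items()):
        print(f"{src} reached {sorted(reached)}")
    for path, digest, risk in demo_file_scan():
        print(f"file indicator hit: {path} sha256={digest[:16]}... risk={risk}")
```

Two design points carry over to a real hunt: match domains by parent-domain suffix rather than exact string, because per-victim subdomains of one attacker-controlled domain are exactly the kind of beacon an exact-match list misses, and never let a malformed log line abort the sweep, since the lines you most need are often the odd ones. Direct-to-IP connections without a hostname are caught by the IP list only, so keep both lists populated.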