Home > List all groups > UNC2452, Dark Halo, SolarStorm

Threat Group Cards: A Threat Actor Encyclopedia

Permanent link APT group: UNC2452, Dark Halo, SolarStorm

NamesUNC2452 (FireEye)
Dark Halo (Volexity)
SolarStorm (Palo Alto)
StellarParticle (CrowdStrike)
CountryRussia Russia
MotivationInformation theft and espionage
First seen2019
DescriptionSecurity organization FireEye was hit by a security breach in early December. Analyzing how the breach happened, they found it was done through a malicious software update of the SolarWinds Orion platform – i.e. a supply-chain attack.

Following the malicious infrastructure, they then found they were only one instance in a massive breach at many more organizations, many of which are government and military agencies.

SolarWinds is an IT (asset) management platform that is used by around 300,000 customers worldwide, of which around 425 of the Fortune 500, as well as many critical infrastructure organizations.

As for attribution, FireEye tracks this threat actor under the neutral name “UNC2452”. In the media, however, unconfirmed sources point to a well-known APT called APT 29, Cozy Bear, The Dukes, believed to be a Russian government sponsored group. Kaspersky’s findings may link this breach to another Russian APT group, Turla, Waterbug, Venomous Bear.

The investigation is still in active progress. You can follow the news in our extensive (almost) daily updated whitepaper listed below.
Tools used7-Zip, AdFind, Cobalt Strike, Mimikatz, RAINDROP, SUNBURST, SUNSPOT, SUPERNOVA, TEARDROP.

Last change to this card: 20 January 2021

Download this actor card in PDF or JSON format

Previous: UltraRank
Next: Urpage

Thailand Computer Emergency Response Team (ThaiCERT)
Electronic Transactions Development Agency

Follow us on

Facebook Twitter

Report incidents

Telephone +66 (0)2-123-1234
PGP Download PGP key