APT group: UNC2452, Dark Halo, SolarStorm| Names | UNC2452 (FireEye) Dark Halo (Volexity) SolarStorm (Palo Alto) StellarParticle (CrowdStrike) | |
| Country |  Russia | |
| Sponsor | State-sponsored | |
| Motivation | Information theft and espionage | |
| First seen | 2019 | |
| Description | Security organization FireEye was hit by a security breach in early December. Analyzing how the breach happened, they found it was done through a malicious software update of the SolarWinds Orion platform – i.e. a supply-chain attack. Following the malicious infrastructure, they then found they were only one instance in a massive breach at many more organizations, many of which are government and military agencies. SolarWinds is an IT (asset) management platform that is used by around 300,000 customers worldwide, of which around 425 of the Fortune 500, as well as many critical infrastructure organizations. As for attribution, FireEye tracks this threat actor under the neutral name “UNC2452”. In the media, however, unconfirmed sources point to a well-known APT called APT 29, Cozy Bear, The Dukes, believed to be a Russian government sponsored group. Kaspersky’s findings may link this breach to another Russian APT group, Turla, Waterbug, Venomous Bear. The investigation is still in active progress. You can follow the news in our extensive (almost) daily updated whitepaper listed below. | |
| Observed | ||
| Tools used | 7-Zip, AdFind, Cobalt Strike, Mimikatz, RAINDROP, SUNBURST, SUNSPOT, SUPERNOVA, TEARDROP. | |
| Information | <https://www.dropbox.com/s/yu5uwsfyo9q4oj2/Whitepaper%20SolarWinds%20Orion%20Supply-chain%20Attack.pdf?dl=0> | |
Last change to this card: 20 January 2021
|
Thailand Computer Emergency Response Team (ThaiCERT) Follow us on
|
Report incidents |
|
 |
+66 (0)2-123-1234 | |
 |
report@thaicert.or.th | |
 |
Download PGP key | |