A Fifth of Sunburst Backdoor Victims from Manufacturing Industry

Nearly a fifth of organizations hit by the Sunburst backdoor emanating from the SolarWinds supply chain attack are from the manufacturing sector, a new analysis from Kaspersky has revealed.

While researchers have already uncovered technical details of the Sunburst backdoor that was embedded in the SolarWinds incident late last year, information of the full impact of the attack is still being investigated. It has been officially confirmed that around 18,000 users may have installed backdoor versions of SolarWinds, potentially leaving them at risk of further attack, but Kaspersky sought to gain more information on the types of organizations affected.

To do so, Kaspersky ICS CERT researchers compiled a list of nearly 2000 readable and attributable domains from available decoded internal domain names obtained from DNS names generated by the Sunburst DomainName Generation Algorithm. This showed that around a third (32.4%) of all victims were industrial organizations, with manufacturing (18.11% of all victims) by far the most affected. This was followed by utilities (3.24%), construction (3.03%), transportation and logistics (2.97%) and oil and gas (1.35%).

The regions in which these industrial organizations were based were wide-ranging, including Benin, Canada, Chile, Djibouti, Indonesia, Iran, Malaysia, Mexico, the Netherlands, the Philippines, Portugal, Russia, Saudi Arabia, Taiwan, Uganda and the US.

Maria Garnaeva, senior security researcher at Kaspersky, commented: “The SolarWinds software is highly integrated into many systems around the globe in different industries and, as a result, the scale of the Sunburst attack is unparalleled – a lot of organizations that had been affected might have not been of interest to the attackers initially. While we do not have evidence of a second-stage attack among these victims, we should not rule out the possibility that it may come in the future. Therefore, it is crucial for organizations that may be victims of the attack to rule out the infection and make sure they have the right incident response procedures in place.”

The cybersecurity firm advised that possible victims of the SolarWinds compromise should check whether they have installed backdoored versions and look out for known indicators of compromise, as displayed in CISA’s Alert AA20-35A.

As the fallout of the high profile incident continues, earlier this week several more cybersecurity vendors revealed that they were attacked by the same threat actors that compromised SolarWinds.

What’s Hot on Infosecurity Magazine?