Skip to content

Hide Navigation Hide TOC

SUNSPOT - S0562 (bf48e7f8-752c-4ce8-bf8f-748edacd8fa6)

SUNSPOT is an implant that injected the SUNBURST backdoor into the SolarWinds Orion software update framework. It was used by APT29 since at least February 2020.(Citation: CrowdStrike SUNSPOT Implant January 2021)

Cluster A Galaxy A Cluster B Galaxy B Level
Access Token Manipulation - T1134 (dcaa092b-7de9-4a21-977f-7fcb77e89c48) Attack Pattern SUNSPOT - S0562 (bf48e7f8-752c-4ce8-bf8f-748edacd8fa6) Malware 1
File Deletion - T1070.004 (d63a3fb8-9452-4e9d-a60a-54be68d5998c) Attack Pattern SUNSPOT - S0562 (bf48e7f8-752c-4ce8-bf8f-748edacd8fa6) Malware 1
Deobfuscate/Decode Files or Information - T1140 (3ccef7ae-cb5e-48f6-8302-897105fbf55c) Attack Pattern SUNSPOT - S0562 (bf48e7f8-752c-4ce8-bf8f-748edacd8fa6) Malware 1
File and Directory Discovery - T1083 (7bc57495-ea59-4380-be31-a64af124ef18) Attack Pattern SUNSPOT - S0562 (bf48e7f8-752c-4ce8-bf8f-748edacd8fa6) Malware 1
SUNSPOT - S0562 (bf48e7f8-752c-4ce8-bf8f-748edacd8fa6) Malware Execution Guardrails - T1480 (853c4192-4311-43e1-bfbb-b11b14911852) Attack Pattern 1
Stored Data Manipulation - T1565.001 (1cfcb312-b8d7-47a4-b560-4b16cc677292) Attack Pattern SUNSPOT - S0562 (bf48e7f8-752c-4ce8-bf8f-748edacd8fa6) Malware 1
Native API - T1106 (391d824f-0ef1-47a0-b0ee-c59a75e27670) Attack Pattern SUNSPOT - S0562 (bf48e7f8-752c-4ce8-bf8f-748edacd8fa6) Malware 1
Compromise Software Supply Chain - T1195.002 (bd369cd9-abb8-41ce-b5bb-fff23ee86c00) Attack Pattern SUNSPOT - S0562 (bf48e7f8-752c-4ce8-bf8f-748edacd8fa6) Malware 1
Obfuscated Files or Information - T1027 (b3d682b6-98f2-4fb0-aa3b-b4df007ca70a) Attack Pattern SUNSPOT - S0562 (bf48e7f8-752c-4ce8-bf8f-748edacd8fa6) Malware 1
Match Legitimate Name or Location - T1036.005 (1c4e5d32-1fe9-4116-9d9d-59e3925bd6a2) Attack Pattern SUNSPOT - S0562 (bf48e7f8-752c-4ce8-bf8f-748edacd8fa6) Malware 1
Process Discovery - T1057 (8f4a33ec-8b1f-4b80-a2f6-642b2e479580) Attack Pattern SUNSPOT - S0562 (bf48e7f8-752c-4ce8-bf8f-748edacd8fa6) Malware 1
Indicator Removal - T1070 (799ace7f-e227-4411-baa0-8868704f2a69) Attack Pattern File Deletion - T1070.004 (d63a3fb8-9452-4e9d-a60a-54be68d5998c) Attack Pattern 2
Stored Data Manipulation - T1565.001 (1cfcb312-b8d7-47a4-b560-4b16cc677292) Attack Pattern Data Manipulation - T1565 (ac9e6b22-11bf-45d7-9181-c1cb08360931) Attack Pattern 2
Compromise Software Supply Chain - T1195.002 (bd369cd9-abb8-41ce-b5bb-fff23ee86c00) Attack Pattern Supply Chain Compromise - T1195 (3f18edba-28f4-4bb9-82c3-8aa60dcac5f7) Attack Pattern 2
Match Legitimate Name or Location - T1036.005 (1c4e5d32-1fe9-4116-9d9d-59e3925bd6a2) Attack Pattern Masquerading - T1036 (42e8de7b-37b2-4258-905a-6897815e58e0) Attack Pattern 2