SolarWinds Victims Revealed After Cracking The Sunburst Malware DGA

Security researchers have shared lists of organizations where threat actors deployed Sunburst/Solarigate malware, after ongoing investigations of the SolarWinds supply chain attack.

One of these lists—shared by cybersecurity firm Truesec—includes high-profile tech companies such as Intel, Nvidia, Cisco, Cox Communications, and Belkin, to name just a few.

Mediatek, the world’s second-largest provider of fabless semiconductors, might have also been specifically targeted in this campaign but TrueSec hasn’t yet fully confirmed the breach at this point.

How lists of SolarWinds victims were built

To build the list of victims infected with the Sunburst backdoor via the compromised update mechanism of the SolarWinds Orion IT management platform, the researchers decoded a dynamically generated part of the C2 subdomain for each of the compromised devices.

The list of encoded C2 subdomains used by the Sunburst malware was harvested from passive DNS (pDNS) datasets and web traffic pointing to the main avsvmcloud[.]com C2 domain contacted by the backdoor to exfiltrate stolen data.

Also Read: Key PDPA Amendments 2019/2020 You Should Know

By decoding this list of subdomains generated by the malware’s domain generation algorithm (DGA), TrueSec and other security firms including QiAnXin RedDrip, Kaspersky, and Prevasio [1, 2], were able to find many well-known organizations that have already or may disclose targeted attacks later on.

Organizations breached by the SolarWinds hackers

While Microsoft also found that more than 40 of its customers had their networks infiltrated following the SolarWinds supply chain attack, the company notified them but did not disclose their identity. Redmond did say that 80% of the victims were from the US and 44% were in the IT sector.

FireEye, Microsoft, and VMware were also breached by the hackers behind the SolarWinds supply chain attack but only FireEye was targeted for the second stage of the attack and had information stolen from its network.

Even though SolarWinds said that the malicious Orion updates were installed by roughly 18,000 customers in this attack, the threat actors who orchestrated it (tracked by FireEye as UNC2452 and by Volexity as Dark Halo) only targeted ‘high value’ orgs for further exploitation.

The known list of organizations hit by the SolarWinds supply chain attack also includes multiple US states and government agencies:

• U.S. Department of the Treasury
• U.S. National Telecommunications and Information Administration (NTIA)
• U.S. Department of State
• The National Institutes of Health (NIH) (Part of the U.S. Department of Health)
• U.S. Department of Homeland Security (DHS)
• U.S. Department of Energy (DOE)
• U.S. National Nuclear Security Administration (NNSA)
• Some US states (Specific states are undisclosed)

The (partial) end result

TrueSec’s extensive list of decoded Sunburst C2 subdomains provides a list of internal organization names that weren’t only infected with the backdoor but were also individually targeted and where the hackers likely escalated their attacks to further internal compromise.

“We have decoded the DGA parts of the requests to identify internal domain names of compromised organizations, correlated that with the responses received from the threat actor server, and mapped them with the hardcoded list of IP ranges in the backdoor code,” TrueSec said.

This allowed the researchers to get a partial list of breached organizations, as well as pinpoint the ones which were singled out by the hacking group for the second stage of the attack.

“This list contains the decoded values of internal domain names. We can therefore only assume that they belong to an organization based on the name of the domains and publicly available information,” TrueSec added.

“More information will be disclosed during the upcoming months but the full extent of this breach will most likely never be communicated to the public, and instead will be restricted to trusted parts of the intelligence community.”

The current list of decoded internal names for some of the companies that were breached by the SolarWinds hackers is embedded below (the organization names might be inaccurate given that they are based on decoded internal names).

Also Read: The 5 Benefits Of Outsourcing Data Protection Officer Service

Decoded Internal Name	Organization (possibly inaccurate)	Response Address Family	Command	First Seen
mnh.rg-law.ac.il	College of Law and Business, Israel	NetBios	HTTP Backdoor	2020-05-26
ad001.mtk.lo	Mediatek	NetBios	HTTP Backdoor	2020-08-26
Aeria		NetBios	HTTP Backdoor	2020-06-26
Ameri		NetBios	HTTP Backdoor	2020-08-02
ank.com	Ankcom Communications	NetBios	HTTP Backdoor	2020-06-06
azlcyy		NetBios	HTTP Backdoor	2020-08-07
banccentral.com	BancCentral Financial Services Corp.	NetBios	HTTP Backdoor	2020-07-03
barrie.ca	City of Barrie	NetBios	HTTP Backdoor	2020-05-13
BCC.l		NetBios	HTTP Backdoor	2020-08-22
bhq.lan		NetBios	HTTP Backdoor	2020-08-18
cds.capilanou.	Capilano University	NetBios	HTTP Backdoor	2020-08-27
Centr		NetBios	HTTP Backdoor	2020-06-24
chc.dom		NetBios	HTTP Backdoor	2020-08-04
christieclinic.	Christie Clinic Telehealth	NetBios	HTTP Backdoor	2020-04-22
CIMBM		NetBios	HTTP Backdoor	2020-09-25
CIRCU		NetBios	HTTP Backdoor	2020-05-30
CONSO		NetBios	HTTP Backdoor	2020-06-17
corp.ptci.com	Pioneer Telephone Scholarship Recipients	NetBios	HTTP Backdoor	2020-06-19
corp.stingraydi	Stingray (Media and entertainment)	NetBios	HTTP Backdoor	2020-06-10
corp.stratusnet	Stratus Networks	NetBios	HTTP Backdoor	2020-04-28
cosgroves.local	Cosgroves (Building services consulting)	NetBios	HTTP Backdoor	2020-08-25
COTES	Cotes (Humidity Management)	NetBios	HTTP Backdoor	2020-07-25
csnt.princegeor	City of Prince George	NetBios	HTTP Backdoor	2020-09-18
cys.local	CYS Group (Marketing analytics)	NetBios	HTTP Backdoor	2020-07-10
digitalsense.co	Digital Sense (Cloud Services)	NetBios	HTTP Backdoor	2020-06-24
ehtuh-		NetBios	HTTP Backdoor	2020-05-01
escap.org		NetBios	HTTP Backdoor	2020-07-10
f.gnam		NetBios	HTTP Backdoor	2020-04-04
fhc.local		NetBios	HTTP Backdoor	2020-07-06
fidelitycomm.lo	Fidelity Communications (ISP)	NetBios	HTTP Backdoor	2020-06-02
fisherbartoninc.com	The Fisher Barton Group (Blade Manufacturer)	NetBios	HTTP Backdoor	2020-05-15
fmtn.ad	City of Farmington	NetBios	HTTP Backdoor	2020-07-21
FWO.I		NetBios	HTTP Backdoor	2020-08-05
ggsg-us.cisco	Cisco GGSG	NetBios	HTTP Backdoor	2020-06-24
ghsmain1.ggh.g		NetBios	HTTP Backdoor	2020-06-09
gxw		NetBios	HTTP Backdoor	2020-07-07
htwanmgmt.local		NetBios	HTTP Backdoor	2020-07-22
ieb.go.id		NetBios	HTTP Backdoor	2020-06-12
int.ncahs.net		NetBios	HTTP Backdoor	2020-09-23
internal.jtl.c		NetBios	HTTP Backdoor	2020-05-19
ironform.com	Ironform (metal fabrication)	NetBios	HTTP Backdoor	2020-06-19
isi		NetBios	HTTP Backdoor	2020-07-06
itps.uk.net	Infection Prevention Society (IPS)	NetBios	HTTP Backdoor	2020-08-11
jxxyx.		NetBios	HTTP Backdoor	2020-06-26
kcpl.com	Kansas City Power and Light Company	NetBios	HTTP Backdoor	2020-07-07
keyano.local	Keyano College	NetBios	HTTP Backdoor	2020-06-03
khi0kl		NetBios	HTTP Backdoor	2020-08-26
lhc_2f		NetBios	HTTP Backdoor	2020-04-18
lufkintexas.net	Lufkin (City in Texas)	NetBios	HTTP Backdoor	2020-07-07
magnoliaisd.loc	Magnolia Independent School District	NetBios	HTTP Backdoor	2020-06-01
MOC.l		NetBios	HTTP Backdoor	2020-04-30
moncton.loc	City of Moncton	NetBios	HTTP Backdoor	2020-08-25
mountsinai.hosp	Mount Sinai Hospital	NetBios	HTTP Backdoor	2020-07-02
netdecisions.lo	Netdecisions (IT services)	NetBios	HTTP Backdoor	2020-10-04
newdirections.k		NetBios	HTTP Backdoor	2020-04-21
nswhealth.net	NSW Health	NetBios	HTTP Backdoor	2020-06-12
nzi_9p		NetBios	HTTP Backdoor	2020-08-04
city.kingston.on.ca	City of Kingston, Ontario, Canada	NetBios	HTTP Backdoor	2020-06-15
dufferincounty.on.ca	Dufferin County, Ontario, Canada	NetBios	HTTP Backdoor	2020-07-17
osb.local		NetBios	HTTP Backdoor	2020-04-28
oslerhc.org	William Osler Health System	NetBios	HTTP Backdoor	2020-07-11
pageaz.gov	City of Page	NetBios	HTTP Backdoor	2020-04-19
pcsco.com	Professional Computer Systems	NetBios	HTTP Backdoor	2020-07-23
pkgix_		NetBios	HTTP Backdoor	2020-07-15
pqcorp.com	PQ Corporation	NetBios	HTTP Backdoor	2020-07-02
prod.hamilton.	Hamilton Company	NetBios	HTTP Backdoor	2020-08-19
resprod.com	Res Group (Renewable energy company)	NetBios	HTTP Backdoor	2020-05-06
RPM.l		NetBios	HTTP Backdoor	2020-05-28
sdch.local	South Davis Community Hospital	NetBios	HTTP Backdoor	2020-05-18
servitia.intern		NetBios	HTTP Backdoor	2020-06-16
sfsi.stearnsban	Stearns Bank	NetBios	HTTP Backdoor	2020-08-02
signaturebank.l	Signature Bank	NetBios	HTTP Backdoor	2020-06-25
sm-group.local	SM Group (Distribution)	NetBios	HTTP Backdoor	2020-07-07
te.nz	TE Connectivity (Sensor manufacturer)	NetBios	HTTP Backdoor	2020-05-13
thx8xb		NetBios	HTTP Backdoor	2020-06-16
tx.org		NetBios	HTTP Backdoor	2020-07-15
usd373.org	Newton Public Schools	NetBios	HTTP Backdoor	2020-08-01
uzq		NetBios	HTTP Backdoor	2020-10-02
ville.terrebonn	Ville de Terrebonne	NetBios	HTTP Backdoor	2020-08-02
wrbaustralia.ad	W. R. Berkley Insurance Australia	NetBios	HTTP Backdoor	2020-07-11
ykz		NetBios	HTTP Backdoor	2020-07-11
2iqzth		ImpLink	Enum processes	2020-06-17
3if.2l	3IF (Industrial Internet)	ImpLink	Enum processes	2020-08-20
airquality.org	Sacramento Metropolitan Air Quality Management District	ImpLink	Enum processes	2020-08-09
ansc.gob.pe	GOB (Digital Platform of the Peruvian State)	ImpLink	Enum processes	2020-07-25
bcofsa.com.ar	Banco de Formosa	ImpLink	Enum processes	2020-07-13
bi.corp		ImpLink	Enum processes	2020-12-14
bop.com.pk	The Bank of Punjab	ImpLink	Enum processes	2020-09-18
camcity.local		ImpLink	Enum processes	2020-08-07
cow.local		ImpLink	Enum processes	2020-06-13
deniz.denizbank	DenizBank	ImpLink	Enum processes	2020-11-14
ies.com	IES Communications (Communications technology)	ImpLink	Enum processes	2020-06-11
insead.org	INSEAD Business School	ImpLink	Enum processes	2020-11-07
KS.LO		ImpLink	Enum processes	2020-07-10
mixonhill.com	Mixon Hill (intelligent transportation systems)	ImpLink	Enum processes	2020-04-29
ni.corp.natins		ImpLink	Enum processes	2020-10-24
phabahamas.org	Public Hospitals Authority, Caribbean	ImpLink	Enum processes	2020-11-05
rbe.sk.ca	Regina Public Schools	ImpLink	Enum processes	2020-08-20
spsd.sk.ca	Saskatoon Public Schools	ImpLink	Enum processes	2020-06-12
yorkton.cofy	Community Options for Families & Youth	ImpLink	Enum processes	2020-05-08
.sutmf		Ipx	Update config	2020-06-25
atg.local		No Match	Unknown	2020-05-11
bisco.int	Bisco International (Adhesives and tapes)	No Match	Unknown	2020-04-30
ccscurriculum.c		No Match	Unknown	2020-04-18
e-idsolutions.	IDSolutions (video conferencing)	No Match	Unknown	2020-07-16
ETC1.		No Match	Unknown	2020-08-01
gk5		No Match	Unknown	2020-07-09
grupobazar.loca		No Match	Unknown	2020-06-07
internal.hws.o		No Match	Unknown	2020-05-23
n2k		No Match	Unknown	2020-07-12
publiser.it		No Match	Unknown	2020-07-05
us.deloitte.co	Deloitte	No Match	Unknown	2020-07-08
ush.com		No Match	Unknown	2020-06-15
xijtt-		No Match	Unknown	2020-07-21
xnet.kz	X NET (IT provider in Kazakhstan)	No Match	Unknown	2020-06-09
zu0		No Match	Unknown	2020-08-13
staff.technion.ac.il		N/A	N/A	N/A
digitalreachinc.com		N/A	N/A	N/A
orient-express.com		N/A	N/A	N/A
tr.technion.ac.il		N/A	N/A	N/A
lasers.state.la.us		N/A	N/A	N/A
ABLE.		N/A	N/A	N/A
abmuh_		N/A	N/A	N/A
acmedctr.ad		N/A	N/A	N/A
ad.azarthritis.com		N/A	N/A	N/A
ad.library.ucla.edu		N/A	N/A	N/A
ad.optimizely.		N/A	N/A	N/A
admin.callidusc		N/A	N/A	N/A
aerioncorp.com		N/A	N/A	N/A
agloan.ads		N/A	N/A	N/A
ah.org		N/A	N/A	N/A
AHCCC		N/A	N/A	N/A
allegronet.co.		N/A	N/A	N/A
alm.brand.dk		N/A	N/A	N/A
amalfi.local		N/A	N/A	N/A
americas.phoeni		N/A	N/A	N/A
amr.corp.intel		N/A	N/A	N/A
apu.mn		N/A	N/A	N/A
ARYZT		N/A	N/A	N/A
b9f9hq		N/A	N/A	N/A
BE.AJ		N/A	N/A	N/A
belkin.com		N/A	N/A	N/A
bk.local		N/A	N/A	N/A
bmrn.com		N/A	N/A	N/A
bok.com		N/A	N/A	N/A
btb.az		N/A	N/A	N/A
c4e-internal.c		N/A	N/A	N/A
calsb.org		N/A	N/A	N/A
casino.prv		N/A	N/A	N/A
cda.corp		N/A	N/A	N/A
central.pima.g		N/A	N/A	N/A
cfsi.local		N/A	N/A	N/A
ch.local		N/A	N/A	N/A
ci.dublin.ca.		N/A	N/A	N/A
cisco.com		N/A	N/A	N/A
corp.dvd.com		N/A	N/A	N/A
corp.sana.com		N/A	N/A	N/A
Count		N/A	N/A	N/A
COWI.		N/A	N/A	N/A
coxnet.cox.com		N/A	N/A	N/A
CRIHB		N/A	N/A	N/A
cs.haystax.loc		N/A	N/A	N/A
csa.local		N/A	N/A	N/A
csci-va.com		N/A	N/A	N/A
csqsxh		N/A	N/A	N/A
DCCAT		N/A	N/A	N/A
deltads.ent		N/A	N/A	N/A
detmir-group.r		N/A	N/A	N/A
dhhs-		N/A	N/A	N/A
dmv.state.nv.		N/A	N/A	N/A
dotcomm.org		N/A	N/A	N/A
DPCIT		N/A	N/A	N/A
dskb2x		N/A	N/A	N/A
e9.2pz		N/A	N/A	N/A
ebe.co.roanoke.va.us		N/A	N/A	N/A
ecobank.group		N/A	N/A	N/A
ecocorp.local		N/A	N/A	N/A
epl.com		N/A	N/A	N/A
fremont.lamrc.		N/A	N/A	N/A
FSAR.		N/A	N/A	N/A
ftfcu.corp		N/A	N/A	N/A
gksm.local		N/A	N/A	N/A
gloucesterva.ne		N/A	N/A	N/A
glu.com		N/A	N/A	N/A
gnb.local		N/A	N/A	N/A
gncu.local		N/A	N/A	N/A
gsf.cc		N/A	N/A	N/A
gyldendal.local		N/A	N/A	N/A
helixwater.org		N/A	N/A	N/A
hgvc.com		N/A	N/A	N/A
ia.com		N/A	N/A	N/A
inf.dc.net		N/A	N/A	N/A
ingo.kg		N/A	N/A	N/A
innout.corp		N/A	N/A	N/A
int.lukoil-international.uz		N/A	N/A	N/A
intensive.int		N/A	N/A	N/A
ions.com		N/A	N/A	N/A
its.iastate.ed		N/A	N/A	N/A
jarvis.lab		N/A	N/A	N/A
-jlowd		N/A	N/A	N/A
jn05n8		N/A	N/A	N/A
jxb3eh		N/A	N/A	N/A
k.com		N/A	N/A	N/A
LABEL		N/A	N/A	N/A
milledgeville.l		N/A	N/A	N/A
nacr.com		N/A	N/A	N/A
ncpa.loc		N/A	N/A	N/A
neophotonics.co		N/A	N/A	N/A
net.vestfor.dk		N/A	N/A	N/A
nih.if		N/A	N/A	N/A
nvidia.com		N/A	N/A	N/A
on-pot		N/A	N/A	N/A
ou0yoy		N/A	N/A	N/A
paloverde.local		N/A	N/A	N/A
pl8uw0		N/A	N/A	N/A
q9owtt		N/A	N/A	N/A
rai.com		N/A	N/A	N/A
rccf.ru		N/A	N/A	N/A
repsrv.com		N/A	N/A	N/A
ripta.com		N/A	N/A	N/A
roymerlin.com		N/A	N/A	N/A
rs.local		N/A	N/A	N/A
rst.atlantis-pak.ru		N/A	N/A	N/A
sbywx3		N/A	N/A	N/A
sc.pima.gov		N/A	N/A	N/A
scif.com		N/A	N/A	N/A
SCMRI		N/A	N/A	N/A
scroot.com		N/A	N/A	N/A
seattle.interna		N/A	N/A	N/A
securview.local		N/A	N/A	N/A
SFBAL		N/A	N/A	N/A
SF-Li		N/A	N/A	N/A
siskiyous.edu		N/A	N/A	N/A
sjhsagov.org		N/A	N/A	N/A
Smart		N/A	N/A	N/A
smes.org		N/A	N/A	N/A
sos-ad.state.nv.us		N/A	N/A	N/A
sro.vestfor.dk		N/A	N/A	N/A
superior.local		N/A	N/A	N/A
swd.local		N/A	N/A	N/A
ta.org		N/A	N/A	N/A
taylorfarms.com		N/A	N/A	N/A
thajxq		N/A	N/A	N/A
thoughtspot.int		N/A	N/A	N/A
tsyahr		N/A	N/A	N/A
tv2.local		N/A	N/A	N/A
uis.kent.edu		N/A	N/A	N/A
uncity.dk		N/A	N/A	N/A
uont.com		N/A	N/A	N/A
viam-invenient		N/A	N/A	N/A
vms.ad.varian.com		N/A	N/A	N/A
vsp.com		N/A	N/A	N/A
WASHO		N/A	N/A	N/A
weioffice.com		N/A	N/A	N/A
wfhf1.hewlett.		N/A	N/A	N/A
woodruff-sawyer		N/A	N/A	N/A
HQ.RE-wwgi2xnl		N/A	N/A	N/A
xdxinc.net		N/A	N/A	N/A
y9k.in		N/A	N/A	N/A
zeb.i8		N/A	N/A	N/A
zippertubing.co		N/A	N/A	N/A