C0024: SolarWinds Compromise
The SolarWinds Compromise was a sophisticated supply chain cyber operation conducted by APT29 that was discovered in mid-December 2020. APT29 used customized malware to inject malicious code into the SolarWinds Orion software build process that was later distributed through a normal software update; they also used password spraying, token theft, API abuse, spear phishing, and other supply chain attacks to compromise user accounts and leverage their associated access. Victims of this campaign included government, consulting, technology, telecom, and other organizations in North America, Europe, Asia, and the Middle East. This activity has been labeled the StellarParticle campaign in industry reporting.[1] Industry reporting also initially referred to the actors involved in this campaign as UNC2452, NOBELIUM, Dark Halo, and SolarStorm.[2][3][4][5][1][6][7][8]
In April 2021, the US and UK governments attributed the SolarWinds Compromise to Russia's Foreign Intelligence Service (SVR); public statements included citations to APT29, Cozy Bear, and The Dukes.[9][10][11] The US government assessed that of the approximately 18,000 affected public and private sector customers of SolarWinds’ Orion product, a much smaller number were compromised by follow-on APT29 activity on their systems.[12]
Analyst context for executives and security teams
The SolarWinds Compromise matters because it shows how a trusted software update and identity access can become the path into many organizations at once. For leaders, the decision value is not only “was SolarWinds present,” but whether the organization can prove which software supply-chain paths, privileged accounts, tokens, APIs, and remote administration channels would reveal follow-on compromise quickly enough to protect operations.
Executive priority
Prioritize this as a supply-chain, identity, and incident-readiness benchmark. The ATT&CK record describes malicious code injected into the SolarWinds Orion build process, followed by activity such as password spraying, token theft, API abuse, spear phishing, and follow-on access. Executives should ask whether vendor software risk, privileged identity monitoring, cloud/API auditability, and cross-environment incident response are funded and evidenced well enough for regulators, boards, and customers after a major supplier-driven incident.
Technical view
MITRE provides no campaign-level detection text, so defenders should validate coverage from the related behaviors and tools. The relationship set ties the campaign to APT29 and to tools/malware including SUNBURST, SUNSPOT, TEARDROP, Raindrop, GoldMax, Sibot, GoldFinder, TrailBlazer, Mimikatz, Cobalt Strike, and AdFind. It also maps use of DCSync, local data collection, internet and remote system discovery, RDP, SMB/admin shares, WinRM, masquerading, WMI, encrypted exfiltration, and scheduled tasks. SOC and IR teams should test whether endpoint, identity, directory services, network, and administrative activity logs can reconstruct these paths across Windows-heavy environments and any related Linux, macOS, ESXi, or network-device telemetry referenced by mapped techniques.
Likely telemetry
- Software inventory and update history for SolarWinds Orion or other high-trust enterprise software where locally applicable
- Endpoint process, module/DLL, service, scheduled task, WMI, and script execution telemetry
- Windows authentication, RDP, SMB/admin share, WinRM, and lateral movement logs
- Active Directory and domain controller replication-related events relevant to DCSync-style abuse
- Identity provider, token, API, and cloud audit logs where accounts and APIs are in scope
Detection direction
- Do not rely on a single SolarWinds indicator; validate the full chain from software update trust to identity abuse, lateral movement, discovery, persistence, and exfiltration.
- Tune detections around abnormal use of legitimate administration channels such as RDP, SMB/admin shares, WinRM, WMI, and scheduled tasks, with allowlists for expected admin activity to reduce false positives.
- Review privileged account and domain controller monitoring for replication-like behavior associated with DCSync, especially where highly privileged rights are broadly assigned.
- Correlate directory enumeration tools such as AdFind, credential access tooling such as Mimikatz, and post-exploitation frameworks such as Cobalt Strike with account context, host role, and remote logon history.
- Validate retention and access to identity/API/token logs; the campaign description specifically includes token theft and API abuse, which may be missed if monitoring is endpoint-only.
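As an added example of the DCSync monitoring called for above (not MITRE or Glexia code), the following Python flags directory replication requests in Windows Security event 4662 records that come from accounts other than domain controllers or an explicitly approved sync account. The field names, the sample accounts and the event records are assumptions constructed for the example.

```python
"""Flag DCSync-style directory replication requests in Windows Security event 4662 data.

Added example for this page, not MITRE or Glexia code. Field names follow the
usual XML/SIEM export of event 4662 (SubjectUserName, ObjectType, Properties,
AccessMask); the event records at the bottom are constructed sample data."""
import re
from dataclasses import dataclass
from typing import Dict, Iterable, List, Set

# Control access right GUIDs that appear in the 4662 Properties field when a
# client asks a domain controller for directory replication. Get-Changes-All is
# the right that also returns secret attributes such as password hashes.
REPLICATION_RIGHTS: Dict[str, str] = {
    "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Get-Changes",
    "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Get-Changes-All",
    "89e95b76-444d-4c62-991a-0facbeda640c": "DS-Replication-Get-Changes-In-Filtered-Set",
}
GUID_RE = re.compile(r"[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}", re.I)
CONTROL_ACCESS = 0x100  # AccessMask bit set for control-access operations


@dataclass
class Event4662:
    computer: str        # domain controller that logged the event
    subject_user: str    # SubjectUserName: account that requested the operation
    subject_domain: str  # SubjectDomainName
    object_type: str     # ObjectType: replication targets the domainDNS object
    properties: str      # Properties: control access right GUIDs, one per line
    access_mask: int     # AccessMask


@dataclass
class Finding:
    computer: str
    account: str
    rights: List[str]
    severity: str


def replication_rights(event: Event4662) -> List[str]:
    """Names of the replication rights requested in this event (empty if none)."""
    guids = (g.lower() for g in GUID_RE.findall(event.properties))
    return sorted(REPLICATION_RIGHTS[g] for g in guids if g in REPLICATION_RIGHTS)


def detect_dcsync(events: Iterable[Event4662], dc_accounts: Set[str],
                  sync_accounts: Set[str]) -> List[Finding]:
    """Report replication requests from any account that is neither a domain
    controller machine account nor an explicitly approved sync account.

    The allowlist matters: Azure AD Connect's MSOL_* account legitimately
    replicates for password hash sync, so it must be named rather than ignored
    by pattern. Severity is high when Get-Changes-All (secrets) is requested."""
    findings: List[Finding] = []
    for ev in events:
        if (ev.access_mask & CONTROL_ACCESS) == 0:
            continue  # not a control-access operation
        rights = replication_rights(ev)
        if not rights or ev.subject_user in dc_accounts or ev.subject_user in sync_accounts:
            continue
        severity = "high" if "DS-Replication-Get-Changes-All" in rights else "medium"
        findings.append(Finding(ev.computer, f"{ev.subject_domain}\\{ev.subject_user}",
                                rights, severity))
    return findings


# Constructed sample events (not real telemetry).
BOTH = "{1131f6aa-9c07-11d1-f79f-00c04fc2dcd2}\n{1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}"
SAMPLE_EVENTS = [
    Event4662("DC01", "DC02$", "CORP", "domainDNS", BOTH, 0x100),          # DC-to-DC replication
    Event4662("DC01", "MSOL_4f1e2a9b", "CORP", "domainDNS", BOTH, 0x100),  # approved sync account
    Event4662("DC01", "jdoe", "CORP", "domainDNS", BOTH, 0x100),           # user pulling secrets
    Event4662("DC01", "svc_backup", "CORP", "domainDNS",
              "{1131f6aa-9c07-11d1-f79f-00c04fc2dcd2}", 0x100),             # Get-Changes only
    Event4662("DC01", "jdoe", "CORP", "user",
              "{00000000-0000-0000-0000-000000000000}", 0x10),              # unrelated, constructed GUID
]
KNOWN_DCS = {"DC01$", "DC02$"}
APPROVED_SYNC = {"MSOL_4f1e2a9b"}

if __name__ == "__main__":
    for f in detect_dcsync(SAMPLE_EVENTS, KNOWN_DCS, APPROVED_SYNC):
        print(f"{f.severity.upper():6} {f.account} on {f.computer}: {', '.join(f.rights)}")
```

Feed it the 4662 events from every domain controller, not one; the requesting account is only visible on the DC that served the replication call.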
Mitigation priorities
- Start with incident-readiness evidence: maintain authoritative software inventory, supplier exposure records, and the ability to identify affected hosts and update timelines quickly.
- Harden identity paths: reduce standing privilege, review domain replication rights, enforce strong authentication where applicable, and monitor token/API use for abnormal access.
- Restrict and monitor remote administration protocols such as RDP, SMB/admin shares, WinRM, WMI, and scheduled task creation to known administrators, management hosts, and approved workflows.
- Improve endpoint and directory telemetry coverage before tuning advanced detections; missing logs will prevent reconstruction of follow-on compromise.
- Segment critical systems and high-value management infrastructure so supplier-origin access or compromised credentials do not automatically provide broad lateral movement.
Analyst notes and limits
This ATT&CK object is a campaign, not a single technique. Its value for defensive planning comes from the relationship context: APT29 attribution, named malware/tools, and mapped techniques spanning supply-chain compromise, credential access, discovery, lateral movement, persistence, stealth, collection, and exfiltration. Use it as a scenario for control validation rather than as a standalone detection rule.
Official detection is not provided and the campaign object itself lists no platforms or tactics. Platform and tactic guidance above is derived only from supplied related software and technique records. Local exposure, tool presence, vendor history, and actual detection coverage require environment-specific evidence.
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
Techniques used
This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.
| Domain | ID | Name | Relationship / procedure |
|---|---|---|---|
| Enterprise | T1606.002 | SAML Tokens Sub-technique | During the SolarWinds Compromise, APT29 created tokens using compromised SAML signing certificates. (Citations: Microsoft - Customer Guidance on Recent Nation-State Cyber Attacks; Secureworks IRON RITUAL Profile) |
| Enterprise | T1078.004 | Cloud Accounts Sub-technique | During the SolarWinds Compromise, APT29 used a compromised O365 administrator account to create a new Service Principal. (Citation: CrowdStrike StellarParticle January 2022) |
| Enterprise | T1053.005 | Scheduled Task Sub-technique | During the SolarWinds Compromise, APT29 used `scheduler` and `schtasks` to create new tasks on remote hosts as part of their lateral movement. They manipulated scheduled tasks by updating an existing legitimate task to execute their tools and then returned the scheduled task to its original configuration. APT29 also created a scheduled task to maintain SUNSPOT persistence when the host booted. (Citations: Volexity SolarWinds; FireEye SUNBURST Backdoor December 2020; CrowdStrike SUNSPOT Implant January 2021) |
| Enterprise | T1087.002 | Domain Account Sub-technique | During the SolarWinds Compromise, APT29 used PowerShell to discover domain accounts by executing `Get-ADUser` and `Get-ADGroupMember`. (Citations: CrowdStrike StellarParticle January 2022; Secureworks IRON RITUAL Profile) |
| Enterprise | T1090.001 | Internal Proxy Sub-technique | During the SolarWinds Compromise, APT29 used SSH port forwarding capabilities on public-facing systems, and configured at least one instance of Cobalt Strike to use a network pipe over SMB. (Citations: CrowdStrike StellarParticle January 2022; Symantec RAINDROP January 2021) |
| Enterprise | T1114.002 | Remote Email Collection Sub-technique | During the SolarWinds Compromise, APT29 collected emails from specific individuals, such as executives and IT staff, using `New-MailboxExportRequest` followed by `Get-MailboxExportRequest`. (Citations: Volexity SolarWinds; Cybersecurity Advisory SVR TTP May 2021) |
| Enterprise | T1069.002 | Domain Groups Sub-technique | During the SolarWinds Compromise, APT29 used AdFind to enumerate domain groups. (Citation: CrowdStrike StellarParticle January 2022) |
| Enterprise | T1057 | Process Discovery | During the SolarWinds Compromise, APT29 used multiple command-line utilities to enumerate running processes. (Citations: Volexity SolarWinds; Microsoft Deep Dive Solorigate January 2021; CrowdStrike StellarParticle January 2022) |
| Enterprise | T1584.001 | Domains Sub-technique | For the SolarWinds Compromise, APT29 compromised domains to use for C2. (Citation: MSTIC NOBELIUM Mar 2021) |
| Enterprise | T1016.001 | Internet Connection Discovery Sub-technique | During the SolarWinds Compromise, APT29 used GoldFinder to perform HTTP GET requests to check internet connectivity and identify HTTP proxy servers and other redirectors that an HTTP request travels through. (Citation: MSTIC NOBELIUM Mar 2021) |
| Enterprise | T1550 | Use Alternate Authentication Material | During the SolarWinds Compromise, APT29 used forged SAML tokens that allowed the actors to impersonate users and bypass MFA, enabling APT29 to access enterprise cloud applications and services. (Citations: Microsoft 365 Defender Solorigate; Secureworks IRON RITUAL Profile) |
| Enterprise | T1555.003 | Credentials from Web Browsers Sub-technique | During the SolarWinds Compromise, APT29 stole users' saved passwords from Chrome. (Citation: CrowdStrike StellarParticle January 2022) |
| Enterprise | T1078.002 | Domain Accounts Sub-technique | During the SolarWinds Compromise, APT29 used domain administrators' accounts to help facilitate lateral movement on compromised networks. (Citation: CrowdStrike StellarParticle January 2022) |
| Enterprise | T1036.005 | Match Legitimate Resource Name or Location Sub-technique | During the SolarWinds Compromise, APT29 renamed software and DLLs with legitimate names to appear benign. (Citations: Volexity SolarWinds; Microsoft Analyzing Solorigate Dec 2020) |
| Enterprise | T1665 | Hide Infrastructure | During the SolarWinds Compromise, APT29 set the hostnames of their C2 infrastructure to match legitimate hostnames in the victim environment. They also used IP addresses originating from the same country as the victim for their VPN infrastructure. (Citation: FireEye SUNBURST Backdoor December 2020) |
| Enterprise | T1098.002 | Additional Email Delegate Permissions Sub-technique | During the SolarWinds Compromise, APT29 added their own devices as allowed IDs for ActiveSync using `Set-CASMailbox`, allowing them to obtain copies of victim mailboxes. They also added additional permissions (such as Mail.Read and Mail.ReadWrite) to compromised Application or Service Principals. (Citations: Volexity SolarWinds; Microsoft - Customer Guidance on Recent Nation-State Cyber Attacks; MSTIC Nobelium Oct 2021) |
| Enterprise | T1021.001 | Remote Desktop Protocol Sub-technique | During the SolarWinds Compromise, APT29 used RDP sessions from public-facing systems to internal servers. (Citation: CrowdStrike StellarParticle January 2022) |
| Enterprise | T1213 | Data from Information Repositories | During the SolarWinds Compromise, APT29 accessed victims' internal knowledge repositories (wikis) to view sensitive corporate information on products, services, and internal business operations. (Citation: CrowdStrike StellarParticle January 2022) |
| Enterprise | T1021.002 | SMB/Windows Admin Shares Sub-technique | During the SolarWinds Compromise, APT29 used administrative accounts to connect over SMB to targeted users. (Citation: CrowdStrike StellarParticle January 2022) |
| Enterprise | T1059.005 | Visual Basic Sub-technique | For the SolarWinds Compromise, APT29 wrote malware such as Sibot in Visual Basic. (Citation: Cybersecurity Advisory SVR TTP May 2021) |
| Enterprise | T1568 | Dynamic Resolution | During the SolarWinds Compromise, APT29 used dynamic DNS resolution to construct and resolve to randomly generated subdomains for C2. (Citation: Volexity SolarWinds) |
| Enterprise | T1589.001 | Credentials Sub-technique | For the SolarWinds Compromise, APT29 conducted credential theft operations to obtain credentials to be used for access to victim environments. (Citation: CrowdStrike StellarParticle January 2022) |
| Enterprise | T1552.004 | Private Keys Sub-technique | During the SolarWinds Compromise, APT29 obtained PKI keys, certificate files, and the private encryption key from an Active Directory Federation Services (AD FS) container to decrypt corresponding SAML signing certificates. (Citations: Microsoft 365 Defender Solorigate; Cybersecurity Advisory SVR TTP May 2021) |
| Enterprise | T1587.001 | Malware Sub-technique | For the SolarWinds Compromise, APT29 used numerous pieces of malware that were likely developed for or by the group, including SUNBURST, SUNSPOT, Raindrop, and TEARDROP. (Citations: FireEye SUNBURST Backdoor December 2020; CrowdStrike SUNSPOT Implant January 2021; Microsoft Deep Dive Solorigate January 2021) |
| Enterprise | T1140 | Deobfuscate/Decode Files or Information | During the SolarWinds Compromise, APT29 used 7-Zip to decode their Raindrop malware. (Citation: Symantec RAINDROP January 2021) |
| Enterprise | T1005 | Data from Local System | During the SolarWinds Compromise, APT29 extracted files from compromised networks. (Citation: Volexity SolarWinds) |
| Enterprise | T1685.001 | Disable or Modify Windows Event Log Sub-technique | During the SolarWinds Compromise, APT29 used `AUDITPOL` to prevent the collection of audit logs. (Citation: Microsoft Deep Dive Solorigate January 2021) |
| Enterprise | T1083 | File and Directory Discovery | During the SolarWinds Compromise, APT29 obtained information about the configured Exchange virtual directory using `Get-WebServicesVirtualDirectory`. (Citation: Volexity SolarWinds) |
| Enterprise | T1069 | Permission Groups Discovery | During the SolarWinds Compromise, APT29 used the `Get-ManagementRoleAssignment` PowerShell cmdlet to enumerate Exchange management role assignments through an Exchange Management Shell. (Citation: Volexity SolarWinds) |
| Enterprise | T1018 | Remote System Discovery | During the SolarWinds Compromise, APT29 used AdFind to enumerate remote systems. (Citation: Microsoft Deep Dive Solorigate January 2021) |
| Enterprise | T1021.006 | Windows Remote Management Sub-technique | During the SolarWinds Compromise, APT29 used WinRM via PowerShell to execute commands and payloads on remote hosts. (Citation: Symantec RAINDROP January 2021) |
| Enterprise | T1550.001 | Application Access Token Sub-technique | During the SolarWinds Compromise, APT29 used compromised service principals to make changes to the Office 365 environment. (Citation: CrowdStrike StellarParticle January 2022) |
| Enterprise | T1098.003 | Additional Cloud Roles Sub-technique | During the SolarWinds Compromise, APT29 granted `company administrator` privileges to a newly created service principal. (Citation: CrowdStrike StellarParticle January 2022) |
| Enterprise | T1553.002 | Code Signing Sub-technique | During the SolarWinds Compromise, APT29 was able to get SUNBURST signed by SolarWinds code signing certificates by injecting the malware into the SolarWinds Orion software lifecycle. (Citation: FireEye SUNBURST Backdoor December 2020) |
| Enterprise | T1218.011 | Rundll32 Sub-technique | During the SolarWinds Compromise, APT29 used `Rundll32.exe` to execute payloads. (Citations: Microsoft - Customer Guidance on Recent Nation-State Cyber Attacks; Microsoft Deep Dive Solorigate January 2021) |
| Enterprise | T1546.003 | Windows Management Instrumentation Event Subscription Sub-technique | During the SolarWinds Compromise, APT29 used a WMI event filter to invoke a command-line event consumer at system boot time to launch a backdoor with `rundll32.exe`. (Citations: Microsoft Deep Dive Solorigate January 2021; Microsoft 365 Defender Solorigate) |
| Enterprise | T1190 | Exploit Public-Facing Application | During the SolarWinds Compromise, APT29 exploited CVE-2020-0688 against the Microsoft Exchange Control Panel to regain access to a network. (Citations: Volexity SolarWinds; Cybersecurity Advisory SVR TTP May 2021) |
| Enterprise | T1213.003 | Code Repositories Sub-technique | During the SolarWinds Compromise, APT29 downloaded source code from code repositories. (Citation: Microsoft Internal Solorigate Investigation Blog) |
| Enterprise | T1686 | Disable or Modify System Firewall | During the SolarWinds Compromise, APT29 used `netsh` to configure firewall rules that limited certain UDP outbound packets. (Citation: Microsoft Deep Dive Solorigate January 2021) |
| Enterprise | T1059.001 | PowerShell Sub-technique | During the SolarWinds Compromise, APT29 used PowerShell to create new tasks on remote machines, identify configuration settings, exfiltrate data, and execute other commands. (Citations: Volexity SolarWinds; Microsoft Analyzing Solorigate Dec 2020; CrowdStrike StellarParticle January 2022) |
| Enterprise | T1070.004 | File Deletion Sub-technique | During the SolarWinds Compromise, APT29 routinely removed their tools, including custom backdoors, once remote access was achieved. (Citation: FireEye SUNBURST Backdoor December 2020) |
| Enterprise | T1539 | Steal Web Session Cookie | During the SolarWinds Compromise, APT29 stole Chrome browser cookies by copying the Chrome profile directories of targeted users. (Citation: CrowdStrike StellarParticle January 2022) |
| Enterprise | T1606.001 | Web Cookies Sub-technique | During the SolarWinds Compromise, APT29 bypassed MFA set on OWA accounts by generating a cookie value from a previously stolen secret key. (Citation: Volexity SolarWinds) |
| Enterprise | T1550.004 | Web Session Cookie Sub-technique | During the SolarWinds Compromise, APT29 used stolen cookies to access cloud resources and a forged `duo-sid` cookie to bypass MFA set on an email account. (Citations: Volexity SolarWinds; CrowdStrike StellarParticle January 2022) |
| Enterprise | T1074.002 | Remote Data Staging Sub-technique | During the SolarWinds Compromise, APT29 staged data and files in password-protected archives on a victim's OWA server. (Citation: Volexity SolarWinds) |
| Enterprise | T1098.005 | Device Registration Sub-technique | During the SolarWinds Compromise, APT29 registered devices in order to enable mailbox syncing via the `Set-CASMailbox` command. (Citation: Volexity SolarWinds) |
| Enterprise | T1133 | External Remote Services | For the SolarWinds Compromise, APT29 used compromised identities to access networks via SSH, VPNs, and other remote access tools. (Citations: MSTIC NOBELIUM Mar 2021; CrowdStrike StellarParticle January 2022) |
| Enterprise | T1199 | Trusted Relationship | During the SolarWinds Compromise, APT29 gained access through compromised accounts at cloud solution partners, and used compromised certificates issued by Mimecast to authenticate to Mimecast customer systems. (Citations: Cybersecurity Advisory SVR TTP May 2021; CrowdStrike StellarParticle January 2022) |
| Enterprise | T1059.003 | Windows Command Shell Sub-technique | During the SolarWinds Compromise, APT29 used `cmd.exe` to execute commands on remote machines. (Citations: Volexity SolarWinds; Microsoft Analyzing Solorigate Dec 2020) |
| Enterprise | T1070.006 | Timestomp Sub-technique | During the SolarWinds Compromise, APT29 modified timestamps of backdoors to match legitimate Windows files. (Citation: Microsoft Deep Dive Solorigate January 2021) |
| Enterprise | T1558.003 | Kerberoasting Sub-technique | During the SolarWinds Compromise, APT29 obtained Ticket Granting Service (TGS) tickets for Active Directory Service Principal Names to crack offline. (Citation: Microsoft Deep Dive Solorigate January 2021) |
| Enterprise | T1680 | Local Storage Discovery | During the SolarWinds Compromise, APT29 used `fsutil` to check available free space before executing actions that might create large files on disk. (Citation: Microsoft Deep Dive Solorigate January 2021) |
| Enterprise | T1685 | Disable or Modify Tools | During the SolarWinds Compromise, APT29 used the service control manager on a remote system to disable services associated with security monitoring products. (Citation: Microsoft Deep Dive Solorigate January 2021) |
| Enterprise | T1105 | Ingress Tool Transfer | During the SolarWinds Compromise, APT29 downloaded additional malware, such as TEARDROP and Cobalt Strike, onto a compromised host following initial access. (Citation: FireEye SUNBURST Backdoor December 2020) |
| Enterprise | T1078.003 | Local Accounts Sub-technique | During the SolarWinds Compromise, APT29 used compromised local accounts to access victims' networks. (Citation: CrowdStrike StellarParticle January 2022) |
| Enterprise | T1070 | Indicator Removal | During the SolarWinds Compromise, APT29 temporarily replaced legitimate utilities with their own, executed their payload, and then restored the original file. (Citation: FireEye SUNBURST Backdoor December 2020) |
| Enterprise | T1003.006 | DCSync Sub-technique | During the SolarWinds Compromise, APT29 used privileged accounts to replicate directory service data with domain controllers. (Citations: Microsoft 365 Defender Solorigate; Microsoft Deep Dive Solorigate January 2021; CrowdStrike StellarParticle January 2022) |
| Enterprise | T1036.004 | Masquerade Task or Service Sub-technique | During the SolarWinds Compromise, APT29 named tasks `\Microsoft\Windows\SoftwareProtectionPlatform\EventCacheManager` in order to appear legitimate. (Citation: Volexity SolarWinds) |
| Enterprise | T1098.001 | Additional Cloud Credentials Sub-technique | During the SolarWinds Compromise, APT29 added credentials to OAuth Applications and Service Principals. (Citations: Microsoft - Customer Guidance on Recent Nation-State Cyber Attacks; CrowdStrike StellarParticle January 2022) |
| Enterprise | T1482 | Domain Trust Discovery | During the SolarWinds Compromise, APT29 used the `Get-AcceptedDomain` PowerShell cmdlet to enumerate accepted domains through an Exchange Management Shell. (Citation: Volexity SolarWinds) They also used AdFind to enumerate domains and to discover trust between federated domains. (Citations: CrowdStrike StellarParticle January 2022; Microsoft Deep Dive Solorigate January 2021) |
| Enterprise | T1555 | Credentials from Password Stores | During the SolarWinds Compromise, APT29 used account credentials they obtained to attempt access to Group Managed Service Account (gMSA) passwords. (Citation: Microsoft Deep Dive Solorigate January 2021) |
| Enterprise | T1047 | Windows Management Instrumentation | During the SolarWinds Compromise, APT29 used WMI for the remote execution of files for lateral movement. (Citations: Microsoft 365 Defender Solorigate; Microsoft Deep Dive Solorigate January 2021) |
| Enterprise | T1195.002 | Compromise Software Supply Chain Sub-technique | During the SolarWinds Compromise, APT29 gained initial network access to some victims via a trojanized update of SolarWinds Orion software. (Citations: SolarWinds Sunburst Sunspot Update January 2021; FireEye SUNBURST Backdoor December 2020; Cybersecurity Advisory SVR TTP May 2021; Microsoft Deep Dive Solorigate January 2021) |
| Enterprise | T1070.008 | Clear Mailbox Data Sub-technique | During the SolarWinds Compromise, APT29 removed evidence of email export requests using `Remove-MailboxExportRequest`. (Citation: Volexity SolarWinds) |
| Enterprise | T1484.002 | Trust Modification Sub-technique | During the SolarWinds Compromise, APT29 changed domain federation trust settings using Azure AD administrative permissions to configure the domain to accept authorization tokens signed by their own SAML signing certificate. (Citations: Secureworks IRON RITUAL Profile; Microsoft 365 Defender Solorigate) |
| Enterprise | T1583.001 | Domains Sub-technique | For the SolarWinds Compromise, APT29 acquired C2 domains, sometimes through resellers. (Citations: MSTIC NOBELIUM Mar 2021; FireEye SUNSHUTTLE Mar 2021) |
| Enterprise | T1087 | Account Discovery | During the SolarWinds Compromise, APT29 obtained a list of users and their roles from an Exchange server using `Get-ManagementRoleAssignment`. (Citation: Volexity SolarWinds) |
| Enterprise | T1078 | Valid Accounts | During the SolarWinds Compromise, APT29 used different compromised credentials for remote access and to move laterally. (Citations: FireEye SUNBURST Backdoor December 2020; MSTIC NOBELIUM Mar 2021; Cybersecurity Advisory SVR TTP May 2021) |
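Several rows above (T1114.002, T1070.008, T1098.002, T1098.005 and T1074.002) describe Exchange cmdlets whose lifecycle leaves admin audit log entries. The following added Python example (not MITRE, Glexia or Microsoft code) correlates Search-AdminAuditLog-style records into those sequences; the record shape, callers, mailboxes and paths are constructed assumptions.

```python
"""Correlate Exchange admin audit log entries into the mailbox export and
ActiveSync device-allowlisting sequences described in the technique table.

Added example for this page, not MITRE, Glexia or Microsoft code. The record
shape (RunDate, Caller, CmdletName, CmdletParameters) mirrors what
Search-AdminAuditLog returns; the entries at the bottom are constructed."""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, Iterable, List


@dataclass
class AuditEntry:
    run_date: datetime
    caller: str
    cmdlet: str
    parameters: Dict[str, str]


@dataclass
class Finding:
    caller: str
    kind: str
    detail: str


# Directories served by IIS on an Exchange server; an export landing here is
# consistent with staging data on the OWA server (T1074.002 above).
WEB_SERVED_MARKERS = ("\\inetpub\\", "\\owa\\", "\\ecp\\")


def correlate(entries: Iterable[AuditEntry],
              cleanup_window: timedelta = timedelta(hours=24)) -> List[Finding]:
    """Walk entries in time order and emit findings for:
    - New-MailboxExportRequest writing to a web-served path;
    - Remove-MailboxExportRequest by the same caller within cleanup_window of a
      New-MailboxExportRequest (export followed by evidence removal);
    - Set-CASMailbox adding ActiveSyncAllowedDeviceIDs.
    Admin audit logging records state-changing cmdlets only; Get-* cmdlets such
    as Get-MailboxExportRequest are excluded by default, so the chain is
    reconstructed from the New and Remove entries alone."""
    findings: List[Finding] = []
    exports: Dict[str, List[AuditEntry]] = {}  # caller -> their export requests
    for e in sorted(entries, key=lambda x: x.run_date):
        if e.cmdlet == "New-MailboxExportRequest":
            exports.setdefault(e.caller, []).append(e)
            path = e.parameters.get("FilePath", "")
            if any(m in path.lower() for m in WEB_SERVED_MARKERS):
                findings.append(Finding(e.caller, "export-to-web-path",
                                        f"{e.parameters.get('Mailbox', '?')} -> {path}"))
        elif e.cmdlet == "Remove-MailboxExportRequest":
            for new in exports.get(e.caller, []):
                if timedelta(0) <= e.run_date - new.run_date <= cleanup_window:
                    findings.append(Finding(e.caller, "export-then-remove",
                                            f"{new.parameters.get('Mailbox', '?')} exported "
                                            f"{new.run_date:%Y-%m-%d %H:%M}, request removed "
                                            f"{e.run_date:%Y-%m-%d %H:%M}"))
        elif e.cmdlet == "Set-CASMailbox" and "ActiveSyncAllowedDeviceIDs" in e.parameters:
            findings.append(Finding(e.caller, "activesync-device-added",
                                    f"{e.parameters.get('Identity', '?')} device "
                                    f"{e.parameters['ActiveSyncAllowedDeviceIDs']}"))
    return findings


def _t(s: str) -> datetime:
    return datetime.strptime(s, "%Y-%m-%d %H:%M")


# Constructed sample entries (not real audit data).
SAMPLE_ENTRIES = [
    AuditEntry(_t("2020-12-01 08:00"), "CORP\\legaladmin", "New-MailboxExportRequest",
               {"Mailbox": "user1@corp.example", "FilePath": "\\\\FS01\\legalhold\\user1.pst"}),
    AuditEntry(_t("2020-12-01 09:00"), "CORP\\exadmin", "New-MailboxExportRequest",
               {"Mailbox": "ceo@corp.example",
                "FilePath": "\\\\EXCH01\\c$\\inetpub\\wwwroot\\aspnet_client\\ceo.pst"}),
    AuditEntry(_t("2020-12-01 09:40"), "CORP\\exadmin", "Remove-MailboxExportRequest",
               {"Identity": "ceo@corp.example\\MailboxExport"}),
    AuditEntry(_t("2020-12-01 10:00"), "CORP\\helpdesk", "Set-CASMailbox",
               {"Identity": "itadmin@corp.example", "ActiveSyncAllowedDeviceIDs": "DEVICE1234"}),
    AuditEntry(_t("2020-12-02 11:00"), "CORP\\exadmin", "Set-Mailbox",
               {"Identity": "ceo@corp.example", "ProhibitSendQuota": "50GB"}),
]

if __name__ == "__main__":
    for f in correlate(SAMPLE_ENTRIES):
        print(f"{f.kind:24} {f.caller}: {f.detail}")
```

Legitimate exports (the legal hold above) produce no finding; what is flagged is the combination of destination, cleanup and delegation changes that the table attributes to the campaign.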
Groups, software, and campaigns
G0016: APT29
APT29 is a threat group that has been attributed to Russia's Foreign Intelligence Service (SVR).[1][2] They have operated since at least 2008, often targeting government networks in Europe and NATO member countries, research institutes, and think tanks. APT29 reportedly compromised the Democratic National Committee starting in the summer of 2015.[3][4][5][6]
In April 2021, the US and UK governments attributed the SolarWinds Compromise to the SVR; public statements included citations to APT29, Cozy Bear, and The Dukes.[7][8] Industry reporting also referred to the actors involved in this campaign as UNC2452, NOBELIUM, StellarParticle, Dark Halo, and SolarStorm.[9][10][11][12][13][14]
S0588: GoldMax
GoldMax is a second-stage C2 backdoor written in Go with Windows and Linux variants that are nearly identical in functionality. GoldMax was discovered in early 2021 during the investigation into the SolarWinds Compromise, and has likely been used by APT29 since at least mid-2019. GoldMax uses multiple defense evasion techniques, including avoiding virtualization execution and masking malicious traffic.[1][2][3]
S0560: TEARDROP
TEARDROP is a memory-only dropper that was discovered on some victim machines during investigations related to the SolarWinds Compromise. It was likely used by APT29 since at least May 2020.[1][2]
S0589: Sibot
Sibot is dual-purpose malware written in VBScript designed to achieve persistence on a compromised system as well as download and execute additional payloads. Microsoft discovered three Sibot variants in early 2021 during its investigation of APT29 and the SolarWinds Compromise.[1]
S0597: GoldFinder
GoldFinder is a custom HTTP tracer tool written in Go that logs the route a packet takes between a compromised network and a C2 server. It can be used to inform threat actors of potential points of discovery or logging of their actions, including C2 related to other malware. GoldFinder was discovered in early 2021 during an investigation into the SolarWinds Compromise by APT29.[1]
S0002: Mimikatz
S0682: TrailBlazer
TrailBlazer is a modular malware that has been used by APT29 since at least 2019.[1]
S0562: SUNSPOT
S0552: AdFind
S0154: Cobalt Strike
Cobalt Strike is a commercial, full-featured, remote access tool that bills itself as “adversary simulation software designed to execute targeted attacks and emulate the post-exploitation actions of advanced threat actors”. Cobalt Strike’s interactive post-exploit capabilities cover the full range of ATT&CK tactics, all executed within a single, integrated system.[1]
In addition to its own capabilities, Cobalt Strike leverages the capabilities of other well-known tools such as Metasploit and Mimikatz.[1]
S0559: SUNBURST
S0565: Raindrop
Raindrop is a loader used by APT29 that was discovered on some victim machines during investigations related to the SolarWinds Compromise. It was discovered in January 2021 and was likely used since at least May 2020.[1][2]
All related ATT&CK context
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see the Updates page under ATT&CK resources.
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 1.1 | | Current bundle | 115ca3821a9a… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
[1] CrowdStrike StellarParticle January 2022: CrowdStrike. (2022, January 27). Early Bird Catches the Wormhole: Observations from the StellarParticle Campaign. Retrieved February 7, 2022.
[2] SolarWinds Advisory Dec 2020: SolarWinds. (2020, December 24). SolarWinds Security Advisory. Retrieved February 22, 2021.
[3] SolarWinds Sunburst Sunspot Update January 2021: Sudhakar Ramakrishna. (2021, January 11). New Findings From Our Investigation of SUNBURST. Retrieved January 13, 2021.
[4] FireEye SUNBURST Backdoor December 2020: FireEye. (2020, December 13). Highly Evasive Attacker Leverages SolarWinds Supply Chain to Compromise Multiple Global Victims With SUNBURST Backdoor. Retrieved January 4, 2021.
[5] Volexity SolarWinds: Cash, D. et al. (2020, December 14). Dark Halo Leverages SolarWinds Compromise to Breach Organizations. Retrieved December 29, 2020.
[6] Unit 42 SolarStorm December 2020: Unit 42. (2020, December 23). SolarStorm Supply Chain Attack Timeline. Retrieved March 24, 2023.
[7] Microsoft Analyzing Solorigate Dec 2020: MSTIC. (2020, December 18). Analyzing Solorigate, the compromised DLL file that started a sophisticated cyberattack, and how Microsoft Defender helps protect customers. Retrieved January 5, 2021.
[8] Microsoft Internal Solorigate Investigation Blog: MSRC Team. (2021, February 18). Microsoft Internal Solorigate Investigation – Final Update. Retrieved May 14, 2021.
[9] NSA Joint Advisory SVR SolarWinds April 2021: NSA, FBI, DHS. (2021, April 15). Russian SVR Targets U.S. and Allied Networks. Retrieved April 16, 2021.
[10] UK NSCS Russia SolarWinds April 2021: UK NCSC. (2021, April 15). UK and US call out Russia for SolarWinds compromise. Retrieved April 16, 2021.
[11] Mandiant UNC2452 APT29 April 2022: Mandiant. (2022, April 27). Assembling the Russian Nesting Doll: UNC2452 Merged into APT29. Retrieved March 26, 2023.
[12] USG Joint Statement SolarWinds January 2021: FBI, CISA, ODNI, NSA. (2022, January 5). Joint Statement by the Federal Bureau of Investigation (FBI), the Cybersecurity and Infrastructure Security Agency (CISA), the Office of the Director of National Intelligence (ODNI), and the National Security Agency (NSA). Retrieved March 26, 2023.
[13] MSTIC NOBELIUM May 2021: Microsoft Threat Intelligence Center (MSTIC). (2021, May 27). New sophisticated email-based attack from NOBELIUM. Retrieved May 28, 2021.
[14] mitre-attack C0024.
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.