Updates to the Story
The evolving massive intrusion upon public and private networks in the US that was perpetrated in 2020 from March to December new has a name - Sunburst. I think it's an apt name, given the vector by which it graced our presences. I am uncertain who picks the names for these things. I'd like to think the honor goes to the discoverer, dubious or not (looking at you, FireEye).
I've been following the story a little bit, and have seen quite a bit of expert technical analysis on the malware. The media is both underreporting what is going on, and getting it wrong on the Russia attribution. In fact, something to the effect of "this doesn't look like Russia's MO" may or may not have been in an article I read or on a slide that I saw. The truth of the matter is that given the sophistication the actor used in gaining access that the same care will likely have been taken to hide who is behind it. Perhaps they'd go as far as to implicate another entity as well.
Who was hit?
We'll start with the list of Government agencies.
- U.S. Department of the Treasury
- U.S. National Telecommunications and Information Administration (NTIA)
- U.S. Department of State
- The National Institutes of Health (NIH) (Part of the U.S. Department of Health)
- U.S. Department of Homeland Security (DHS)
- U.S. Department of Energy (DOE)
- U.S. National Nuclear Security Administration (NNSA)
- Some US states (Specific states are undisclosed)
If I hade to paint the US Government targets with a broad brush, I'd categorize them as economic, infrastructure, health, security and nuclear.
And here is the list of domains decoded.
| Decoded Internal Name | Organization (possibly inaccurate) | Response Address Family | Command | First Seen |
|---|---|---|---|---|
| mnh.rg-law.ac.il | College of Law and Business, Israel | NetBios | HTTP Backdoor | 2020-05-26 |
| ad001.mtk.lo | Mediatek | NetBios | HTTP Backdoor | 2020-08-26 |
| Aeria | NetBios | HTTP Backdoor | 2020-06-26 | |
| Ameri | NetBios | HTTP Backdoor | 2020-08-02 | |
| ank.com | Ankcom Communications | NetBios | HTTP Backdoor | 2020-06-06 |
| azlcyy | NetBios | HTTP Backdoor | 2020-08-07 | |
| banccentral.com | BancCentral Financial Services Corp. | NetBios | HTTP Backdoor | 2020-07-03 |
| barrie.ca | City of Barrie | NetBios | HTTP Backdoor | 2020-05-13 |
| BCC.l | NetBios | HTTP Backdoor | 2020-08-22 | |
| bhq.lan | NetBios | HTTP Backdoor | 2020-08-18 | |
| cds.capilanou. | Capilano University | NetBios | HTTP Backdoor | 2020-08-27 |
| Centr | NetBios | HTTP Backdoor | 2020-06-24 | |
| chc.dom | NetBios | HTTP Backdoor | 2020-08-04 | |
| christieclinic. | Christie Clinic Telehealth | NetBios | HTTP Backdoor | 2020-04-22 |
| CIMBM | NetBios | HTTP Backdoor | 2020-09-25 | |
| CIRCU | NetBios | HTTP Backdoor | 2020-05-30 | |
| CONSO | NetBios | HTTP Backdoor | 2020-06-17 | |
| corp.ptci.com | Pioneer Telephone Scholarship Recipients | NetBios | HTTP Backdoor | 2020-06-19 |
| corp.stingraydi | Stingray (Media and entertainment) | NetBios | HTTP Backdoor | 2020-06-10 |
| corp.stratusnet | Stratus Networks | NetBios | HTTP Backdoor | 2020-04-28 |
| cosgroves.local | Cosgroves (Building services consulting) | NetBios | HTTP Backdoor | 2020-08-25 |
| COTES | Cotes (Humidity Management) | NetBios | HTTP Backdoor | 2020-07-25 |
| csnt.princegeor | City of Prince George | NetBios | HTTP Backdoor | 2020-09-18 |
| cys.local | CYS Group (Marketing analytics) | NetBios | HTTP Backdoor | 2020-07-10 |
| digitalsense.co | Digital Sense (Cloud Services) | NetBios | HTTP Backdoor | 2020-06-24 |
| ehtuh- | NetBios | HTTP Backdoor | 2020-05-01 | |
| escap.org | NetBios | HTTP Backdoor | 2020-07-10 | |
| f.gnam | NetBios | HTTP Backdoor | 2020-04-04 | |
| fhc.local | NetBios | HTTP Backdoor | 2020-07-06 | |
| fidelitycomm.lo | Fidelity Communications (ISP) | NetBios | HTTP Backdoor | 2020-06-02 |
| fisherbartoninc.com | The Fisher Barton Group (Blade Manufacturer) | NetBios | HTTP Backdoor | 2020-05-15 |
| fmtn.ad | City of Farmington | NetBios | HTTP Backdoor | 2020-07-21 |
| FWO.I | NetBios | HTTP Backdoor | 2020-08-05 | |
| ggsg-us.cisco | Cisco GGSG | NetBios | HTTP Backdoor | 2020-06-24 |
| ghsmain1.ggh.g | NetBios | HTTP Backdoor | 2020-06-09 | |
| gxw | NetBios | HTTP Backdoor | 2020-07-07 | |
| htwanmgmt.local | NetBios | HTTP Backdoor | 2020-07-22 | |
| ieb.go.id | NetBios | HTTP Backdoor | 2020-06-12 | |
| int.ncahs.net | NetBios | HTTP Backdoor | 2020-09-23 | |
| internal.jtl.c | NetBios | HTTP Backdoor | 2020-05-19 | |
| ironform.com | Ironform (metal fabrication) | NetBios | HTTP Backdoor | 2020-06-19 |
| isi | NetBios | HTTP Backdoor | 2020-07-06 | |
| itps.uk.net | Infection Prevention Society (IPS) | NetBios | HTTP Backdoor | 2020-08-11 |
| jxxyx. | NetBios | HTTP Backdoor | 2020-06-26 | |
| kcpl.com | Kansas City Power and Light Company | NetBios | HTTP Backdoor | 2020-07-07 |
| keyano.local | Keyano College | NetBios | HTTP Backdoor | 2020-06-03 |
| khi0kl | NetBios | HTTP Backdoor | 2020-08-26 | |
| lhc_2f | NetBios | HTTP Backdoor | 2020-04-18 | |
| lufkintexas.net | Lufkin (City in Texas) | NetBios | HTTP Backdoor | 2020-07-07 |
| magnoliaisd.loc | Magnolia Independent School District | NetBios | HTTP Backdoor | 2020-06-01 |
| MOC.l | NetBios | HTTP Backdoor | 2020-04-30 | |
| moncton.loc | City of Moncton | NetBios | HTTP Backdoor | 2020-08-25 |
| mountsinai.hosp | Mount Sinai Hospital | NetBios | HTTP Backdoor | 2020-07-02 |
| netdecisions.lo | Netdecisions (IT services) | NetBios | HTTP Backdoor | 2020-10-04 |
| newdirections.k | NetBios | HTTP Backdoor | 2020-04-21 | |
| nswhealth.net | NSW Health | NetBios | HTTP Backdoor | 2020-06-12 |
| nzi_9p | NetBios | HTTP Backdoor | 2020-08-04 | |
| city.kingston.on.ca | City of Kingston, Ontario, Canada | NetBios | HTTP Backdoor | 2020-06-15 |
| dufferincounty.on.ca | Dufferin County, Ontario, Canada | NetBios | HTTP Backdoor | 2020-07-17 |
| osb.local | NetBios | HTTP Backdoor | 2020-04-28 | |
| oslerhc.org | William Osler Health System | NetBios | HTTP Backdoor | 2020-07-11 |
| pageaz.gov | City of Page | NetBios | HTTP Backdoor | 2020-04-19 |
| pcsco.com | Professional Computer Systems | NetBios | HTTP Backdoor | 2020-07-23 |
| pkgix_ | NetBios | HTTP Backdoor | 2020-07-15 | |
| pqcorp.com | PQ Corporation | NetBios | HTTP Backdoor | 2020-07-02 |
| prod.hamilton. | Hamilton Company | NetBios | HTTP Backdoor | 2020-08-19 |
| resprod.com | Res Group (Renewable energy company) | NetBios | HTTP Backdoor | 2020-05-06 |
| RPM.l | NetBios | HTTP Backdoor | 2020-05-28 | |
| sdch.local | South Davis Community Hospital | NetBios | HTTP Backdoor | 2020-05-18 |
| servitia.intern | NetBios | HTTP Backdoor | 2020-06-16 | |
| sfsi.stearnsban | Stearns Bank | NetBios | HTTP Backdoor | 2020-08-02 |
| signaturebank.l | Signature Bank | NetBios | HTTP Backdoor | 2020-06-25 |
| sm-group.local | SM Group (Distribution) | NetBios | HTTP Backdoor | 2020-07-07 |
| te.nz | TE Connectivity (Sensor manufacturer) | NetBios | HTTP Backdoor | 2020-05-13 |
| thx8xb | NetBios | HTTP Backdoor | 2020-06-16 | |
| tx.org | NetBios | HTTP Backdoor | 2020-07-15 | |
| usd373.org | Newton Public Schools | NetBios | HTTP Backdoor | 2020-08-01 |
| uzq | NetBios | HTTP Backdoor | 2020-10-02 | |
| ville.terrebonn | Ville de Terrebonne | NetBios | HTTP Backdoor | 2020-08-02 |
| wrbaustralia.ad | W. R. Berkley Insurance Australia | NetBios | HTTP Backdoor | 2020-07-11 |
| ykz | NetBios | HTTP Backdoor | 2020-07-11 | |
| 2iqzth | ImpLink | Enum processes | 2020-06-17 | |
| 3if.2l | 3IF (Industrial Internet) | ImpLink | Enum processes | 2020-08-20 |
| airquality.org | Sacramento Metropolitan Air Quality Management District | ImpLink | Enum processes | 2020-08-09 |
| ansc.gob.pe | GOB (Digital Platform of the Peruvian State) | ImpLink | Enum processes | 2020-07-25 |
| bcofsa.com.ar | Banco de Formosa | ImpLink | Enum processes | 2020-07-13 |
| bi.corp | ImpLink | Enum processes | 2020-12-14 | |
| bop.com.pk | The Bank of Punjab | ImpLink | Enum processes | 2020-09-18 |
| camcity.local | ImpLink | Enum processes | 2020-08-07 | |
| cow.local | ImpLink | Enum processes | 2020-06-13 | |
| deniz.denizbank | DenizBank | ImpLink | Enum processes | 2020-11-14 |
| ies.com | IES Communications (Communications technology) | ImpLink | Enum processes | 2020-06-11 |
| insead.org | INSEAD Business School | ImpLink | Enum processes | 2020-11-07 |
| KS.LO | ImpLink | Enum processes | 2020-07-10 | |
| mixonhill.com | Mixon Hill (intelligent transportation systems) | ImpLink | Enum processes | 2020-04-29 |
| ni.corp.natins | ImpLink | Enum processes | 2020-10-24 | |
| phabahamas.org | Public Hospitals Authority, Caribbean | ImpLink | Enum processes | 2020-11-05 |
| rbe.sk.ca | Regina Public Schools | ImpLink | Enum processes | 2020-08-20 |
| spsd.sk.ca | Saskatoon Public Schools | ImpLink | Enum processes | 2020-06-12 |
| yorkton.cofy | Community Options for Families & Youth | ImpLink | Enum processes | 2020-05-08 |
| .sutmf | Ipx | Update config | 2020-06-25 | |
| atg.local | No Match | Unknown | 2020-05-11 | |
| bisco.int | Bisco International (Adhesives and tapes) | No Match | Unknown | 2020-04-30 |
| ccscurriculum.c | No Match | Unknown | 2020-04-18 | |
| e-idsolutions. | IDSolutions (video conferencing) | No Match | Unknown | 2020-07-16 |
| ETC1. | No Match | Unknown | 2020-08-01 | |
| gk5 | No Match | Unknown | 2020-07-09 | |
| grupobazar.loca | No Match | Unknown | 2020-06-07 | |
| internal.hws.o | No Match | Unknown | 2020-05-23 | |
| n2k | No Match | Unknown | 2020-07-12 | |
| publiser.it | No Match | Unknown | 2020-07-05 | |
| us.deloitte.co | Deloitte | No Match | Unknown | 2020-07-08 |
| ush.com | No Match | Unknown | 2020-06-15 | |
| xijtt- | No Match | Unknown | 2020-07-21 | |
| xnet.kz | X NET (IT provider in Kazakhstan) | No Match | Unknown | 2020-06-09 |
| zu0 | No Match | Unknown | 2020-08-13 | |
| staff.technion.ac.il | N/A | N/A | N/A | |
| digitalreachinc.com | N/A | N/A | N/A | |
| orient-express.com | N/A | N/A | N/A | |
| tr.technion.ac.il | N/A | N/A | N/A | |
| lasers.state.la.us | N/A | N/A | N/A | |
| ABLE. | N/A | N/A | N/A | |
| abmuh_ | N/A | N/A | N/A | |
| acmedctr.ad | N/A | N/A | N/A | |
| ad.azarthritis.com | N/A | N/A | N/A | |
| ad.library.ucla.edu | N/A | N/A | N/A | |
| ad.optimizely. | N/A | N/A | N/A | |
| admin.callidusc | N/A | N/A | N/A | |
| aerioncorp.com | N/A | N/A | N/A | |
| agloan.ads | N/A | N/A | N/A | |
| ah.org | N/A | N/A | N/A | |
| AHCCC | N/A | N/A | N/A | |
| allegronet.co. | N/A | N/A | N/A | |
| alm.brand.dk | N/A | N/A | N/A | |
| amalfi.local | N/A | N/A | N/A | |
| americas.phoeni | N/A | N/A | N/A | |
| amr.corp.intel | N/A | N/A | N/A | |
| apu.mn | N/A | N/A | N/A | |
| ARYZT | N/A | N/A | N/A | |
| b9f9hq | N/A | N/A | N/A | |
| BE.AJ | N/A | N/A | N/A | |
| belkin.com | N/A | N/A | N/A | |
| bk.local | N/A | N/A | N/A | |
| bmrn.com | N/A | N/A | N/A | |
| bok.com | N/A | N/A | N/A | |
| btb.az | N/A | N/A | N/A | |
| c4e-internal.c | N/A | N/A | N/A | |
| calsb.org | N/A | N/A | N/A | |
| casino.prv | N/A | N/A | N/A | |
| cda.corp | N/A | N/A | N/A | |
| central.pima.g | N/A | N/A | N/A | |
| cfsi.local | N/A | N/A | N/A | |
| ch.local | N/A | N/A | N/A | |
| ci.dublin.ca. | N/A | N/A | N/A | |
| cisco.com | N/A | N/A | N/A | |
| corp.dvd.com | N/A | N/A | N/A | |
| corp.sana.com | N/A | N/A | N/A | |
| Count | N/A | N/A | N/A | |
| COWI. | N/A | N/A | N/A | |
| coxnet.cox.com | N/A | N/A | N/A | |
| CRIHB | N/A | N/A | N/A | |
| cs.haystax.loc | N/A | N/A | N/A | |
| csa.local | N/A | N/A | N/A | |
| csci-va.com | N/A | N/A | N/A | |
| csqsxh | N/A | N/A | N/A | |
| DCCAT | N/A | N/A | N/A | |
| deltads.ent | N/A | N/A | N/A | |
| detmir-group.r | N/A | N/A | N/A | |
| dhhs- | N/A | N/A | N/A | |
| dmv.state.nv. | N/A | N/A | N/A | |
| dotcomm.org | N/A | N/A | N/A | |
| DPCIT | N/A | N/A | N/A | |
| dskb2x | N/A | N/A | N/A | |
| e9.2pz | N/A | N/A | N/A | |
| ebe.co.roanoke.va.us | N/A | N/A | N/A | |
| ecobank.group | N/A | N/A | N/A | |
| ecocorp.local | N/A | N/A | N/A | |
| epl.com | N/A | N/A | N/A | |
| fremont.lamrc. | N/A | N/A | N/A | |
| FSAR. | N/A | N/A | N/A | |
| ftfcu.corp | N/A | N/A | N/A | |
| gksm.local | N/A | N/A | N/A | |
| gloucesterva.ne | N/A | N/A | N/A | |
| glu.com | N/A | N/A | N/A | |
| gnb.local | N/A | N/A | N/A | |
| gncu.local | N/A | N/A | N/A | |
| gsf.cc | N/A | N/A | N/A | |
| gyldendal.local | N/A | N/A | N/A | |
| helixwater.org | N/A | N/A | N/A | |
| hgvc.com | N/A | N/A | N/A | |
| ia.com | N/A | N/A | N/A | |
| inf.dc.net | N/A | N/A | N/A | |
| ingo.kg | N/A | N/A | N/A | |
| innout.corp | N/A | N/A | N/A | |
| int.lukoil-international.uz | N/A | N/A | N/A | |
| intensive.int | N/A | N/A | N/A | |
| ions.com | N/A | N/A | N/A | |
| its.iastate.ed | N/A | N/A | N/A | |
| jarvis.lab | N/A | N/A | N/A | |
| -jlowd | N/A | N/A | N/A | |
| jn05n8 | N/A | N/A | N/A | |
| jxb3eh | N/A | N/A | N/A | |
| k.com | N/A | N/A | N/A | |
| LABEL | N/A | N/A | N/A | |
| milledgeville.l | N/A | N/A | N/A | |
| nacr.com | N/A | N/A | N/A | |
| ncpa.loc | N/A | N/A | N/A | |
| neophotonics.co | N/A | N/A | N/A | |
| net.vestfor.dk | N/A | N/A | N/A | |
| nih.if | N/A | N/A | N/A | |
| nvidia.com | N/A | N/A | N/A | |
| on-pot | N/A | N/A | N/A | |
| ou0yoy | N/A | N/A | N/A | |
| paloverde.local | N/A | N/A | N/A | |
| pl8uw0 | N/A | N/A | N/A | |
| q9owtt | N/A | N/A | N/A | |
| rai.com | N/A | N/A | N/A | |
| rccf.ru | N/A | N/A | N/A | |
| repsrv.com | N/A | N/A | N/A | |
| ripta.com | N/A | N/A | N/A | |
| roymerlin.com | N/A | N/A | N/A | |
| rs.local | N/A | N/A | N/A | |
| rst.atlantis-pak.ru | N/A | N/A | N/A | |
| sbywx3 | N/A | N/A | N/A | |
| sc.pima.gov | N/A | N/A | N/A | |
| scif.com | N/A | N/A | N/A | |
| SCMRI | N/A | N/A | N/A | |
| scroot.com | N/A | N/A | N/A | |
| seattle.interna | N/A | N/A | N/A | |
| securview.local | N/A | N/A | N/A | |
| SFBAL | N/A | N/A | N/A | |
| SF-Li | N/A | N/A | N/A | |
| siskiyous.edu | N/A | N/A | N/A | |
| sjhsagov.org | N/A | N/A | N/A | |
| Smart | N/A | N/A | N/A | |
| smes.org | N/A | N/A | N/A | |
| sos-ad.state.nv.us | N/A | N/A | N/A | |
| sro.vestfor.dk | N/A | N/A | N/A | |
| superior.local | N/A | N/A | N/A | |
| swd.local | N/A | N/A | N/A | |
| ta.org | N/A | N/A | N/A | |
| taylorfarms.com | N/A | N/A | N/A | |
| thajxq | N/A | N/A | N/A | |
| thoughtspot.int | N/A | N/A | N/A | |
| tsyahr | N/A | N/A | N/A | |
| tv2.local | N/A | N/A | N/A | |
| uis.kent.edu | N/A | N/A | N/A | |
| uncity.dk | N/A | N/A | N/A | |
| uont.com | N/A | N/A | N/A | |
| viam-invenient | N/A | N/A | N/A | |
| vms.ad.varian.com | N/A | N/A | N/A | |
| vsp.com | N/A | N/A | N/A | |
| WASHO | N/A | N/A | N/A | |
| weioffice.com | N/A | N/A | N/A | |
| wfhf1.hewlett. | N/A | N/A | N/A | |
| woodruff-sawyer | N/A | N/A | N/A | |
| HQ.RE-wwgi2xnl | N/A | N/A | N/A | |
| xdxinc.net | N/A | N/A | N/A | |
| y9k.in | N/A | N/A | N/A | |
| zeb.i8 | N/A | N/A | N/A | |
| zippertubing.co | N/A | N/A | N/A |
This is still a developing story.
No comments:
Post a Comment