Multiple security researchers and research teams have published over the weekend lists ranging from 100 to 280 organizations that installed a trojanized version of the SolarWinds Orion platform and had their internal systems infected with the Sunburst malware.

The list includes the names of tech companies, local governments, universities, hospitals, banks, and telecom providers.

The biggest names on this list include the likes of Cisco, SAP, Intel, Cox Communications, Deloitte, Nvidia, Fujitsu, Belkin, Amerisafe, Lukoil, Rakuten, Check Point, Optimizely, Digital Reach, and Digital Sense.

MediaTek, one of the world’s largest semiconductor companies, is also believed to have been impacted, although security researchers aren’t 100% sure of its inclusion on their lists just yet.

Cracking the Sunburst subdomain mysteries

Security researchers compiled these lists by reverse-engineering the Sunburst (aka Solorigate) malware.

For ZDNet readers learning of the Sunburst malware for the first time, this malware was injected inside updates for the SolarWinds Orion app released between March and June 2020.

The boobytrapped updates planted the Sunburst malware deep inside the internal networks of many companies and government organizations that relied on the Orion app to monitor and keep inventories of internal IT systems.

According to deep-dive reports published last week by Microsoft, FireEye, McAfee, Symantec, Kaspersky, and the US Cybersecurity and Infrastructure Security Agency (CISA), on infected systems the malware would gather information about the victim company’s network, wait 12 to 14 days, and then send the data to a remote command and control (C&C) server.

The hackers — believed to be a Russian state-sponsored group — would then analyze the data they received and escalate attacks only on networks that were of interest to their intelligence-gathering goals.

[Image: Solorigate attack chain. Source: Microsoft]

Last week, SolarWinds admitted to the hack and said that based on internal telemetry, almost 18,000 of its 300,000 customers downloaded versions of the Orion platform that contained the Sunburst malware.

Initially, it was thought that only SolarWinds could identify and notify all the impacted organizations. However, as security researchers kept analyzing Sunburst’s inner workings, they also discovered some quirks in the malware’s operations, namely in how it pinged its C&C server.

According to research published last week, Sunburst would send the data it collected from an infected network to a C&C server URL that was unique per victim.

This unique URL was a subdomain for avsvmcloud[.]com and contained four parts, where the first part was a random-looking string. However, security researchers said that this string wasn’t actually unique but contained the encoded name of the victim’s local network domain.

[Image: Solorigate C&C subdomain structure. Source: Microsoft]

Since last week, several security firms and independent researchers have been sifting through historical web traffic and passive DNS data to collect information on traffic going to the avsvmcloud[.]com domain, crack the subdomains and then track down companies that installed a trojanized SolarWinds Orion app — and had the Sunburst malware beaconing from inside their networks back to the attackers’ server (now sinkholed thanks to Microsoft and FireEye).

A growing list of first-stage and second-stage victims

Cybersecurity firms TrueSec and Prevasio, security researcher Dewan Chowdhury, and Chinese security firm QiAnXin are among the several who have now published lists of Sunburst-infected organizations or tools to decode the avsvmcloud[.]com subdomains.

Companies like Cisco and Intel have formally confirmed they got infected in interviews with reporters over the weekend. Both companies have said they found no evidence that the hackers escalated access to deliver second-stage payloads on their systems.

VMware and Microsoft, whose names were not on these public lists, also confirmed they installed trojanized Orion updates on their internal networks, but both specified that they did not find any evidence of escalation by the attackers.

However, the hackers did escalate their attacks on the networks of some of their targets. In an interview on Friday, FireEye CEO Kevin Mandia, whose company discovered the SolarWinds hack when investigating a breach of its internal systems, said that hackers, despite infecting almost 18,000 networks, only escalated access to around 50 targets, based on FireEye’s visibility.

In a separate report published on Friday, Microsoft also said it identified 40 of its customers that had installed infected Orion apps and where attackers escalated access.

“Escalation” usually happened when the avsvmcloud[.]com C&C server replied to an infected company with a specific DNS response containing a special CNAME record.

This special DNS CNAME field contained the location of a second C&C server from where the Sunburst malware would get additional commands and sometimes download other malware.
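The two indicators described above (any query under avsvmcloud[.]com marks a first-stage beacon; a CNAME in the answer marks escalation to a second-stage server) are exactly what a responder wants to pull out of passive DNS data. The following triage script is an added example, not code from the article or from any of the research teams it cites. The log format, the client addresses, the encoded subdomain labels, the RFC 5737 answer addresses and the `second-stage-c2.invalid` placeholder are all constructed for this example; it does not decode the victim's domain name from the first label, since the encoding is not described on this page.

```python
"""Triage passive-DNS records for Sunburst beaconing and escalation.

Added example (not from the article). Indicators applied:
  1. a query for avsvmcloud.com or any name under it => the querying
     network ran a trojanized Orion build that beaconed (first stage);
  2. a CNAME in the answer to such a query => the C&C handed the implant
     a second-stage server, so that host needs a full IR scope.
Record layout (constructed): "<ts> <client> <qname> <rtype> <rdata>".
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional

C2_DOMAIN = "avsvmcloud.com"


@dataclass
class DnsRecord:
    ts: str        # observation timestamp
    client: str    # source network that issued the query
    qname: str     # queried name
    rtype: str     # record type in the answer (A, CNAME, ...)
    rdata: str     # answer data


@dataclass
class Verdict:
    client: str
    encoded_label: str                 # leftmost label: encoded victim identifier
    first_seen: str
    escalated: bool = False            # set once a CNAME answer is seen
    cname_targets: List[str] = field(default_factory=list)


def is_c2_query(qname: str) -> bool:
    """True for the C&C apex or any subdomain; suffix check defeats look-alikes."""
    q = qname.lower().rstrip(".")
    return q == C2_DOMAIN or q.endswith("." + C2_DOMAIN)


def encoded_label(qname: str) -> str:
    """Return the first (victim-encoding) label, or '' for the bare apex."""
    q = qname.lower().rstrip(".")
    sub = q[: -len(C2_DOMAIN)].rstrip(".")
    return sub.split(".")[0] if sub else ""


def parse_line(line: str) -> Optional[DnsRecord]:
    parts = line.split()
    return DnsRecord(*parts) if len(parts) == 5 else None


def triage(lines: List[str]) -> Dict[str, Verdict]:
    """Group C&C queries by client; escalate a client on any CNAME answer."""
    verdicts: Dict[str, Verdict] = {}
    for line in lines:
        rec = parse_line(line)
        if rec is None or not is_c2_query(rec.qname):
            continue
        v = verdicts.setdefault(
            rec.client, Verdict(rec.client, encoded_label(rec.qname), rec.ts))
        if rec.rtype.upper() == "CNAME":
            v.escalated = True
            v.cname_targets.append(rec.rdata.rstrip("."))
    return verdicts


def summarize(verdicts: Dict[str, Verdict]) -> List[str]:
    """One line per affected client, escalated hosts first."""
    rows = sorted(verdicts.values(), key=lambda v: (not v.escalated, v.client))
    return [
        f"{v.client}: {'ESCALATED' if v.escalated else 'first-stage only'} "
        f"(label={v.encoded_label}, first_seen={v.first_seen}"
        + (f", second_stage={','.join(v.cname_targets)}" if v.escalated else "")
        + ")"
        for v in rows
    ]


# Constructed sample records: labels, clients and answers are made up.
SAMPLE_LOG = [
    "2020-06-24T03:11:52Z 10.1.2.3 k3pq9x7mzt0vlsgwbn.appsync-api.eu-west-1.avsvmcloud.com. A 198.51.100.10",
    "2020-06-24T03:12:10Z 10.1.2.3 www.example.com. A 198.51.100.20",
    "2020-06-25T19:40:07Z 10.9.8.7 d8r2hpqz4mwc1nyt6k.appsync-api.us-east-2.avsvmcloud.com. A 198.51.100.10",
    "2020-06-27T02:05:33Z 10.9.8.7 d8r2hpqz4mwc1nyt6k.appsync-api.us-east-2.avsvmcloud.com. CNAME second-stage-c2.invalid.",
    "2020-06-27T02:06:01Z 10.5.5.5 avsvmcloud.com.lookalike.example. A 198.51.100.30",
]

if __name__ == "__main__":
    for row in summarize(triage(SAMPLE_LOG)):
        print(row)
```

Running it reports 10.9.8.7 as escalated with its second-stage target and 10.1.2.3 as first-stage only; the look-alike name under `lookalike.example` is ignored because the check is on the full domain suffix rather than a substring. On real passive DNS exports the only change needed is `parse_line`.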

Currently, the only publicly known company where hackers escalated access is FireEye, whose breach response helped uncover the entire SolarWinds hack.

Distinguishing between the two (a simple Sunburst infection and escalation) is crucial for incident responders. In the first case, they might only need to remove the Sunburst malware, while in the second, they might need to review logs to identify which internal systems the hackers escalated access to and what data was stolen from their networks.

Several security researchers have told ZDNet today that a large part of the cybersecurity community is now working with content delivery networks, internet service providers, and other internet companies to collect passive DNS data and hunt down traffic to and from the avsvmcloud[.]com domain in order to identify other victims where attackers escalated access.

Below is a table compiled by security firm Truesec with the decoded internal domain names of some of the SolarWinds victims.

| Decoded Internal Name | Possible Organization (may be inaccurate)* | Response Address Family | Command | First Seen |
|---|---|---|---|---|
| mnh.rg-law.ac.il | College of Law and Business, Israel | NetBios | HTTP Backdoor | 2020-05-26 |
| ad001.mtk.lo | Mediatek | NetBios | HTTP Backdoor | 2020-08-26 |
| Aeria | | NetBios | HTTP Backdoor | 2020-06-26 |
| Ameri | | NetBios | HTTP Backdoor | 2020-08-02 |
| ank.com | Ankcom Communications | NetBios | HTTP Backdoor | 2020-06-06 |
| azlcyy | | NetBios | HTTP Backdoor | 2020-08-07 |
| banccentral.com | BancCentral Financial Services Corp. | NetBios | HTTP Backdoor | 2020-07-03 |
| barrie.ca | City of Barrie | NetBios | HTTP Backdoor | 2020-05-13 |
| BCC.l | | NetBios | HTTP Backdoor | 2020-08-22 |
| bhq.lan | | NetBios | HTTP Backdoor | 2020-08-18 |
| cds.capilanou. | Capilano University | NetBios | HTTP Backdoor | 2020-08-27 |
| Centr | | NetBios | HTTP Backdoor | 2020-06-24 |
| chc.dom | | NetBios | HTTP Backdoor | 2020-08-04 |
| christieclinic. | Christie Clinic Telehealth | NetBios | HTTP Backdoor | 2020-04-22 |
| CIMBM | | NetBios | HTTP Backdoor | 2020-09-25 |
| CIRCU | | NetBios | HTTP Backdoor | 2020-05-30 |
| CONSO | | NetBios | HTTP Backdoor | 2020-06-17 |
| corp.ptci.com | Pioneer Telephone Scholarship Recipients | NetBios | HTTP Backdoor | 2020-06-19 |
| corp.stingraydi | Stingray (Media and entertainment) | NetBios | HTTP Backdoor | 2020-06-10 |
| corp.stratusnet | Stratus Networks | NetBios | HTTP Backdoor | 2020-04-28 |
| cosgroves.local | Cosgroves (Building services consulting) | NetBios | HTTP Backdoor | 2020-08-25 |
| COTES | Cotes (Humidity Management) | NetBios | HTTP Backdoor | 2020-07-25 |
| csnt.princegeor | City of Prince George | NetBios | HTTP Backdoor | 2020-09-18 |
| cys.local | CYS Group (Marketing analytics) | NetBios | HTTP Backdoor | 2020-07-10 |
| digitalsense.co | Digital Sense (Cloud Services) | NetBios | HTTP Backdoor | 2020-06-24 |
| ehtuh- | | NetBios | HTTP Backdoor | 2020-05-01 |
| escap.org | | NetBios | HTTP Backdoor | 2020-07-10 |
| f.gnam | | NetBios | HTTP Backdoor | 2020-04-04 |
| fhc.local | | NetBios | HTTP Backdoor | 2020-07-06 |
| fidelitycomm.lo | Fidelity Communications (ISP) | NetBios | HTTP Backdoor | 2020-06-02 |
| fisherbartoninc.com | The Fisher Barton Group (Blade Manufacturer) | NetBios | HTTP Backdoor | 2020-05-15 |
| fmtn.ad | City of Farmington | NetBios | HTTP Backdoor | 2020-07-21 |
| FWO.I | | NetBios | HTTP Backdoor | 2020-08-05 |
| ggsg-us.cisco | Cisco GGSG | NetBios | HTTP Backdoor | 2020-06-24 |
| ghsmain1.ggh.g | | NetBios | HTTP Backdoor | 2020-06-09 |
| gxw | | NetBios | HTTP Backdoor | 2020-07-07 |
| htwanmgmt.local | | NetBios | HTTP Backdoor | 2020-07-22 |
| ieb.go.id | | NetBios | HTTP Backdoor | 2020-06-12 |
| int.ncahs.net | | NetBios | HTTP Backdoor | 2020-09-23 |
| internal.jtl.c | | NetBios | HTTP Backdoor | 2020-05-19 |
| ironform.com | Ironform (metal fabrication) | NetBios | HTTP Backdoor | 2020-06-19 |
| isi | | NetBios | HTTP Backdoor | 2020-07-06 |
| itps.uk.net | Infection Prevention Society (IPS) | NetBios | HTTP Backdoor | 2020-08-11 |
| jxxyx. | | NetBios | HTTP Backdoor | 2020-06-26 |
| kcpl.com | Kansas City Power and Light Company | NetBios | HTTP Backdoor | 2020-07-07 |
| keyano.local | Keyano College | NetBios | HTTP Backdoor | 2020-06-03 |
| khi0kl | | NetBios | HTTP Backdoor | 2020-08-26 |
| lhc_2f | | NetBios | HTTP Backdoor | 2020-04-18 |
| lufkintexas.net | Lufkin (City in Texas) | NetBios | HTTP Backdoor | 2020-07-07 |
| magnoliaisd.loc | Magnolia Independent School District | NetBios | HTTP Backdoor | 2020-06-01 |
| MOC.l | | NetBios | HTTP Backdoor | 2020-04-30 |
| moncton.loc | City of Moncton | NetBios | HTTP Backdoor | 2020-08-25 |
| mountsinai.hosp | Mount Sinai Hospital | NetBios | HTTP Backdoor | 2020-07-02 |
| netdecisions.lo | Netdecisions (IT services) | NetBios | HTTP Backdoor | 2020-10-04 |
| newdirections.k | | NetBios | HTTP Backdoor | 2020-04-21 |
| nswhealth.net | NSW Health | NetBios | HTTP Backdoor | 2020-06-12 |
| nzi_9p | | NetBios | HTTP Backdoor | 2020-08-04 |
| city.kingston.on.ca | City of Kingston, Ontario, Canada | NetBios | HTTP Backdoor | 2020-06-15 |
| dufferincounty.on.ca | Dufferin County, Ontario, Canada | NetBios | HTTP Backdoor | 2020-07-17 |
| osb.local | | NetBios | HTTP Backdoor | 2020-04-28 |
| oslerhc.org | William Osler Health System | NetBios | HTTP Backdoor | 2020-07-11 |
| pageaz.gov | City of Page | NetBios | HTTP Backdoor | 2020-04-19 |
| pcsco.com | Professional Computer Systems | NetBios | HTTP Backdoor | 2020-07-23 |
| pkgix_ | | NetBios | HTTP Backdoor | 2020-07-15 |
| pqcorp.com | PQ Corporation | NetBios | HTTP Backdoor | 2020-07-02 |
| prod.hamilton. | Hamilton Company | NetBios | HTTP Backdoor | 2020-08-19 |
| resprod.com | Res Group (Renewable energy company) | NetBios | HTTP Backdoor | 2020-05-06 |
| RPM.l | | NetBios | HTTP Backdoor | 2020-05-28 |
| sdch.local | South Davis Community Hospital | NetBios | HTTP Backdoor | 2020-05-18 |
| servitia.intern | | NetBios | HTTP Backdoor | 2020-06-16 |
| sfsi.stearnsban | Stearns Bank | NetBios | HTTP Backdoor | 2020-08-02 |
| signaturebank.l | Signature Bank | NetBios | HTTP Backdoor | 2020-06-25 |
| sm-group.local | SM Group (Distribution) | NetBios | HTTP Backdoor | 2020-07-07 |
| te.nz | TE Connectivity (Sensor manufacturer) | NetBios | HTTP Backdoor | 2020-05-13 |
| thx8xb | | NetBios | HTTP Backdoor | 2020-06-16 |
| tx.org | | NetBios | HTTP Backdoor | 2020-07-15 |
| usd373.org | Newton Public Schools | NetBios | HTTP Backdoor | 2020-08-01 |
| uzq | | NetBios | HTTP Backdoor | 2020-10-02 |
| ville.terrebonn | Ville de Terrebonne | NetBios | HTTP Backdoor | 2020-08-02 |
| wrbaustralia.ad | W. R. Berkley Insurance Australia | NetBios | HTTP Backdoor | 2020-07-11 |
| ykz | | NetBios | HTTP Backdoor | 2020-07-11 |
| 2iqzth | | ImpLink | Enum processes | 2020-06-17 |
| 3if.2l | 3IF (Industrial Internet) | ImpLink | Enum processes | 2020-08-20 |
| airquality.org | Sacramento Metropolitan Air Quality Management District | ImpLink | Enum processes | 2020-08-09 |
| ansc.gob.pe | GOB (Digital Platform of the Peruvian State) | ImpLink | Enum processes | 2020-07-25 |
| bcofsa.com.ar | Banco de Formosa | ImpLink | Enum processes | 2020-07-13 |
| bi.corp | | ImpLink | Enum processes | 2020-12-14 |
| bop.com.pk | The Bank of Punjab | ImpLink | Enum processes | 2020-09-18 |
| camcity.local | | ImpLink | Enum processes | 2020-08-07 |
| cow.local | | ImpLink | Enum processes | 2020-06-13 |
| deniz.denizbank | DenizBank | ImpLink | Enum processes | 2020-11-14 |
| ies.com | IES Communications (Communications technology) | ImpLink | Enum processes | 2020-06-11 |
| insead.org | INSEAD Business School | ImpLink | Enum processes | 2020-11-07 |
| KS.LO | | ImpLink | Enum processes | 2020-07-10 |
| mixonhill.com | Mixon Hill (intelligent transportation systems) | ImpLink | Enum processes | 2020-04-29 |
| ni.corp.natins | | ImpLink | Enum processes | 2020-10-24 |
| phabahamas.org | Public Hospitals Authority, Caribbean | ImpLink | Enum processes | 2020-11-05 |
| rbe.sk.ca | Regina Public Schools | ImpLink | Enum processes | 2020-08-20 |
| spsd.sk.ca | Saskatoon Public Schools | ImpLink | Enum processes | 2020-06-12 |
| yorkton.cofy | Community Options for Families & Youth | ImpLink | Enum processes | 2020-05-08 |
| .sutmf | | Ipx | Update config | 2020-06-25 |
