By studying the investigation into the SUNBURST attack, this case study demonstrates how cyber analysts can easily and quickly examine and visualize the scale of a malware attack, whether during or after the incident, using Farsight DNSDB passive DNS data and Maltego. It also takes a close look at the attack pattern of SUNBURST and provides insights into the malware's behavior.
About the SolarWinds SUNBURST Supply Chain Compromise
In December 2020, the cyber threat analysis company FireEye discovered a global supply chain attack that trojanized SolarWinds Orion business software updates in order to distribute the malware named SUNBURST. The sophisticated attack, under way since as early as spring 2020, affected public and private organizations (18,000 SolarWinds customers, including almost all Fortune 500 companies, government agencies, and government contractors) and resulted in network lateral movement and data theft by the adversaries.