Kaspersky researchers: every fifth victim of Sunburst was from manufacturing industry

Published: Tuesday, 02 February 2021 09:22

The Sunburst backdoor attack, publicly announced on December 13th, 2020, is still keeping researchers on edge as they untangle the true scale of this supply chain attack and the interests of the actor behind it. While the officially confirmed number of affected users amounts to 18,000, there is limited information about what kinds of organizations used the backdoored SolarWinds versions and fell victim to the attack. To answer this question, Kaspersky ICS CERT researchers assessed internal and publicly available information and determined which industries were affected the most.

By analyzing all available decoded internal domain names obtained from DNS names generated by the Sunburst Domain Name Generation Algorithm, the researchers compiled a list of nearly 2,000 readable and attributable domains. Of the organizations on this list, an estimated 32.4 percent are industrial, with manufacturing hit the most (18.11 percent of all victims), followed by utilities (3.24 percent) and construction (3.03 percent). Transportation and logistics (2.97 percent) and oil & gas (1.35 percent) round out the top five affected industries. This data correlates with Kaspersky’s analysis of its affected customers and the industries they belong to.

The geographical distribution of the industrial organizations is broad and includes the following countries and territories: Benin, Canada, Chile, Djibouti, Indonesia, Iran, Malaysia, Mexico, the Netherlands, the Philippines, Portugal, Russia, Saudi Arabia, Taiwan, Uganda, and the USA.

“The SolarWinds software is highly integrated into many systems around the globe in different industries and, as a result, the scale of the Sunburst attack is unparalleled – a lot of organizations that had been affected might not have been of interest to the attackers initially. While we do not have evidence of a second-stage attack among these victims, we should not rule out the possibility that it may come in the future. Therefore, it is crucial for organizations that may be victims of the attack to rule out the infection and make sure they have the right incident response procedures in place,” comments Maria Garnaeva, senior security researcher at Kaspersky.

Read the full report on this research here.