https://community.riskiq.com/
Key points:
- Of the SUNBURST features that were operationalized, the most telling was the one that identified Antivirus (AV) and Endpoint Detection & Response (EDR) products on the target, products sold by five companies: FireEye, CrowdStrike, Microsoft, ESET, and F-Secure (Kaspersky was identified, but the malware did not modify its behavior if it was found).
- The key tactical countermeasure that significantly impeded analysis was the threat actor's strict adherence to pattern avoidance: registering domains at different times over different years, "aging" domains, keeping the first-stage infrastructure registered in the US to avoid scrutiny by the NSA, and hosting the second- and third-stage infrastructure in foreign countries.
- The first-stage implant was designed to beacon to its command-and-control servers with random jitter after a two-week dormancy period, which RiskIQ's Team Atlas assessed was meant to outlive the typical lifespan of event logging on most host-based EDR products.
- The third-stage malware was designed to look completely different from the second-stage malware, which, in turn, was designed to look nothing like the first-stage malware.
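The retention point above has a direct defender check: if a host's first beacon falls outside the EDR's local log window, the install-time telemetry has likely aged out and must be pulled from longer-term storage instead. The script below is an added example, not RiskIQ's code; the install timestamp, the `host dest` connection-log format and the `example-c2.invalid` destination are all constructed.

```python
"""Added example (not from the RiskIQ post): measures how long a host was
dormant before its first beacon, flags whether that dormancy exceeds the
EDR's local retention window, and estimates beacon jitter from the
inter-arrival gaps. All timestamps and log lines are constructed."""
from datetime import datetime, timedelta
from statistics import mean, pstdev

# Constructed: when the trojanized package was installed on host01
INSTALL_TIME = datetime(2020, 3, 26, 9, 0)

# Constructed outbound-connection log, one event per line: "<ISO ts> <host> <dest>"
CONN_LOG = """\
2020-04-10T14:02:11 host01 example-c2.invalid
2020-04-10T14:31:40 host01 example-c2.invalid
2020-04-10T14:55:03 host01 example-c2.invalid
2020-04-10T15:26:59 host01 example-c2.invalid
2020-04-10T15:48:20 host01 example-c2.invalid
"""


def parse_log(text):
    """Parse the constructed log into (timestamp, host, destination) tuples."""
    events = []
    for line in text.splitlines():
        ts, host, dest = line.split()
        events.append((datetime.fromisoformat(ts), host, dest))
    return events


def beacon_profile(events, install_time, retention_days):
    """Return dormancy in days, whether install telemetry has likely aged out
    of local EDR storage, and the jitter ratio (stdev/mean) of beacon gaps.
    A jitter ratio well above zero means the intervals are not fixed."""
    times = sorted(t for t, _, _ in events)
    dormancy = times[0] - install_time
    gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
    jitter = pstdev(gaps) / mean(gaps) if len(gaps) > 1 else 0.0
    return {
        "dormancy_days": dormancy.days,
        "install_aged_out": dormancy > timedelta(days=retention_days),
        "jitter_ratio": round(jitter, 3),
    }


if __name__ == "__main__":
    # With a 7-day local window the install event is gone; with 30 days it survives.
    for window in (7, 30):
        print(window, beacon_profile(parse_log(CONN_LOG), INSTALL_TIME, window))
```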