The two previous malware that was discovered was Sunburst (Solorigate) and Teardrop. The new malware is called Sunspot.
According to CrowdStrike researchers, Sunspot was the first malware used by cyber criminals to carry it out attack.
Sunspot malware was "running" on SolarWinds build server
According to researchers, Sunspot malware installed on SolarWinds build server. The sole purpose of the malware was to monitor the build server for build commands related to Orion, one of the top products of SolarWinds used by more than 33.000 customers (worldwide).
By detecting a build command, the malware silently replaced source code files in the Orion app with files loading Sunburst malware. This resulted in creating versions of the Orion app that also installed the Sunburst malware.
These trojanized Orion clients have reached the official updates of SolarWinds servers and were installed in the networks of many of the company's customers.
Soon after, Sunburst was activated in the internal networks of SolarWinds companies and government customer services, and gathered data which he sent back to the hackers (the Symantec provides information on how to send data via DNS request).
The attackers then decided if one victim was important enough to be violated and they used the most powerful Teardrop trojan. At the same time, Sunburst was ordered to be deleted from non-significant or high-risk networks.
However, the revelation about the third malware involved in the SolarWinds attack is not the only one that came to light in the last few hours.
In an announcement on its blog, SolarWinds posted one schedule of the invasion. The company said that before the development of Sunburst software between March and June 2020, The hackers had done some testing between September and November 2019.
"The October 2019 version of the Orion Platform contained modifications designed to test perpetrators' ability to enter code into our systemsSaid SohaWinds CEO Sudhakar Ramakrishna.
Kaspersky pointed out that it just found some similarities in the code and that this does not necessarily mean that the same team is behind the SolarWinds attack.
The companies security suggest that such statements not be made yet, as the investigation is at an early stage.
At present, the attackers are being monitored under different names, such as UNC2452 (FireEye, Microsoft), DarkHalo (Volexity) and StellarParticle (CrowdStrike), but the name is expected to change as soon as Companies learn more.