Data File of Entities Signaling to SolarWinds SUNBURST C2 Infrastructure

It is well understood that SUNBURST encodes part of the victim's internal hostname in the subdomain it uses to communicate with the command and control (C2) infrastructure. Decoding these subdomains can therefore help reveal SUNBURST victims.

Using passive DNS monitoring, RiskRecon collected 139,514 unique subdomains of the primary SUNBURST C2 domain avsvmcloud[.]com. RiskRecon decoded these subdomains using the algorithm first published by the cybersecurity firm RedDrip Team, separating the strings into sensical and nonsensical results. For each sensical decode (one that has the appearance of a hostname or an entity name), RiskRecon attempted to attribute the subdomain to an entity using a variety of analysis techniques, such as WHOIS records, Google searches, and web page analysis.

RiskRecon recorded the entities found to have been signaling to the SUNBURST C2 infrastructure in a data file, along with other attributes such as the decoded subdomain string, the attribution indicators, and the entity's geography. RiskRecon is making this file available to any risk professional to use for the benefit of their employer in understanding and acting on their SUNBURST risk exposure.

To obtain a copy of the RiskRecon file, simply fill out the form on this web page. Your request will be promptly reviewed.

Please read this blog post for a full breakdown of our analysis, including the data sources and methodology.
