Researchers shared the lists of victims of SolarWinds hack

Pierluigi Paganini December 22, 2020

Security experts shared lists of organizations that were infected with the SolarWinds Sunburst backdoor after decoding the DGA mechanism.

Security experts started analyzing the DGA mechanism used by threat actors behind the SolarWinds hack to control the Sunburst/Solarigate backdoor and published the list of targeted organizations.

Researchers from multiple cybersecurity firms published a list that contains major companies, including Cisco, Deloitte, Intel, Mediatek, and Nvidia.

The researchers decoded the DGA algorithm the backdoor uses to assign each compromised organization its own subdomain of the C2 domain (avsvmcloud[.]com).

“Prevasio would like to thank Zetalytics for providing us with an updated (larger) list of passive (historic) DNS queries for the domains generated by the malware.” reads the analysis published by Prevasio.

Researchers from several security firms, including TrueSec, Prevasio, QiAnXin RedDrip, and Kaspersky, shared the results of their analysis.

Prevasio researchers detailed the decoding process using the following address as an example:

fivu4vjamve5vfrtn2huov[.]appsync-api.us-west-2[.]avsvmcloud[.]com

“The first part of the domain name (before the first dot) consists of a 16-character random string, appended with an encoded computer’s domain name. This is the domain in which the local computer is registered.” the researchers state.
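The following Python is an added example, not code from the article or from Prevasio, TrueSec or any other firm named here. It takes the label shape the researchers describe (16 characters of prefix, then the encoded internal domain), reverses the encoding, and runs the result over a few constructed DNS log lines of the kind a defender would pull from a resolver or passive-DNS feed. The cipher alphabet, the shift of four positions and the '0' escape for the four characters the alphabet cannot carry are taken from the public decoders for this backdoor, not from the article, so treat them as assumptions of this example; the sample log lines, the `SAMPLE_DNS_LOG` name and the `k5e7phnl3mtaj2bq` prefix are constructed.

```python
# Decoding the first label of a Sunburst C2 name: 16 "random" characters
# followed by the victim's internal domain in a substitution cipher.
# Alphabet, shift and escape convention follow the public decoders for
# this backdoor (assumption of this example; the article only says the
# domain is "encoded").

ALPHABET = "rq3gsalt6u1iyfzop572d49bnx8cvmkewhj"  # a-z plus 1-9, in cipher order
SPECIAL = "0_-."                                   # escaped as '0' + a cipher character
C2_SUFFIX = ".avsvmcloud.com"                      # C2 domain named in the article
PREFIX_LEN = 16                                    # prefix length stated by Prevasio


def decode_domain(encoded):
    """Reverse the substitution: each cipher character stands for the alphabet
    character four positions earlier; '0' + c stands for SPECIAL[index(c) % 4]."""
    out = []
    i = 0
    while i < len(encoded):
        c = encoded[i]
        if c == "0":
            if i + 1 >= len(encoded) or encoded[i + 1] not in ALPHABET:
                raise ValueError("dangling escape in %r" % encoded)
            out.append(SPECIAL[ALPHABET.index(encoded[i + 1]) % 4])
            i += 2
        elif c in ALPHABET:
            out.append(ALPHABET[(ALPHABET.index(c) - 4) % len(ALPHABET)])
            i += 1
        else:
            # Names with upper-case letters in the article's list come out of a
            # second, base32-style scheme that this example does not implement.
            raise ValueError("character %r outside the cipher alphabet" % c)
    return "".join(out)


def encode_domain(plain):
    """Forward direction, kept here only to check that the decoder round-trips."""
    out = []
    for c in plain:
        if c in SPECIAL:
            out.append("0" + ALPHABET[SPECIAL.index(c)])
        elif c in ALPHABET:
            out.append(ALPHABET[(ALPHABET.index(c) + 4) % len(ALPHABET)])
        else:
            raise ValueError("cannot encode %r" % c)
    return "".join(out)


def split_label(fqdn):
    """Return (random_prefix, decoded_domain) for a name under the C2 domain,
    or None when the name is not shaped like a Sunburst query."""
    fqdn = fqdn.lower().rstrip(".")
    if not fqdn.endswith(C2_SUFFIX):
        return None
    label = fqdn.split(".", 1)[0]          # "before the first dot"
    if len(label) <= PREFIX_LEN:
        return None
    return label[:PREFIX_LEN], decode_domain(label[PREFIX_LEN:])


# Constructed resolver log lines (not from the article): time, client, query.
# Line 1 is the article's own example; line 3 carries "mtk.lo" behind a made-up prefix.
SAMPLE_DNS_LOG = """\
2020-06-10T09:14:02Z 10.20.30.41 query fivu4vjamve5vfrtn2huov.appsync-api.us-west-2.avsvmcloud.com
2020-06-10T09:14:05Z 10.20.30.41 query updates.example.com
2020-06-10T09:15:17Z 10.20.30.77 query k5e7phnl3mtaj2bqhij0g12.appsync-api.eu-west-1.avsvmcloud.com
"""


def scan_dns_log(text):
    """Pick out queries to the C2 domain and decode the victim domain each one
    carries; returns (timestamp, client, random_prefix, decoded_domain) tuples.
    A query that does not decode is kept with decoded_domain = None."""
    hits = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 4:
            continue
        try:
            parsed = split_label(parts[3])
        except ValueError:
            parsed = (parts[3].split(".", 1)[0][:PREFIX_LEN], None)
        if parsed is not None:
            hits.append((parts[0], parts[1], parsed[0], parsed[1]))
    return hits


if __name__ == "__main__":
    for ts, client, prefix, domain in scan_dns_log(SAMPLE_DNS_LOG):
        print(ts, client, prefix, "->", domain)
```

Run against a real resolver export, each hit gives the internal AD domain a beaconing host believed it was joined to, which is the same value the list below was built from. Many of the listed names are fragments ("corp.stingraydi", "signaturebank.l"); the decoder returns whatever a single query carried, so joining fragments that share a prefix is still the analyst's job.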

Other major companies, including FireEye, Microsoft, and VMware, have also revealed that they were impacted by the SolarWinds supply chain attack.

TrueSec researchers speculate that the threat actors might have exfiltrated a massive amount of highly confidential information from multiple organizations. It is also highly likely that the attackers compromised the software and systems of their victims.

“This list contains the decoded values of internal domain names. We can therefore only assume that they belong to an organization based on the name of the domains and publicly available information,” reads the post published by TrueSec.

“More information will be disclosed during the upcoming months but the full extent of this breach will most likely never be communicated to the public, and instead will be restricted to trusted parts of the intelligence community.”

| Decoded Internal Name | Organization (possibly inaccurate) | Response Address Family | Command | First Seen |
|---|---|---|---|---|
| mnh.rg-law.ac.il | College of Law and Business, Israel | NetBios | HTTP Backdoor | 2020-05-26 |
| ad001.mtk.lo | Mediatek | NetBios | HTTP Backdoor | 2020-08-26 |
| Aeria | | NetBios | HTTP Backdoor | 2020-06-26 |
| Ameri | | NetBios | HTTP Backdoor | 2020-08-02 |
| ank.com | Ankcom Communications | NetBios | HTTP Backdoor | 2020-06-06 |
| azlcyy | | NetBios | HTTP Backdoor | 2020-08-07 |
| banccentral.com | BancCentral Financial Services Corp. | NetBios | HTTP Backdoor | 2020-07-03 |
| barrie.ca | City of Barrie | NetBios | HTTP Backdoor | 2020-05-13 |
| BCC.l | | NetBios | HTTP Backdoor | 2020-08-22 |
| bhq.lan | | NetBios | HTTP Backdoor | 2020-08-18 |
| cds.capilanou. | Capilano University | NetBios | HTTP Backdoor | 2020-08-27 |
| Centr | | NetBios | HTTP Backdoor | 2020-06-24 |
| chc.dom | | NetBios | HTTP Backdoor | 2020-08-04 |
| christieclinic. | Christie Clinic Telehealth | NetBios | HTTP Backdoor | 2020-04-22 |
| CIMBM | | NetBios | HTTP Backdoor | 2020-09-25 |
| CIRCU | | NetBios | HTTP Backdoor | 2020-05-30 |
| CONSO | | NetBios | HTTP Backdoor | 2020-06-17 |
| corp.ptci.com | Pioneer Telephone Scholarship Recipients | NetBios | HTTP Backdoor | 2020-06-19 |
| corp.stingraydi | Stingray (Media and entertainment) | NetBios | HTTP Backdoor | 2020-06-10 |
| corp.stratusnet | Stratus Networks | NetBios | HTTP Backdoor | 2020-04-28 |
| cosgroves.local | Cosgroves (Building services consulting) | NetBios | HTTP Backdoor | 2020-08-25 |
| COTES | Cotes (Humidity Management) | NetBios | HTTP Backdoor | 2020-07-25 |
| csnt.princegeor | City of Prince George | NetBios | HTTP Backdoor | 2020-09-18 |
| cys.local | CYS Group (Marketing analytics) | NetBios | HTTP Backdoor | 2020-07-10 |
| digitalsense.co | Digital Sense (Cloud Services) | NetBios | HTTP Backdoor | 2020-06-24 |
| ehtuh- | | NetBios | HTTP Backdoor | 2020-05-01 |
| escap.org | | NetBios | HTTP Backdoor | 2020-07-10 |
| f.gnam | | NetBios | HTTP Backdoor | 2020-04-04 |
| fhc.local | | NetBios | HTTP Backdoor | 2020-07-06 |
| fidelitycomm.lo | Fidelity Communications (ISP) | NetBios | HTTP Backdoor | 2020-06-02 |
| fisherbartoninc.com | The Fisher Barton Group (Blade Manufacturer) | NetBios | HTTP Backdoor | 2020-05-15 |
| fmtn.ad | City of Farmington | NetBios | HTTP Backdoor | 2020-07-21 |
| FWO.I | | NetBios | HTTP Backdoor | 2020-08-05 |
| ggsg-us.cisco | Cisco GGSG | NetBios | HTTP Backdoor | 2020-06-24 |
| ghsmain1.ggh.g | | NetBios | HTTP Backdoor | 2020-06-09 |
| gxw | | NetBios | HTTP Backdoor | 2020-07-07 |
| htwanmgmt.local | | NetBios | HTTP Backdoor | 2020-07-22 |
| ieb.go.id | | NetBios | HTTP Backdoor | 2020-06-12 |
| int.ncahs.net | | NetBios | HTTP Backdoor | 2020-09-23 |
| internal.jtl.c | | NetBios | HTTP Backdoor | 2020-05-19 |
| ironform.com | Ironform (metal fabrication) | NetBios | HTTP Backdoor | 2020-06-19 |
| isi | | NetBios | HTTP Backdoor | 2020-07-06 |
| itps.uk.net | Infection Prevention Society (IPS) | NetBios | HTTP Backdoor | 2020-08-11 |
| jxxyx. | | NetBios | HTTP Backdoor | 2020-06-26 |
| kcpl.com | Kansas City Power and Light Company | NetBios | HTTP Backdoor | 2020-07-07 |
| keyano.local | Keyano College | NetBios | HTTP Backdoor | 2020-06-03 |
| khi0kl | | NetBios | HTTP Backdoor | 2020-08-26 |
| lhc_2f | | NetBios | HTTP Backdoor | 2020-04-18 |
| lufkintexas.net | Lufkin (City in Texas) | NetBios | HTTP Backdoor | 2020-07-07 |
| magnoliaisd.loc | Magnolia Independent School District | NetBios | HTTP Backdoor | 2020-06-01 |
| MOC.l | | NetBios | HTTP Backdoor | 2020-04-30 |
| moncton.loc | City of Moncton | NetBios | HTTP Backdoor | 2020-08-25 |
| mountsinai.hosp | Mount Sinai Hospital | NetBios | HTTP Backdoor | 2020-07-02 |
| netdecisions.lo | Netdecisions (IT services) | NetBios | HTTP Backdoor | 2020-10-04 |
| newdirections.k | | NetBios | HTTP Backdoor | 2020-04-21 |
| nswhealth.net | NSW Health | NetBios | HTTP Backdoor | 2020-06-12 |
| nzi_9p | | NetBios | HTTP Backdoor | 2020-08-04 |
| city.kingston.on.ca | City of Kingston, Ontario, Canada | NetBios | HTTP Backdoor | 2020-06-15 |
| dufferincounty.on.ca | Dufferin County, Ontario, Canada | NetBios | HTTP Backdoor | 2020-07-17 |
| osb.local | | NetBios | HTTP Backdoor | 2020-04-28 |
| oslerhc.org | William Osler Health System | NetBios | HTTP Backdoor | 2020-07-11 |
| pageaz.gov | City of Page | NetBios | HTTP Backdoor | 2020-04-19 |
| pcsco.com | Professional Computer Systems | NetBios | HTTP Backdoor | 2020-07-23 |
| pkgix_ | | NetBios | HTTP Backdoor | 2020-07-15 |
| pqcorp.com | PQ Corporation | NetBios | HTTP Backdoor | 2020-07-02 |
| prod.hamilton. | Hamilton Company | NetBios | HTTP Backdoor | 2020-08-19 |
| resprod.com | Res Group (Renewable energy company) | NetBios | HTTP Backdoor | 2020-05-06 |
| RPM.l | | NetBios | HTTP Backdoor | 2020-05-28 |
| sdch.local | South Davis Community Hospital | NetBios | HTTP Backdoor | 2020-05-18 |
| servitia.intern | | NetBios | HTTP Backdoor | 2020-06-16 |
| sfsi.stearnsban | Stearns Bank | NetBios | HTTP Backdoor | 2020-08-02 |
| signaturebank.l | Signature Bank | NetBios | HTTP Backdoor | 2020-06-25 |
| sm-group.local | SM Group (Distribution) | NetBios | HTTP Backdoor | 2020-07-07 |
| te.nz | TE Connectivity (Sensor manufacturer) | NetBios | HTTP Backdoor | 2020-05-13 |
| thx8xb | | NetBios | HTTP Backdoor | 2020-06-16 |
| tx.org | | NetBios | HTTP Backdoor | 2020-07-15 |
| usd373.org | Newton Public Schools | NetBios | HTTP Backdoor | 2020-08-01 |
| uzq | | NetBios | HTTP Backdoor | 2020-10-02 |
| ville.terrebonn | Ville de Terrebonne | NetBios | HTTP Backdoor | 2020-08-02 |
| wrbaustralia.ad | W. R. Berkley Insurance Australia | NetBios | HTTP Backdoor | 2020-07-11 |
| ykz | | NetBios | HTTP Backdoor | 2020-07-11 |
| 2iqzth | | ImpLink | Enum processes | 2020-06-17 |
| 3if.2l | 3IF (Industrial Internet) | ImpLink | Enum processes | 2020-08-20 |
| airquality.org | Sacramento Metropolitan Air Quality Management District | ImpLink | Enum processes | 2020-08-09 |
| ansc.gob.pe | GOB (Digital Platform of the Peruvian State) | ImpLink | Enum processes | 2020-07-25 |
| bcofsa.com.ar | Banco de Formosa | ImpLink | Enum processes | 2020-07-13 |
| bi.corp | | ImpLink | Enum processes | 2020-12-14 |
| bop.com.pk | The Bank of Punjab | ImpLink | Enum processes | 2020-09-18 |
| camcity.local | | ImpLink | Enum processes | 2020-08-07 |
| cow.local | | ImpLink | Enum processes | 2020-06-13 |
| deniz.denizbank | DenizBank | ImpLink | Enum processes | 2020-11-14 |
| ies.com | IES Communications (Communications technology) | ImpLink | Enum processes | 2020-06-11 |
| insead.org | INSEAD Business School | ImpLink | Enum processes | 2020-11-07 |
| KS.LO | | ImpLink | Enum processes | 2020-07-10 |
| mixonhill.com | Mixon Hill (intelligent transportation systems) | ImpLink | Enum processes | 2020-04-29 |
| ni.corp.natins | | ImpLink | Enum processes | 2020-10-24 |
| phabahamas.org | Public Hospitals Authority, Caribbean | ImpLink | Enum processes | 2020-11-05 |
| rbe.sk.ca | Regina Public Schools | ImpLink | Enum processes | 2020-08-20 |
| spsd.sk.ca | Saskatoon Public Schools | ImpLink | Enum processes | 2020-06-12 |
| yorkton.cofy | Community Options for Families & Youth | ImpLink | Enum processes | 2020-05-08 |
| .sutmf | | Ipx | Update config | 2020-06-25 |
| atg.local | | No Match | Unknown | 2020-05-11 |
| bisco.int | Bisco International (Adhesives and tapes) | No Match | Unknown | 2020-04-30 |
| ccscurriculum.c | | No Match | Unknown | 2020-04-18 |
| e-idsolutions. | IDSolutions (video conferencing) | No Match | Unknown | 2020-07-16 |
| ETC1. | | No Match | Unknown | 2020-08-01 |
| gk5 | | No Match | Unknown | 2020-07-09 |
| grupobazar.loca | | No Match | Unknown | 2020-06-07 |
| internal.hws.o | | No Match | Unknown | 2020-05-23 |
| n2k | | No Match | Unknown | 2020-07-12 |
| publiser.it | | No Match | Unknown | 2020-07-05 |
| us.deloitte.co | Deloitte | No Match | Unknown | 2020-07-08 |
| ush.com | | No Match | Unknown | 2020-06-15 |
| xijtt- | | No Match | Unknown | 2020-07-21 |
| xnet.kz | X NET (IT provider in Kazakhstan) | No Match | Unknown | 2020-06-09 |
| zu0 | | No Match | Unknown | 2020-08-13 |
| staff.technion.ac.il | | N/A | N/A | N/A |
| digitalreachinc.com | | N/A | N/A | N/A |
| orient-express.com | | N/A | N/A | N/A |
| tr.technion.ac.il | | N/A | N/A | N/A |
| lasers.state.la.us | | N/A | N/A | N/A |
| ABLE. | | N/A | N/A | N/A |
| abmuh_ | | N/A | N/A | N/A |
| acmedctr.ad | | N/A | N/A | N/A |
| ad.azarthritis.com | | N/A | N/A | N/A |
| ad.library.ucla.edu | | N/A | N/A | N/A |
| ad.optimizely. | | N/A | N/A | N/A |
| admin.callidusc | | N/A | N/A | N/A |
| aerioncorp.com | | N/A | N/A | N/A |
| agloan.ads | | N/A | N/A | N/A |
| ah.org | | N/A | N/A | N/A |
| AHCCC | | N/A | N/A | N/A |
| allegronet.co. | | N/A | N/A | N/A |
| alm.brand.dk | | N/A | N/A | N/A |
| amalfi.local | | N/A | N/A | N/A |
| americas.phoeni | | N/A | N/A | N/A |
| amr.corp.intel | | N/A | N/A | N/A |
| apu.mn | | N/A | N/A | N/A |
| ARYZT | | N/A | N/A | N/A |
| b9f9hq | | N/A | N/A | N/A |
| BE.AJ | | N/A | N/A | N/A |
| belkin.com | | N/A | N/A | N/A |
| bk.local | | N/A | N/A | N/A |
| bmrn.com | | N/A | N/A | N/A |
| bok.com | | N/A | N/A | N/A |
| btb.az | | N/A | N/A | N/A |
| c4e-internal.c | | N/A | N/A | N/A |
| calsb.org | | N/A | N/A | N/A |
| casino.prv | | N/A | N/A | N/A |
| cda.corp | | N/A | N/A | N/A |
| central.pima.g | | N/A | N/A | N/A |
| cfsi.local | | N/A | N/A | N/A |
| ch.local | | N/A | N/A | N/A |
| ci.dublin.ca. | | N/A | N/A | N/A |
| cisco.com | | N/A | N/A | N/A |
| corp.dvd.com | | N/A | N/A | N/A |
| corp.sana.com | | N/A | N/A | N/A |
| Count | | N/A | N/A | N/A |
| COWI. | | N/A | N/A | N/A |
| coxnet.cox.com | | N/A | N/A | N/A |
| CRIHB | | N/A | N/A | N/A |
| cs.haystax.loc | | N/A | N/A | N/A |
| csa.local | | N/A | N/A | N/A |
| csci-va.com | | N/A | N/A | N/A |
| csqsxh | | N/A | N/A | N/A |
| DCCAT | | N/A | N/A | N/A |
| deltads.ent | | N/A | N/A | N/A |
| detmir-group.r | | N/A | N/A | N/A |
| dhhs- | | N/A | N/A | N/A |
| dmv.state.nv. | | N/A | N/A | N/A |
| dotcomm.org | | N/A | N/A | N/A |
| DPCIT | | N/A | N/A | N/A |
| dskb2x | | N/A | N/A | N/A |
| e9.2pz | | N/A | N/A | N/A |
| ebe.co.roanoke.va.us | | N/A | N/A | N/A |
| ecobank.group | | N/A | N/A | N/A |
| ecocorp.local | | N/A | N/A | N/A |
| epl.com | | N/A | N/A | N/A |
| fremont.lamrc. | | N/A | N/A | N/A |
| FSAR. | | N/A | N/A | N/A |
| ftfcu.corp | | N/A | N/A | N/A |
| gksm.local | | N/A | N/A | N/A |
| gloucesterva.ne | | N/A | N/A | N/A |
| glu.com | | N/A | N/A | N/A |
| gnb.local | | N/A | N/A | N/A |
| gncu.local | | N/A | N/A | N/A |
| gsf.cc | | N/A | N/A | N/A |
| gyldendal.local | | N/A | N/A | N/A |
| helixwater.org | | N/A | N/A | N/A |
| hgvc.com | | N/A | N/A | N/A |
| ia.com | | N/A | N/A | N/A |
| inf.dc.net | | N/A | N/A | N/A |
| ingo.kg | | N/A | N/A | N/A |
| innout.corp | | N/A | N/A | N/A |
| int.lukoil-international.uz | | N/A | N/A | N/A |
| intensive.int | | N/A | N/A | N/A |
| ions.com | | N/A | N/A | N/A |
| its.iastate.ed | | N/A | N/A | N/A |
| jarvis.lab | | N/A | N/A | N/A |
| -jlowd | | N/A | N/A | N/A |
| jn05n8 | | N/A | N/A | N/A |
| jxb3eh | | N/A | N/A | N/A |
| k.com | | N/A | N/A | N/A |
| LABEL | | N/A | N/A | N/A |
| milledgeville.l | | N/A | N/A | N/A |
| nacr.com | | N/A | N/A | N/A |
| ncpa.loc | | N/A | N/A | N/A |
| neophotonics.co | | N/A | N/A | N/A |
| net.vestfor.dk | | N/A | N/A | N/A |
| nih.if | | N/A | N/A | N/A |
| nvidia.com | | N/A | N/A | N/A |
| on-pot | | N/A | N/A | N/A |
| ou0yoy | | N/A | N/A | N/A |
| paloverde.local | | N/A | N/A | N/A |
| pl8uw0 | | N/A | N/A | N/A |
| q9owtt | | N/A | N/A | N/A |
| rai.com | | N/A | N/A | N/A |
| rccf.ru | | N/A | N/A | N/A |
| repsrv.com | | N/A | N/A | N/A |
| ripta.com | | N/A | N/A | N/A |
| roymerlin.com | | N/A | N/A | N/A |
| rs.local | | N/A | N/A | N/A |
| rst.atlantis-pak.ru | | N/A | N/A | N/A |
| sbywx3 | | N/A | N/A | N/A |
| sc.pima.gov | | N/A | N/A | N/A |
| scif.com | | N/A | N/A | N/A |
| SCMRI | | N/A | N/A | N/A |
| scroot.com | | N/A | N/A | N/A |
| seattle.interna | | N/A | N/A | N/A |
| securview.local | | N/A | N/A | N/A |
| SFBAL | | N/A | N/A | N/A |
| SF-Li | | N/A | N/A | N/A |
| siskiyous.edu | | N/A | N/A | N/A |
| sjhsagov.org | | N/A | N/A | N/A |
| Smart | | N/A | N/A | N/A |
| smes.org | | N/A | N/A | N/A |
| sos-ad.state.nv.us | | N/A | N/A | N/A |
| sro.vestfor.dk | | N/A | N/A | N/A |
| superior.local | | N/A | N/A | N/A |
| swd.local | | N/A | N/A | N/A |
| ta.org | | N/A | N/A | N/A |
| taylorfarms.com | | N/A | N/A | N/A |
| thajxq | | N/A | N/A | N/A |
| thoughtspot.int | | N/A | N/A | N/A |
| tsyahr | | N/A | N/A | N/A |
| tv2.local | | N/A | N/A | N/A |
| uis.kent.edu | | N/A | N/A | N/A |
| uncity.dk | | N/A | N/A | N/A |
| uont.com | | N/A | N/A | N/A |
| viam-invenient | | N/A | N/A | N/A |
| vms.ad.varian.com | | N/A | N/A | N/A |
| vsp.com | | N/A | N/A | N/A |
| WASHO | | N/A | N/A | N/A |
| weioffice.com | | N/A | N/A | N/A |
| wfhf1.hewlett. | | N/A | N/A | N/A |
| woodruff-sawyer | | N/A | N/A | N/A |
| HQ.RE-wwgi2xnl | | N/A | N/A | N/A |
| xdxinc.net | | N/A | N/A | N/A |
| y9k.in | | N/A | N/A | N/A |
| zeb.i8 | | N/A | N/A | N/A |
| zippertubing.co | | N/A | N/A | N/A |


Pierluigi Paganini

(SecurityAffairs – hacking, Solarwinds)
