Difficulty: Hard | Category: Malware & Execution | Time: 45-60 minutes
Tools: SIEM, XDR, Firewall

Supply Chain Compromise Investigation

When trusted software updates or third-party tools exhibit unexpected behavior, making unusual network connections, spawning unexpected processes, or accessing sensitive data, investigate for supply chain compromise. The SolarWinds SUNBURST attack (2020) and the 3CX supply chain attack (March 2023) demonstrated that even signed, legitimate software can be weaponized. These attacks are exceptionally dangerous because the malicious code arrives through trusted update channels, bypassing most security controls.

Overview

Supply chain compromise attacks insert malicious code into legitimate software before it reaches the customer, either by compromising the vendor build process, injecting code into open-source dependencies, or replacing legitimate packages with malicious ones. The SolarWinds Orion SUNBURST attack (discovered December 2020) compromised approximately 18,000 organizations including US government agencies by trojanizing the SolarWinds update process. The 3CX supply chain attack (March 2023) weaponized the 3CX desktop client used by over 600,000 companies, which itself was compromised through a prior supply chain attack on Trading Technologies.

These attacks represent the most sophisticated threat to organizations because the malicious code is digitally signed, delivered through legitimate channels, and trusted by endpoint security tools. This playbook covers how to investigate when trusted software behaves unexpectedly.

When You See This

  1. A legitimate, signed application makes network connections to unknown or suspicious external hosts

  2. Trusted software spawns unexpected child processes (e.g., 3CXDesktopApp.exe spawning ffmpeg.exe that loads malicious DLLs)

  3. Endpoint detection alerts on trusted application behavior that does not match its known profile

  4. A threat intelligence advisory identifies a compromised version of software you use

  5. A legitimate update process delivers a binary whose hash does not match the vendor-published hash

Investigation Steps

  1. Verify the threat intelligence

     Confirm the supply chain compromise report from multiple reliable sources (vendor advisory, CISA, security researchers). Determine exactly which software versions are affected. In the 3CX case, versions 18.12.407 and 18.12.416 were compromised. In SolarWinds, Orion versions 2019.4 HF5 through 2020.2.1 contained SUNBURST.

     Tools: SIEM
     index=endpoint process_name="affected_software.exe" | stats dc(dest_host) as installed_count, values(file_hash) as hashes, values(file_version) as versions by process_name | table process_name, installed_count, versions, hashes

  2. Determine scope of exposure

     Identify every host running the compromised software version. This is the blast radius. In the SolarWinds attack, approximately 18,000 organizations installed the trojanized update, though only about 100 were actively exploited. The distinction matters; having the compromised software does not necessarily mean active exploitation.

     Tools: SIEM, XDR
     index=endpoint (file_hash="compromised_hash_1" OR file_hash="compromised_hash_2") | stats count by dest_host, file_path, file_version | sort -count

     Decision Point

     If: The compromised software is installed on critical systems (domain controllers, financial systems, executive workstations)

     Yes → Prioritize investigation of these systems. Check for C2 activation indicators specific to the supply chain malware.

     No → Still investigate all instances, but critical systems take priority for isolation decisions.

  3. Check for C2 activation

     Most supply chain backdoors have an activation phase; they do not immediately beacon. SUNBURST waited 12-14 days before activating. Check network logs from hosts running the compromised software for connections to known C2 indicators. The absence of C2 traffic may mean the backdoor was installed but not activated.

     Tools: Firewall, SIEM
     index=firewall src_ip IN (hosts_with_compromised_software) | stats count, sum(bytes_out) as total_out by dest_ip, dest_domain | where dest_domain IN ("known_c2_indicators") OR count > 100
     index=dns src_ip IN (hosts_with_compromised_software) query IN ("known_c2_domains") | stats count by src_ip, query

  4. Investigate hosts with C2 activity

     For any host showing C2 communication, conduct a full endpoint investigation. Check for additional tools deployed by the attacker, credential harvesting, lateral movement, and data access. In the SolarWinds attack, APT29 deployed additional backdoors (TEARDROP, RAINDROP) after SUNBURST activation to maintain persistent access even if SUNBURST was removed.

     Tools: XDR, SIEM
     index=endpoint dest_host="c2_active_host" | stats count by process_name, parent_process_name, process_hash | where process_hash NOT IN (known_good_hashes) | sort -count

  5. Contain, remediate, and rebuild trust

     For hosts with confirmed C2 activation: isolate and treat as compromised. For hosts with the compromised software but no C2 activity: update to a clean version immediately. Block all known C2 indicators. Rebuild any host that showed C2 activity from known-good images. Coordinate with the software vendor for remediation guidance. Review your software supply chain security processes.

     Tools: XDR, Firewall
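The scoping logic of steps 2 through 4 as an added example (not part of the original playbook): it joins a constructed endpoint inventory with constructed DNS events, separates hosts that merely have the compromised build from hosts whose backdoor has activated, and also flags hosts on a clean build that still contact C2 (the persistence case from Common Mistakes). The affected versions are the 3CX versions named in step 1; the hashes, hostnames and C2 domain are placeholders.

```python
# Constructed endpoint inventory (as a SIEM might export it), one record per
# host running the affected software. Hashes are placeholders, not real IoCs.
INVENTORY = [
    {"host": "dc01",   "version": "18.12.407", "hash": "PLACEHOLDER_HASH_A"},
    {"host": "ws-cfo", "version": "18.12.416", "hash": "PLACEHOLDER_HASH_B"},
    {"host": "ws-042", "version": "18.12.416", "hash": "PLACEHOLDER_HASH_B"},
    {"host": "ws-099", "version": "18.12.422", "hash": "PLACEHOLDER_HASH_C"},
]
AFFECTED_VERSIONS = {"18.12.407", "18.12.416"}  # versions named in the 3CX advisory
AFFECTED_HASHES = {"PLACEHOLDER_HASH_A", "PLACEHOLDER_HASH_B"}  # placeholders
KNOWN_C2_DOMAINS = {"c2-indicator.example"}  # placeholder, not a real indicator
CRITICAL_HOSTS = {"dc01", "ws-cfo"}  # domain controller, executive workstation

# Constructed DNS log: "<timestamp> <src_host> <query>", one event per line.
DNS_LOG = """\
2023-03-29T10:01:12Z ws-042 updates.vendor.example
2023-03-29T10:02:45Z ws-cfo c2-indicator.example
2023-03-29T10:03:01Z ws-099 c2-indicator.example
"""

def classify(inventory, dns_log):
    """Map each host to: active (compromised build + C2 contact), exposed
    (compromised build, no C2 seen), beaconing (C2 contact from a clean
    build: persistence that survived an update, or a secondary implant), clean."""
    exposed = {r["host"] for r in inventory
               if r["version"] in AFFECTED_VERSIONS or r["hash"] in AFFECTED_HASHES}
    beaconing = set()
    for line in dns_log.splitlines():
        _ts, host, query = line.split()
        if query in KNOWN_C2_DOMAINS:
            beaconing.add(host)
    status = {}
    for host in (r["host"] for r in inventory):
        if host in exposed and host in beaconing:
            status[host] = "active"
        elif host in beaconing:
            status[host] = "beaconing"
        elif host in exposed:
            status[host] = "exposed"
        else:
            status[host] = "clean"
    return status

def triage_order(status):
    """Work queue: C2 evidence first, then exposed builds; critical hosts first within a tier."""
    rank = {"active": 0, "beaconing": 1, "exposed": 2, "clean": 3}
    return sorted(status, key=lambda h: (rank[status[h]], h not in CRITICAL_HOSTS, h))
```

In a real SIEM the inventory and DNS sets come from the step 1 and step 3 queries above; the classification is what decides isolation versus immediate update in step 5.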

Common Mistakes

  1. Assuming the compromised software can simply be updated; if the attacker was active, they likely deployed persistence mechanisms that survive software updates

  2. Not distinguishing between having the compromised software installed and having the backdoor actively exploited; these require different responses

  3. Removing the compromised software without first collecting forensic evidence for the investigation

  4. Focusing only on the named IOCs without hunting for secondary implants the attacker may have deployed

Escalation Criteria

  • Any host showing C2 activation from the supply chain backdoor

  • The compromised software is installed on domain controllers or identity infrastructure

  • Evidence of lateral movement or additional tools deployed after supply chain compromise

Practice This Investigation

SOCSimulator provides hands-on training rooms where you work through real-world attack scenarios, including supply chain compromise investigations with live SIEM alerts. Build analyst muscle memory with zero consequences. Free forever.


Frequently Asked Questions

How did the SolarWinds attack work?
Attackers (APT29/Cozy Bear) compromised the SolarWinds Orion build process, inserting the SUNBURST backdoor into legitimate software updates. Approximately 18,000 organizations installed the trojanized update. SUNBURST waited 12-14 days before activating, then communicated via DNS to its C2. About 100 organizations were actively exploited, including US Treasury, Commerce, and Homeland Security departments.
What was the 3CX supply chain attack?
In March 2023, the 3CX desktop VoIP application (used by 600,000+ companies) was compromised, and the root cause was itself a prior supply chain attack on Trading Technologies software. The weaponized 3CX app loaded a malicious DLL that contacted GitHub to download encrypted C2 addresses. It demonstrated supply chain attacks can be chained, with one compromised vendor leading to another.
How do I practice supply chain investigations?
SOCSimulator includes multi-stage scenarios inspired by real supply chain attacks. Practice identifying trojanized software behavior, scoping blast radius, and coordinating containment across many hosts. Start free forever.