Cybersecurity professionals say they have found a killswitch to stop malware deployed in the SolarWinds hack that has affected the federal government and large corporations.
FireEye, a cybersecurity firm and SolarWinds customer, said it identified a killswitch in the SUNBURST malware and has worked with Microsoft and GoDaddy to deactivate the malware. By engaging the killswitch, the companies can cause the malware to self-destruct, but doing so does not eliminate the threat posed by the malware infections entirely.
“This killswitch will affect new and previous SUNBURST infections by disabling SUNBURST deployments that are still beaconing to avsvmcloud[.]com. However, in the intrusions FireEye has seen, this actor moved quickly to establish additional persistent mechanisms to access victim networks beyond the SUNBURST backdoor,” a FireEye spokesperson said in a statement. “This killswitch will not remove the actor from victim networks where they have established other backdoors.”
FireEye appears to have been the first to discover the cyberespionage campaign and to begin notifying victims. The killswitch it has discovered does not end the cyberthreat, but it will make it more difficult for hackers to use the malware they previously deployed.
Microsoft previously announced that it started blocking known malware affecting SolarWinds on Wednesday. Microsoft said its actions would quarantine the infected software, and it recommended that customers isolate infected devices.
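A defender-side illustration of the "still beaconing" condition FireEye describes and the isolation step Microsoft recommends, added here as an example and not code from the article or from FireEye, Microsoft or GoDaddy: it walks a DNS resolver log for queries to avsvmcloud.com or any of its subdomains and lists the hosts that issued them. The log format, the sample lines and the assumption that a beacon shows up as a DNS query for that domain or one of its subdomains are constructed for the example; the only value taken from the article is the domain itself.

```python
"""Find hosts whose DNS queries show beaconing to avsvmcloud.com (SUNBURST).

Added example, not code from the article, FireEye, Microsoft or GoDaddy.
Assumes a simple resolver log of "<timestamp> <client-ip> <queried-name>"
and that a beacon appears as a DNS query for avsvmcloud.com or a subdomain.
The log lines below are constructed, not captured from a real incident.
"""
from collections import defaultdict

# The domain the article names as the beacon target (defanged form written out).
BEACON_DOMAIN = "avsvmcloud.com"

# Constructed sample resolver log. The subdomain labels are made up for the
# example; the last line is a look-alike that must NOT be flagged.
SAMPLE_LOG = """\
2020-12-14T09:01:12Z 10.20.1.15 update.microsoft.com
2020-12-14T09:01:44Z 10.20.1.23 constructedlabel01.avsvmcloud.com
2020-12-14T09:03:07Z 10.20.1.15 login.example-corp.internal
2020-12-14T09:04:51Z 10.20.1.23 constructedlabel01.avsvmcloud.com
2020-12-14T09:05:30Z 10.20.7.8 constructedlabel02.avsvmcloud.com
2020-12-14T09:06:02Z 10.20.1.40 notavsvmcloud.com
"""


def is_beacon_query(name: str, domain: str = BEACON_DOMAIN) -> bool:
    """True if `name` is the beacon domain or one of its subdomains.

    Matches on DNS label boundaries (and tolerates a trailing dot), so a
    naive substring check does not flag look-alikes such as
    'notavsvmcloud.com'.
    """
    name = name.rstrip(".").lower()
    return name == domain or name.endswith("." + domain)


def parse_line(line: str):
    """Split one log line into (timestamp, client_ip, queried_name) or None."""
    parts = line.split()
    if len(parts) != 3:
        return None
    timestamp, client, qname = parts
    return timestamp, client, qname


def beaconing_hosts(log_text: str, domain: str = BEACON_DOMAIN) -> dict:
    """Map each client IP that queried the beacon domain to its query timestamps."""
    hits = defaultdict(list)
    for line in log_text.splitlines():
        record = parse_line(line)
        if record is None:
            continue  # skip blank or malformed lines rather than fail the sweep
        timestamp, client, qname = record
        if is_beacon_query(qname, domain):
            hits[client].append(timestamp)
    return dict(hits)


def isolation_candidates(log_text: str, domain: str = BEACON_DOMAIN) -> list:
    """Sorted client IPs still beaconing: the devices to isolate and examine."""
    return sorted(beaconing_hosts(log_text, domain))


if __name__ == "__main__":
    for host, times in sorted(beaconing_hosts(SAMPLE_LOG).items()):
        print(f"{host}: {len(times)} beacon-style queries, first seen {times[0]}")
```

Running it against the constructed log reports 10.20.1.23 and 10.20.7.8 and leaves out the host that queried notavsvmcloud.com. As FireEye's statement notes, a host that has stopped beaconing is not necessarily clean, so the list is a starting point for isolation and investigation, not an all-clear for hosts absent from it.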
While the private cybersecurity professionals have worked to stop the spread of the malware, the federal government is investigating the extent of the damage and is still working to understand what the hackers accomplished.
The FBI, Cybersecurity and Infrastructure Security Agency (CISA) and the Office of the Director of National Intelligence (ODNI) said they formed a coordinated effort to respond to the SolarWinds cyber breaches. The FBI said it is investigating the hack and gathering intelligence, and CISA directed federal civilian agencies to shut off SolarWinds products connected to federal networks.
CISA is also coordinating with the private sector, and ODNI is supporting all of the government’s efforts with the resources of the intelligence community.
• Ryan Lovelace can be reached at rlovelace@washingtontimes.com.