Security researchers discover SUPERNOVA web shell activity linked to Chinese hackers
In late 2020, Secureworks CTU researchers observed a threat actor exploiting an internet-facing SolarWinds server to deploy the SUPERNOVA web shell. CTU analysis indicates that this activity is unrelated to the SUNBURST supply chain attack that trojanized the SolarWinds Orion business software updates. CTU researchers have attributed the SUPERNOVA activity to the SPIRAL espionage group. The threat actor exploited a SolarWinds Orion API authentication bypass vulnerability (CVE-2020-10148) to execute a reconnaissance script and then write the SUPERNOVA web shell to disk.
Similarities between the SUPERNOVA activity and a previous compromise of the network suggest that SPIRAL was responsible for both intrusions as: