17 December 2020

Hackers attempted to sell access to SolarWinds computers years before a security breach


Over the past few years, multiple cybercriminals have attempted to sell access to SolarWinds machines on underground forums. One of those individuals was a notorious hacker known as “fxmsp,” who had been offering access to SolarWinds computers in online forums during 2017, Reuters reported.

In July 2020, the US Department of Justice charged a 37-year-old citizen of Kazakhstan named Andrey Turchin (aka “fxmsp”) with conspiracy to commit computer hacking, two counts of computer fraud and abuse (hacking), conspiracy to commit wire fraud, and access device fraud.

According to the indictment, Turchin and his co-conspirators gained access to victims’ networks, established backdoors and then sold the network access on various underground forums such as Exploit.in, fuckav.ru, Club2Card, Altenen, Blackhacker, Omerta, Sniff3r, and L33t. If convicted on all charges, Turchin could face up to 50 years behind bars.

Vinoth Kumar, a security researcher, told Reuters that in 2019 he alerted SolarWinds that anyone could access SolarWinds’ update server by using the password “solarwinds123.” Kumar said he first contacted SolarWinds about the issue on November 19, 2019, and that the company fixed the vulnerability three days later.

However, security researchers believe that neither the weak password nor the stolen access led to the recent SolarWinds security breach, which is thought to affect multiple US government entities and private firms, including the US Treasury Department, the US Department of Commerce's National Telecommunications and Information Administration (NTIA), the Department of Health's National Institutes of Health (NIH), the Cybersecurity and Infrastructure Security Agency (CISA), the Department of Homeland Security (DHS), the US Department of State, and the security vendor FireEye.

In a joint effort with industry partners, Microsoft seized and sinkholed a key domain (avsvmcloud[.]com) used in the SolarWinds supply-chain attack to deliver trojanized Orion updates containing the Sunburst backdoor to SolarWinds customers.

According to the investigative journalist and cybersecurity expert Brian Krebs, FireEye, Microsoft, and GoDaddy collaborated to create a kill switch for the Sunburst malware. FireEye said that the commandeered domain was reconfigured to act as a “killswitch” that would prevent the malware from continuing to operate in some circumstances.

“Depending on the IP address returned when the malware resolves avsvmcloud[.]com, under certain conditions, the malware would terminate itself and prevent further execution. FireEye collaborated with GoDaddy and Microsoft to deactivate SUNBURST infections,” FireEye’s statement reads. “This killswitch will affect new and previous SUNBURST infections by disabling SUNBURST deployments that are still beaconing to avsvmcloud[.]com. However, in the intrusions FireEye has seen, this actor moved quickly to establish additional persistent mechanisms to access victim networks beyond the SUNBURST backdoor. This killswitch will not remove the actor from victim networks where they have established other backdoors. However, it will make it more difficult for the actor to leverage the previously distributed versions of SUNBURST.”
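The killswitch only acts on hosts that are still beaconing to the sinkholed domain, so the complementary defensive step is to find those hosts in your own DNS resolver logs and clean them up. The Python below is an added example and not code from FireEye, Microsoft or the article: it scans DNS query log lines for lookups of avsvmcloud.com or any of its subdomains and groups the hits by client, taking care that a look-alike name such as notavsvmcloud.com does not match. The log line format, client addresses, subdomain labels and answer addresses are all constructed for the example.

```python
"""List hosts in DNS resolver logs that are still resolving avsvmcloud.com.

Added example, not from the original article. The log format and every sample
line below are constructed; only the indicator domain comes from the article.
"""
from collections import defaultdict
import re

# Indicator named in the article, written in its live (non-defanged) form.
SINKHOLED_DOMAIN = "avsvmcloud.com"

# Constructed resolver log format: "<timestamp> client <ip> query <name> -> <answer>".
LOG_LINE = re.compile(
    r"^(?P<ts>\S+)\s+client\s+(?P<client>\S+)\s+query\s+(?P<qname>\S+)\s+->\s+(?P<answer>\S+)$"
)


def matches_domain(qname: str, domain: str = SINKHOLED_DOMAIN) -> bool:
    """True if qname equals `domain` or is a subdomain of it.

    Normalises case and a trailing dot and checks the label boundary, so
    'notavsvmcloud.com' is not treated as a hit.
    """
    name = qname.lower().rstrip(".")
    domain = domain.lower().rstrip(".")
    return name == domain or name.endswith("." + domain)


def find_beaconing_hosts(log_lines):
    """Return {client_ip: [(timestamp, qname, answer), ...]} for matching queries."""
    hits = defaultdict(list)
    for line in log_lines:
        m = LOG_LINE.match(line.strip())
        if not m:
            continue  # skip unparseable lines instead of aborting the whole scan
        if matches_domain(m["qname"]):
            hits[m["client"]].append((m["ts"], m["qname"], m["answer"]))
    return dict(hits)


def report(hits):
    """Render one line per client, most active first, for a remediation ticket."""
    lines = []
    for client, events in sorted(hits.items(), key=lambda kv: -len(kv[1])):
        first, last = events[0][0], events[-1][0]
        lines.append(f"{client}: {len(events)} lookup(s) of {SINKHOLED_DOMAIN} between {first} and {last}")
    return lines


# Constructed sample log: two beaconing clients, one benign lookup, one look-alike
# name that must not match, and one unparseable line. Addresses are TEST-NET ranges.
SAMPLE_LOG = [
    "2020-12-16T09:14:02Z client 10.0.5.21 query sample-host-a.avsvmcloud.com -> 192.0.2.10",
    "2020-12-16T09:14:05Z client 10.0.5.40 query www.example.com -> 203.0.113.5",
    "2020-12-16T09:15:11Z client 10.0.7.3 query AVSVMCLOUD.COM. -> 192.0.2.10",
    "2020-12-16T09:15:30Z client 10.0.5.21 query sample-host-b.avsvmcloud.com -> 192.0.2.10",
    "2020-12-16T09:16:00Z client 10.0.9.9 query notavsvmcloud.com -> 198.51.100.7",
    "this line is deliberately malformed and must be skipped",
]

if __name__ == "__main__":
    for line in report(find_beaconing_hosts(SAMPLE_LOG)):
        print(line)
```

In practice the only change needed is the `LOG_LINE` pattern, adapted to whatever your resolver emits; the domain check and the grouping are independent of the log source.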

