FireEye, Microsoft find ‘killswitch’ to hamper SolarWinds-related malware

The action highlights the power that tech companies have to throw up road blocks to well-resourced hackers.
FireEye at the 2019 Black Hat conference in Las Vegas. (Greg Otto / CyberScoop)

As the U.S. government works to contain a sprawling hacking campaign that relies on compromised software from SolarWinds, a federal contractor, technology firms are disabling some of the hackers’ key infrastructure.

Cybersecurity giant FireEye on Wednesday said that it had worked with Microsoft and the domain registrar GoDaddy to take over one of the domains that attackers had used to send malicious code to victim machines. The move is no panacea for stopping the suspected state-sponsored hacking campaign, though it could help stem the tide of victims, which reportedly includes the departments of Treasury and Homeland Security.

The seized domain, known as a “killswitch,” will “affect new and previous” infections of the malicious code coming from that particular domain, FireEye said in a statement that was first reported by independent journalist Brian Krebs. “Depending on the IP address returned when the malware resolves avsvmcloud[.]com, under certain conditions, the malware would terminate itself and prevent further execution.”

The killswitch will make it harder for the attackers to use the malware, known as SUNBURST, that they have already deployed. FireEye warned, though, that hackers still have other means of retaining access to networks. “[I]n the intrusions FireEye has seen, this actor moved quickly to establish additional persistent mechanisms to access to victim networks beyond the SUNBURST backdoor.”
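The article says the backdoor decides whether to keep running based on the address returned when it resolves avsvmcloud[.]com, but it does not give the exact conditions, so a defender cannot reproduce that logic from this page. What a security team can do right away is search its DNS logs for any lookup of that domain or its subdomains and record which internal hosts made them and what answer they received. The following is an added example written for this page, not code from FireEye, Microsoft or the article; the log line format and every sample line, client address, subdomain label and answer in it are constructed for illustration.

```python
import re
from collections import defaultdict

# The domain named in the article. Comparison is done on the
# registrable domain so that any subdomain label is caught.
KILLSWITCH_DOMAIN = "avsvmcloud.com"

# Constructed resolver log format (hypothetical): timestamp, client,
# query name, record type and an optional answer.
LOG_LINE = re.compile(
    r"^(?P<ts>\S+)\s+client=(?P<client>\S+)\s+query=(?P<qname>\S+)"
    r"\s+type=(?P<qtype>\S+)(?:\s+answer=(?P<answer>\S+))?$"
)

# Constructed sample lines: two hosts querying subdomains, one host
# querying the apex with no answer, and a look-alike domain that must
# not match. Addresses are documentation ranges, not real infrastructure.
SAMPLE_LOG = """\
2020-12-16T08:01:12Z client=10.0.5.21 query=www.example.org type=A answer=203.0.113.10
2020-12-16T08:01:15Z client=10.0.5.21 query=xyz123.avsvmcloud.com type=A answer=198.51.100.7
2020-12-16T08:02:40Z client=10.0.7.3 query=abc456.avsvmcloud.com. type=A answer=198.51.100.7
2020-12-16T08:03:02Z client=10.0.7.3 query=notavsvmcloud.com type=A answer=192.0.2.44
2020-12-16T08:04:19Z client=10.0.9.8 query=AVSVMCLOUD.COM type=A
"""


def is_killswitch_lookup(qname):
    """True if qname is the killswitch domain or any subdomain of it.

    Names are lower-cased and a trailing dot (fully qualified form) is
    stripped, so 'ABC.avsvmcloud.com.' matches while 'notavsvmcloud.com'
    (a different registrable domain) does not.
    """
    name = qname.lower().rstrip(".")
    return name == KILLSWITCH_DOMAIN or name.endswith("." + KILLSWITCH_DOMAIN)


def find_killswitch_lookups(log_text):
    """Return one dict per matching log line; malformed lines are skipped."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_LINE.match(line)
        if not m or not is_killswitch_lookup(m.group("qname")):
            continue
        hits.append({
            "ts": m.group("ts"),
            "client": m.group("client"),
            "qname": m.group("qname"),
            "answer": m.group("answer") or "(no answer)",
        })
    return hits


def hosts_by_answer(hits):
    """Group querying hosts by the address the resolver handed back.

    The article says the backdoor's behaviour depends on that answer, so an
    analyst wants to see which hosts received which address, without this
    script pretending to know the termination conditions.
    """
    groups = defaultdict(set)
    for h in hits:
        groups[h["answer"]].add(h["client"])
    return {answer: sorted(clients) for answer, clients in groups.items()}


if __name__ == "__main__":
    found = find_killswitch_lookups(SAMPLE_LOG)
    for h in found:
        print(f"{h['ts']} {h['client']} -> {h['qname']} answer={h['answer']}")
    print("hosts grouped by returned address:", hosts_by_answer(found))
```

Every host this flags was running something that asked for the domain, which is the useful fact for triage regardless of what the backdoor did with the answer; the article's point that the attackers established other persistence means a flagged host still needs a full investigation rather than only a check for whether the implant stopped.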

The FBI is investigating the compromise of SolarWinds’ software updates, which the Washington Post has linked with a Russian intelligence service. SolarWinds’ software is used throughout Fortune 500 companies, and in critical sectors such as electricity. The network monitoring vendor said in a Securities and Exchange Commission filing on Monday that the number of public and private customers with its vulnerable software installed was “fewer than 18,000,” without giving an exact figure.

Alex Stamos, Facebook’s former security chief, pointed out the hard work ahead for many security teams in corporate and government environments.

The killswitch action highlights the power that major technology companies have to throw up roadblocks to well-resourced hackers, and follows Microsoft and other firms’ attempt to disrupt a powerful botnet in October. Perhaps the most famous use of a killswitch during a malicious cyber campaign came during the 2017 WannaCry ransomware outbreak, when security researcher Marcus Hutchins registered a web domain found in the ransomware’s code, helping stop the spread of the global computer virus.

Written by Sean Lyngaas

Sean Lyngaas is CyberScoop’s Senior Reporter covering the Department of Homeland Security and Congress. He was previously a freelance journalist in West Africa, where he covered everything from a presidential election in Ghana to military mutinies in Ivory Coast for The New York Times. Lyngaas’ reporting also has appeared in The Washington Post, The Economist and the BBC, among other outlets. His investigation of cybersecurity issues in the nuclear sector, backed by a grant from the Pulitzer Center on Crisis Reporting, won plaudits from industrial security experts. He was previously a reporter with Federal Computer Week and, before that, with Smart Grid Today. Sean earned a B.A. in public policy from Duke University and an M.A. in International Relations from The Fletcher School of Law and Diplomacy at Tufts University.