Threat Intelligence Tarot
cups · 12
Russia (SVR-linked)
risk 5/5
The Supply Chain Reader
SilverFish
TEMP.Isotope
Targets: SolarWinds victims · US federal agencies · European government · Energy sector
Active since ~2020 · Post-SolarWinds exploitation, Secondary supply chain access, Western government espionage
While UNC2452 deployed SUNBURST through the SolarWinds update, SilverFish was inside SolarWinds itself - monitoring the build environment, reading victim data as it flowed through the supply chain, watching 4,700 organizations from a single vantage point inside the update pipeline.
Tactics & Techniques
RCN · RDV · INI · EXC · PRS · PRV · EVA · CRD · DSC · LAT · COL · C2 · EXF · IMP
  • T1078 Valid Accounts (Persistence)
  • T1550.001 Application Access Token (Lateral Movement)
  • T1213 Data from Information Repositories (Collection)
  • T1070 Indicator Removal (Defense Evasion)
Notable Operations
  • Secondary exploitation of SolarWinds victim networks (2020–2021)
  • SUNSPOT implant on SolarWinds build system
  • Access to 4,700+ victim environments at peak
  • Coordinated with UNC2452 SolarWinds operations
Defenses
  • Software build pipeline integrity monitoring and signing
    NIST CSF: ID.SC
  • OAuth token audit and conditional access enforcement
    CIS Control 6
  • Privileged identity management for build and deployment systems
    CIS Control 5
  • Zero-trust lateral movement controls for cloud environments
    CISA Zero Trust Maturity
Reversed: Their Weakness
The SolarWinds compromise's discovery triggered one of the most extensive threat-hunting operations in corporate history - while SilverFish had exceptional access, the forensic response it triggered permanently hardened software supply chain practices industry-wide.

Data sourced from MITRE ATT&CK. For educational purposes.