The Return on Investment for SUNBURST

Thu, Dec 24, 2020 4-minute read

In Microsoft’s analysis of the SUNBURST/Solarigate backdoor embedded in SolarWinds’ Orion, they estimate it contains about 4,000 lines of code. What did that cost to build? What does that tell us about the threat actors?

This is just a bit of navel gazing on my part…

An essay by David A. Wheeler estimated that Red Hat 7.1’s 30 million lines of source code would have cost USD1.08 billion to build (based on year-2000 average software developer salaries). That’s about USD36 per line of code in year-2000 dollars; USD36 is a fully loaded cost that includes administrative overhead and the other expenses attached to employing a developer and making them productive. In 2000, the average developer salary was reported to be USD56,286; adjusting to the 2020 average developer salary of USD103,620 is an increase of 84%, which brings the cost to about USD66 per line. Admittedly, pay scales and accounting practices for a national intelligence function are different from what we know in the corporate world, but you still have to pay your people something reasonable and you still have to explain your expenses to defense appropriations committees. The numbers are also US-based averages and will be different in other parts of the world. Regardless, they’re numbers I can work with in the absence of anything better.

That puts the cost of SUNBURST at at least USD266,000. I say at least because there are also infrastructure costs, support functions, operators and intelligence analysts. There’s also the cost of getting into SolarWinds in the first place. It also doesn’t factor in the cost of TEARDROP, the second stage of the attack that was downloaded by SUNBURST. Even if you multiplied the cost by ten to account for all of that and called it USD2.6 million, it’s still a pretty good rate of return when you consider it got the threat actors into at least 40 organizations (per Microsoft), at a cost of about USD65,000 per organization. Compared with the cost of significant munitions like missiles, that’s in line with military spending. What did this campaign actually net the threat actors? Nobody who knows is saying, but I bet this was money well invested. Would organized crime have spent money like this when there are cheaper black-market alternatives?

However, pricing a strategic objective for a national intelligence function is not something I know how to do; but if the objective was important to the threat actors, then the money spent to achieve it delivered value to them. If SUNBURST did produce the desired return, then think about the following: (1) Would the threat actor need to or want to monetize this capability? (2) Why were they willing to go after FireEye and risk making an “unforced error” that led to their detection? On the first question, I doubt the code will be monetized (although the approach will probably be copied). I doubt that for three reasons: (i) national intelligence functions usually don’t sell their tools; sometimes there’s cross-pollination to other related threat actor groups, but it’s not frequent; (ii) the command and control infrastructure has been burned and, as far as we know right now, the code doesn’t phone home anywhere else for instructions, so it’s not useful as a turnkey solution; and (iii) SUNBURST has been exposed and technical indicators to detect it are widely deployed, so it’s not usable unless the target is completely oblivious to the situation and doesn’t run defenses that get signature updates. On the second question, why did they go after FireEye, which led to them being detected? Maybe the threat actor had achieved their mission and wanted to test themselves, or show up one of the premier threat intelligence and incident response companies. Whatever the reason, it was likely at the end of a very stealthy campaign and this was just bonus points.

TL;DR: The threat actor probably got a solid return on their investment and probably won’t be selling their tooling. Hacking FireEye was probably not the main objective given the investment made. This probably wasn’t a financially motivated threat actor.