Basic DNS filtering neuters this malware.
Regardless of whether Orion can reach the Internet, if SUNBURST can't resolve the top-level domain used for C2, it deactivates. Much like WannaCry from three years ago. The C2 domain has been marked as malware by most threat intel providers for some time.
These are basic controls even 10-employee SMBs have in place today. Unless they're lazy and ignorant.
Edit: working on confirming a report that FEYE's Orion simply had a stored password to an Amazon S3 bucket where FireEye's tools were sitting. Hacking an unsecured S3 bucket = 15-year-old script kiddie stuff, not nation-state level hacking.
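The DNS-filtering control the post describes, as an added example that is not part of the original post: a resolver-side blocklist check that refuses a C2 domain and every subdomain under it (the implant's beacons use generated subdomains), run over a few constructed query-log lines. The domain names, log format and client addresses are placeholders, not the real indicators.

```python
"""Flag DNS queries for a blocklisted C2 domain on label boundaries.

Added example; the blocklist, log format and addresses are constructed
placeholders, not real SUNBURST indicators.
"""
import re
from typing import Iterable

# Constructed blocklist: registered domains the resolver should refuse.
BLOCKLIST = {"c2-placeholder.example", "bad-cdn.test"}

# Constructed log format: "<ts> client <ip> query: <qname> IN <qtype>"
LOG_RE = re.compile(r"client (?P<ip>[\d.]+) query: (?P<qname>\S+) IN (?P<qtype>\w+)")


def is_blocked(qname: str, blocklist: set = BLOCKLIST) -> bool:
    """True if qname equals a blocklisted domain or is a subdomain of one.

    Matching walks label suffixes, so 'notbad-cdn.test' does not match
    'bad-cdn.test' while 'x.y.bad-cdn.test' does.
    """
    labels = qname.rstrip(".").lower().split(".")
    return any(".".join(labels[i:]) in blocklist for i in range(len(labels)))


def flag_queries(lines: Iterable[str], blocklist: set = BLOCKLIST) -> list:
    """Return (client_ip, qname) for every logged query the filter refuses."""
    hits = []
    for line in lines:
        m = LOG_RE.search(line)
        if m and is_blocked(m["qname"], blocklist):
            hits.append((m["ip"], m["qname"].rstrip(".").lower()))
    return hits


# Constructed sample log: one benign lookup, one look-alike, two beacons.
SAMPLE_LOG = [
    "2020-12-14T10:00:01 client 10.0.0.5 query: updates.vendor.example. IN A",
    "2020-12-14T10:00:02 client 10.0.0.5 query: notbad-cdn.test. IN A",
    "2020-12-14T10:00:03 client 10.0.0.9 query: 7sz3k.api.c2-placeholder.example. IN A",
    "2020-12-14T10:00:04 client 10.0.0.9 query: q1x.bad-cdn.test. IN CNAME",
]

if __name__ == "__main__":
    for ip, name in flag_queries(SAMPLE_LOG):
        print(f"blocked {name} from {ip}")
```

A host that repeatedly appears in the flagged list after the filter is in place is the one to pull for investigation, since the blocked lookup is exactly the attempt the post says stops the implant.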