December 13, 2020. A date that will forever live in cybersecurity infamy.
It had started quietly five days earlier. On December 8, FireEye, one of the world's most respected cybersecurity firms, announced that it had been breached and that the attackers had stolen its "red team" tools, the same tools FireEye uses to test its clients' defenses. This was like learning that the locksmith had been robbed of his master key set.
But that was only the tip of the iceberg.
Over the following days and weeks, a horrifying picture emerged. The same attackers had compromised SolarWinds, a Texas-based IT management software company. Through SolarWinds' own build process, they had inserted a backdoor into a legitimate, digitally signed software update. According to SolarWinds' filing with the SEC, up to roughly 18,000 organizations worldwide had installed a poisoned version, including multiple departments of the United States government.
The SolarWinds attack (the backdoor was named SUNBURST by FireEye, and the intrusion set behind it was tracked as UNC2452) is widely considered one of the most sophisticated and impactful supply chain cyberattacks in history. It exposed a fundamental vulnerability in our global digital infrastructure: the blind trust we place in signed software updates.
This comprehensive guide will walk you through every aspect of the SolarWinds attack — from its technical execution to its geopolitical implications, from the victims to the lessons learned. By the end, you will understand why security professionals call this "the breach that rewrote the rulebook."
---
WHAT WAS SOLARWINDS?
Understanding the Target
Before we dissect the attack, we must understand the company at its center.
Company Background
SolarWinds was founded in 1999 in Tulsa, Oklahoma, and later moved its headquarters to Austin, Texas. Over two decades it grew into a global software company with, by its own count, more than 300,000 customers, about 33,000 of whom used the Orion Platform. Its marketing at the time of the attack (since removed from its website) listed a client base that read like a who's who of global enterprise and government:
- 99 of the Fortune 100 companies
- All 10 of the world's top telecommunications companies
- All 5 branches of the U.S. military
- The Pentagon
- The State Department
- The White House
- NASA
- Major financial institutions, universities, and healthcare providers
---
The Orion Platform
SolarWinds' crown jewel was the Orion Platform — an IT performance monitoring and management system. Orion helps network administrators see what is happening across their entire infrastructure: servers, routers, switches, applications, and cloud services.
Here is why Orion was such an attractive target:
Orion is not installed on domain controllers, but an Orion server is usually as powerful as one. To poll every device it monitors, it holds privileged credentials: domain accounts, SNMP community strings, SSH and database passwords, cloud API keys. Network policy lets it talk to everything, because that is its job. And SolarWinds' own documentation asked customers to exclude the Orion directories from antivirus scanning to avoid performance problems.
Compromise Orion and you inherit that reach and those credentials. In many networks, that is effectively the whole estate.
---
THE ATTACKERS
Who Was Behind SolarWinds?
The cybersecurity community quickly attributed the SolarWinds attack to a Russian state-sponsored hacking group. Different security firms track it under different names, and some of those names have since changed:
- APT29 (Mandiant/FireEye), the name into which Mandiant later merged its UNC2452 cluster
- Cozy Bear and The Dukes (CrowdStrike and others)
- UNC2452 (FireEye's initial tracking name for the then-unattributed intrusion set)
- Nobelium (Microsoft), renamed Midnight Blizzard in Microsoft's 2023 naming scheme
---
Profile of APT29
APT29 is widely believed to operate under the auspices of the Russian Foreign Intelligence Service (SVR), the successor to the KGB's foreign intelligence branch. Key characteristics of this group include:
Extreme patience: APT29 is known for long-term, carefully planned operations. The SolarWinds compromise was no exception. The attackers were inside SolarWinds' environment from September 2019, the trojanized updates reached customers from March 2020, and nothing was discovered until December 2020, roughly nine months after the first poisoned release shipped.
Operational security: The group meticulously covered their tracks, using encrypted communications, living-off-the-land techniques (using existing system tools rather than installing malware), and careful data exfiltration.
Target selection: APT29 does not spray and pray. They carefully select high-value targets for espionage objectives.
Prior activities: Before SolarWinds, APT29 was known for the 2016 Democratic National Committee (DNC) breach and the 2017 attack on the Norwegian Labour Party.
---
Motivation: Espionage, Not Destruction
Crucially, the SolarWinds attack was an espionage operation, not a destructive one. The attackers were not interested in deleting data or deploying ransomware. They wanted to steal secrets — intelligence, diplomatic communications, internal planning documents, and technical research.
This made the attack harder to detect. Destructive attacks leave obvious wreckage. Espionage, by design, leaves almost no trace.
---
THE ATTACK TIMELINE
A Step-by-Step Breakdown
The SolarWinds attack unfolded over more than a year. Here is the timeline as reconstructed from the public investigations by SolarWinds, CrowdStrike, FireEye and Microsoft.
---
Phase 1: Initial Access (September 2019)
SolarWinds' investigation dated the earliest evidence of attacker activity in its environment to September 4, 2019. How the attackers got in was never established publicly; the company's CEO later cited three working hypotheses: a compromised credential, password spraying or brute force, or a zero-day in a third-party application. No evidence of earlier reconnaissance has been published.
---
Phase 2: Reaching the Build Environment (September - November 2019)
From that foothold, the attackers moved laterally toward the crown jewel: the Orion build servers. In September 2019 they injected a harmless test modification into an Orion build to prove that code inserted at compile time would survive the pipeline and come out signed. The trial ended in November 2019, and the real backdoor followed.
---
Phase 3: Building the Backdoor (Late 2019 - February 2020)
The attackers did not commit malicious code to SolarWinds' source repository, where a reviewer might have noticed it. Instead they planted a tool on the build server (named SUNSPOT by CrowdStrike) that watched for MSBuild compiling the Orion solution. When a build started, SUNSPOT swapped one source file, InventoryManager.cs, for a backdoored copy, let the compiler read it, then restored the original. The output was compiled and signed with SolarWinds' legitimate code-signing certificate exactly like every other build.
The backdoor therefore lived inside SolarWinds.Orion.Core.BusinessLayer.dll, a real, long-standing Orion component, rather than in a new file that an inventory might have flagged. The malicious class was named OrionImprovementBusinessLayer, after the legitimate Orion Improvement Program, so it blended in with hundreds of legitimate classes.
This backdoor, dubbed SUNBURST by FireEye, was designed to:
1. Stay dormant for a random period of up to about two weeks after installation
2. Check in over DNS to a single command-and-control domain, avsvmcloud[.]com, that looked like a cloud-hosted SolarWinds service rather than anything obviously malicious
3. Disguise its follow-on HTTP traffic as Orion Improvement Program telemetry
4. Download additional payloads only on the victims the attackers selected
---
Phase 4: Distribution (March - June 2020)
SUNBURST was first compiled into an Orion build on February 20, 2020. Between March and June 2020, SolarWinds shipped it to customers in Orion Platform 2019.4 HF5, 2020.2 (with no hotfix) and 2020.2 HF1. On June 4, 2020 the attackers removed SUNSPOT from the build environment; the trojanized releases were already in the wild.
The updates were signed with SolarWinds' valid certificate, and SolarWinds' own documentation advised customers to exclude the Orion directories from antivirus scanning, so security tools had neither a reason nor an opportunity to object. Up to roughly 18,000 customers downloaded and installed a poisoned version, according to SolarWinds' filing with the SEC.
---
Phase 5: Selective Activation (March - June 2020)
The SUNBURST backdoor did not go further on every victim. Each infected host checked in over DNS with its organization's domain name encoded in the query, and the attackers decided, on their side, which of those organizations deserved a second stage. Everyone else was simply left idle.
The U.S. government later put the number that received follow-on activity at nine federal agencies and about 100 private companies; Microsoft identified roughly 40 among its own customers. The second stage was a loader, TEARDROP (named by FireEye) or RAINDROP (named by Symantec), that delivered a Cobalt Strike Beacon implant.
These second-stage victims were the true targets: government agencies, defense contractors, technology companies, and think tanks.
---
Phase 6: Hands-on Intrusion and Data Theft (June - December 2020)
Throughout the summer and fall of 2020, the attackers quietly worked through the selected targets. FireEye and Microsoft documented tradecraft designed to evade detection:
- Dedicated command-and-control infrastructure for each victim, with IP addresses in the victim's own country, so no two intrusions shared an indicator
- Temporary file replacement: copying a legitimate utility aside, dropping a tool under its name, running it, then restoring the original
- Temporary task modification: rewriting an existing scheduled task to launch their tool, then putting it back
- Lateral movement with different credentials from those used for remote access, so one stolen account did not tie the whole intrusion together
- Forged SAML tokens and credentials added to existing OAuth applications, giving access to Microsoft 365 mailboxes that never shows up as a login on any on-premises system
---
Phase 7: Discovery (December 2020)
In late November 2020, FireEye's security team noticed that a second device had been enrolled for multi-factor authentication on an employee's account, a step the employee had not taken. Pulling that thread led investigators, over the following days, to a foothold in their own network and finally to the trojanized Orion DLL.
On December 8, FireEye disclosed its breach and the theft of its red team tools. On December 13 it published its analysis of SUNBURST and named SolarWinds Orion as the delivery vehicle; SolarWinds issued its advisory the same day and filed an 8-K with the SEC on December 14.
The cybersecurity world erupted.
---
TECHNICAL DEEP DIVE
How SUNBURST Actually Worked
Non-technical readers may skip this section, but for security professionals, the technical sophistication of SUNBURST is breathtaking.
---
The Backdoor: SUNBURST
SUNBURST was not a typical malware. It was a masterpiece of evasion.
Dormancy and environment checks: After the backdoored DLL loads inside the Orion service, SUNBURST waits a random period of up to about two weeks before doing anything, long enough to outlast any sandbox. It then refuses to run if the machine is not domain-joined, if the domain name matches SolarWinds' own or test-lab naming, if processes, services or drivers belonging to security and analysis tools are present (checked by comparing hashed names against a built-in list, so the tool names are not visible in the binary), or if api.solarwinds.com does not resolve, which would suggest an isolated analysis network.
DNS beacon, not a date-based DGA: SUNBURST does not generate domains from the date. It encodes the victim's Active Directory domain name and a per-host identifier into the subdomain labels of a DNS query under avsvmcloud[.]com. Each query therefore tells the attackers exactly which organization is calling home, before any HTTP connection is made.
Server-side victim selection: The attackers' DNS server answered most queries with an uninteresting A record. For the victims they wanted, it returned a CNAME pointing at a stage-two HTTPS command-and-control host. An A record inside certain private and reserved ranges told the backdoor to shut down permanently; FireEye, Microsoft and GoDaddy later used exactly that behaviour as a kill switch by sinkholing the domain.
Network traffic camouflage: Stage-two communication was HTTPS to the CNAME target, shaped to look like telemetry from the Orion Improvement Program (OIP), the legitimate feature that reports usage data to SolarWinds. Commands and results were hidden inside bodies that resembled ordinary .NET XML and JSON payloads.
Command set: Once active, SUNBURST could enumerate processes, services and drivers, read and write registry keys and files, reboot the host, and run arbitrary commands. That last capability is how the second stage was delivered.
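As an added example (not code from this article, and not from any FireEye, Microsoft or SolarWinds analysis), here is detection logic a SOC could run over DNS resolver logs to find SUNBURST-style beacons. It flags long, high-entropy leftmost labels under avsvmcloud.com, reads a CNAME answer as evidence that the host was selected for stage two, and reads an A record inside the ranges that told the backdoor to stop (private space plus the 20.140.0.0/15 block the 2020 sinkhole answered with) as a dormant or sinkholed beacon. The log format, client addresses, sample labels and the stage-two hostname are constructed for the demo; the length and entropy thresholds are tuning assumptions.

```python
"""Detection logic for SUNBURST-style DNS beacons, run over constructed resolver log lines."""
import ipaddress
import math
import re
from collections import Counter
from dataclasses import dataclass

# Stage-one C2 apex documented in FireEye's SUNBURST report. The leftmost label of
# each query carried an encoding of the victim's AD domain name.
C2_APEX = "avsvmcloud.com"

# A-record answers inside these ranges told the backdoor to stop. Private space is
# documented behaviour; 20.140.0.0/15 is the block the 2020 sinkhole answered with.
# The list is illustrative, not the backdoor's full table.
DORMANT_RANGES = [ipaddress.ip_network(n) for n in
                  ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "20.140.0.0/15")]

# Constructed log format: "<ts> <client> <qname> <rtype> <answer>", one record per line.
LOG_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<client>\S+)\s+(?P<qname>\S+)\s+"
                    r"(?P<rtype>A|CNAME)\s+(?P<answer>\S+)$")


@dataclass
class Finding:
    ts: str
    client: str
    qname: str
    verdict: str  # "beacon", "selected_for_stage2" or "dormant_or_sinkholed"


def shannon_entropy(label: str) -> float:
    """Bits per character; encoded victim labels score well above dictionary words."""
    n = len(label)
    return -sum(c / n * math.log2(c / n) for c in Counter(label).values())


def looks_like_beacon(qname: str, min_len: int = 15, min_entropy: float = 3.0) -> bool:
    """Long, high-entropy leftmost label under the C2 apex. Thresholds are assumptions."""
    if not qname.lower().endswith("." + C2_APEX):
        return False
    first = qname.split(".")[0]
    return len(first) >= min_len and shannon_entropy(first) >= min_entropy


def classify(rtype: str, answer: str) -> str:
    """Interpret the attacker's reply the way the backdoor did."""
    if rtype == "CNAME":
        return "selected_for_stage2"   # redirected to a stage-two C2 host
    try:
        ip = ipaddress.ip_address(answer)
    except ValueError:
        return "beacon"                 # malformed or empty answer field
    if any(ip in net for net in DORMANT_RANGES):
        return "dormant_or_sinkholed"   # the backdoor shuts down on this answer
    return "beacon"                     # alive, not (yet) selected


def scan(lines):
    """Return one Finding per log line that matches the beacon pattern."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line.strip())
        if m and looks_like_beacon(m["qname"]):
            findings.append(Finding(m["ts"], m["client"], m["qname"],
                                    classify(m["rtype"], m["answer"])))
    return findings


# Constructed sample log: labels, client addresses and the stage-two hostname are made up.
SAMPLE_LOG = """\
2020-06-11T09:14:02Z 10.20.5.17 7sbvaemscs0mc925tb99.appsync-api.us-west-2.avsvmcloud.com A 203.0.113.7
2020-06-11T09:14:03Z 10.20.5.17 7sbvaemscs0mc925tb99.appsync-api.us-west-2.avsvmcloud.com CNAME stage2.example.net
2020-06-11T09:15:40Z 10.20.5.44 gq1h856599gqh538acqn.appsync-api.eu-west-1.avsvmcloud.com A 20.140.12.9
2020-06-11T09:16:01Z 10.20.5.44 api.solarwinds.com A 203.0.113.80
2020-06-11T09:17:22Z 10.20.7.3 www.example.com A 93.184.216.34
"""

if __name__ == "__main__":
    for f in scan(SAMPLE_LOG.splitlines()):
        print(f"{f.ts} {f.client} {f.verdict:22} {f.qname}")
```

The query to api.solarwinds.com is deliberately left unflagged: SUNBURST resolved it as a sanity check before activating, so it is expected traffic from an Orion server and only the avsvmcloud.com lookups are anomalous. In production the apex-domain match alone is enough to page someone; the entropy test matters for catching the same pattern under a domain you have not seen before.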
---
The Second Stage: TEARDROP
For victims selected for deeper compromise, the attackers used SUNBURST to drop TEARDROP (or, in other cases, a similar loader that Symantec named RAINDROP). TEARDROP was a memory-only dropper: it ran as a Windows service DLL, read a file carrying a decoy .jpg extension, decoded the payload embedded in it, and executed a customized Cobalt Strike Beacon directly in memory.
Key characteristics of TEARDROP:
- The loader sat on disk, but the Beacon payload it carried never did, so disk forensics found a small, unremarkable file and nothing else.
- The embedded payload was obfuscated with a custom encoding, and the Beacon build was customized so that neither matched off-the-shelf signatures.
- Beacon, not TEARDROP itself, supplied the capabilities for the hands-on phase: command execution, credential access and lateral movement.
---
The Third Stage: Manual Activity
Once Beacon was running, the attackers moved manually. This is sometimes called "keyboard time": a human operator was issuing commands on the compromised system.
They favoured legitimate administrative tooling and stolen credentials over malware (a strategy called "living off the land"):
- PowerShell and built-in Windows commands for reconnaissance
- RDP (Remote Desktop Protocol) and WMI (Windows Management Instrumentation) for moving to other hosts and executing commands
- Credentials stolen from memory, files and password vaults, then used from a different account than the one used for remote access
- Forged SAML tokens, minted with a stolen AD FS token-signing certificate, to reach Microsoft 365 mailboxes and cloud resources without going through the on-premises identity provider
- Credentials added to existing OAuth applications and service principals in Azure AD for long-lived API access to mail
This made detection extremely difficult because much of the activity was not malware at all. It was the same tools, and the same sign-in paths, that system administrators use daily.
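One documented post-compromise technique in this campaign was forging SAML tokens with a stolen AD FS token-signing certificate (often called "Golden SAML"), which lets an attacker sign in to Microsoft 365 as any user without AD FS ever seeing a request. The check below is an added example, not code from this article or from any vendor. It correlates cloud sign-ins that claim to be federated through AD FS against AD FS's own token-issuance audit events (Event ID 1200, "The Federation Service issued a valid token") and flags sign-ins with no matching issuance, or with a token lifetime longer than the federation server would grant. The record layouts, user names, timestamps, the five-minute correlation window and the one-hour lifetime limit are constructed assumptions; real logs need their fields mapped onto these.

```python
"""Golden SAML detection: federated cloud sign-ins that AD FS never issued a token for."""
from datetime import datetime, timedelta

ADFS_TOKEN_ISSUED = 1200  # AD FS audit event: "The Federation Service issued a valid token"


def parse_ts(value: str) -> datetime:
    """ISO-8601 with a trailing Z, as exported from most log pipelines."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def find_forged_saml(adfs_events, cloud_signins,
                     window=timedelta(minutes=5),
                     max_lifetime=timedelta(hours=1)):
    """Return federated sign-ins that lack a matching AD FS issuance event
    or carry a token lifetime longer than the federation server would grant."""
    issued = [(e["user"].lower(), parse_ts(e["time"]))
              for e in adfs_events if e["event_id"] == ADFS_TOKEN_ISSUED]
    suspicious = []
    for s in cloud_signins:
        if s["issuer"] != "adfs":      # only federated tokens can be cross-checked this way
            continue
        user = s["user"].lower()
        seen_at = parse_ts(s["time"])
        reasons = []
        # A genuine federated sign-in is preceded, shortly before, by AD FS issuing the token.
        if not any(u == user and timedelta(0) <= seen_at - t <= window for u, t in issued):
            reasons.append("no_adfs_issuance")
        lifetime = parse_ts(s["token_expires"]) - parse_ts(s["token_issued"])
        if lifetime > max_lifetime:
            reasons.append("excessive_lifetime")
        if reasons:
            suspicious.append({"user": user, "time": s["time"], "reasons": reasons})
    return suspicious


# Constructed sample data. Users, times and lifetimes are invented for the demo.
SAMPLE_ADFS_EVENTS = [
    {"event_id": 1202, "time": "2020-09-14T13:02:10Z", "user": "jdoe@corp.example"},
    {"event_id": 1200, "time": "2020-09-14T13:02:11Z", "user": "jdoe@corp.example"},
]
SAMPLE_CLOUD_SIGNINS = [
    # Legitimate: AD FS issued a token two seconds earlier, one-hour lifetime.
    {"user": "jdoe@corp.example", "issuer": "adfs", "time": "2020-09-14T13:02:13Z",
     "token_issued": "2020-09-14T13:02:11Z", "token_expires": "2020-09-14T14:02:11Z"},
    # Forged: no AD FS event at all, 24-hour lifetime, privileged mailbox, 03:41 local.
    {"user": "svc-exchange-admin@corp.example", "issuer": "adfs", "time": "2020-09-14T03:41:50Z",
     "token_issued": "2020-09-14T03:41:00Z", "token_expires": "2020-09-15T03:41:00Z"},
    # Cloud-native (password plus MFA) sign-in: not federated, so outside this check.
    {"user": "asmith@corp.example", "issuer": "aad", "time": "2020-09-14T09:00:00Z",
     "token_issued": "2020-09-14T09:00:00Z", "token_expires": "2020-09-14T10:00:00Z"},
]

if __name__ == "__main__":
    for hit in find_forged_saml(SAMPLE_ADFS_EVENTS, SAMPLE_CLOUD_SIGNINS):
        print(hit)
```

The correlation only works if AD FS auditing is actually enabled and shipped off the federation server; an attacker who has stolen the signing certificate has usually had administrative access to that server too, which is why the events need to leave it in near real time. The lifetime check is the cheaper signal: a forged token can carry any expiry the attacker likes, and a real federation server issues short ones.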
---
THE VICTIMS
Who Was Affected?
The full victim list of the SolarWinds attack has never been completely disclosed. However, public reporting has identified dozens of high-profile victims.
---
U.S. Government Agencies
The White House later put the number of compromised federal agencies at nine. Those publicly identified include:
- Department of Homeland Security (DHS), including its cybersecurity components
- Department of the Treasury
- Department of Commerce, including the National Telecommunications and Information Administration (NTIA)
- Department of State, on unclassified networks
- Department of Energy, including the National Nuclear Security Administration (NNSA), which reported that the intrusion was confined to business networks
- Department of Justice, which reported that about 3 percent of its Microsoft 365 mailboxes were accessed
- Department of Health and Human Services, through the National Institutes of Health (NIH)
Outside that count, the Administrative Office of the U.S. Courts reported an apparent compromise of the federal judiciary's electronic case filing system, which holds sealed documents. No evidence has been published that any classified network was breached.
---
Technology Companies
Beyond FireEye and Microsoft, whose own investigations are public, most corporate victims are known only from press reporting. Microsoft confirmed that the attackers viewed source code in a small number of its repositories and downloaded some of it, but found no access to production systems or customer data. Reporters at the Wall Street Journal identified further companies by matching the backdoor's encoded DNS beacons against passive DNS records. That method shows the backdoor was installed and calling home, not that the attackers chose to go further. Companies identified that way include:
- Cisco
- Intel
- Nvidia
- VMware
- Belkin
- Deloitte
- Cox Communications
---
Other Notable Victims
- Kent State University and other universities and research institutions, identified by the same DNS method
- The California Department of State Hospitals
- Think tanks and government contractors named in Microsoft's and FireEye's reporting without being identified
A full list of the organizations that installed a poisoned update has never been published.
---
What Was Stolen?
The exact scope of stolen data has never been published. Based on public reporting, the attackers accessed:
- Unclassified email at several federal agencies, including mailboxes belonging to senior officials at Treasury, Commerce, Justice and DHS
- Source code repositories at Microsoft, viewed and in part downloaded
- FireEye's red team tools, built to emulate real attackers against its clients
- Sealed filings in the federal judiciary's electronic case management system
No public evidence shows that classified networks were reached, and the Department of Energy reported that NNSA mission systems were not affected.
---
WHY SOLARWINDS WAS SO DEVASTATING
Three Factors That Made This Attack Unique
SolarWinds is widely described as a step change in supply chain attack sophistication. Three things set it apart.
---
Factor 1: Trust Exploitation
The entire digital economy runs on trust. We trust that a signed software update from a reputable company is safe. The SolarWinds attack weaponized that trust.
When a system administrator saw that the Orion update was digitally signed by SolarWinds, they installed it without a second thought. The same signature that proved legitimacy also proved to be the attack vector.
This is sometimes called a "trusted adversary" scenario — the attacker operates from within the circle of trust.
---
Factor 2: The Blast Radius
Traditional cyberattacks target one organization at a time. SolarWinds targeted thousands simultaneously.
By compromising a single software vendor, the attackers potentially gained access to over 18,000 organizations. This is the nightmare scenario of supply chain attacks — the "single point of failure" vulnerability multiplied across the entire customer base.
---
Factor 3: Invisibility
Most cyberattacks leave obvious signs: unusual network traffic, new processes, file changes, registry modifications.
The SolarWinds attackers were meticulous about stealth:
- The SUNBURST backdoor ran inside a legitimate, signed Orion process and disguised its traffic as Orion telemetry
- The attackers used legitimate administrative tools and stolen credentials for most of their work
- They used separate infrastructure for each victim, so an indicator from one intrusion found nothing elsewhere
- They put files and scheduled tasks back the way they found them once a tool had run
- They removed SUNSPOT from the build servers once the poisoned releases had shipped
The backdoor went undetected for about nine months after the first trojanized release. Even after detection, investigators struggled to determine the full scope of the compromise.
---
THE RESPONSE
The discovery of the SolarWinds attack triggered an unprecedented response.
Immediate Response (December 2020 - January 2021)
Emergency directive: On December 13, 2020, the day of FireEye's disclosure, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) issued Emergency Directive 21-01, ordering all federal civilian agencies to immediately disconnect or power down affected SolarWinds Orion instances and report back.
Incident response surge: Every major cybersecurity firm mobilized incident response teams. Microsoft alone said it had assigned more than 500 engineers to the investigation.
Government attribution: On January 5, 2021, the FBI, CISA, ODNI and NSA issued a joint statement assessing that the campaign was "likely Russian in origin." Formal attribution to the SVR came on April 15, 2021, together with the sanctions described below.
---
Sanctions and Diplomacy (April 2021)
On April 15, 2021, the Biden administration announced sanctions against Russia in response to SolarWinds and to election interference:
- Expulsion of 10 Russian diplomats
- Sanctions against 32 Russian entities and individuals
- New sanctions against Russian sovereign debt
- Formal attribution of SolarWinds to Russian intelligence
Russia denied any involvement.
---
The Executive Order (May 2021)
On May 12, 2021, President Biden signed Executive Order 14028 on "Improving the Nation's Cybersecurity." This landmark order was directly inspired by SolarWinds:
- Required federal agencies to adopt multi-factor authentication and encryption of data at rest and in transit within 180 days
- Required agencies to plan and begin migrating to zero-trust architectures
- Directed NIST to publish secure software development guidance (which became the Secure Software Development Framework, SSDF) and the minimum elements of a Software Bill of Materials (SBOM), and required vendors selling software to the government to provide SBOMs and attest to secure development practices
- Required IT service providers to the government to report cyber incidents rather than hide behind contract terms
- Established the Cyber Safety Review Board to investigate major incidents
---
THE AFTERMATH
What Happened to SolarWinds?
The company itself suffered catastrophic damage.
Stock price: SolarWinds stock fell roughly 40 percent in the days following disclosure. (The company spun off its MSP business as N-able in July 2021, so later share prices are not directly comparable.)
Reputation damage: Once a trusted name in IT management, SolarWinds became synonymous with one of the worst breaches in history.
Lawsuits: Shareholders filed a class action alleging that SolarWinds had misled investors about its security practices; the company settled it for $26 million in 2022.
SEC enforcement: In October 2023 the Securities and Exchange Commission sued SolarWinds and its chief information security officer, alleging that the company's public statements about its security had been misleading. In July 2024 a federal judge dismissed most of those claims, leaving a narrower case about the security statement on the company's website.
Leadership changes: CEO Kevin Thompson had announced his departure before the breach became public. Sudhakar Ramakrishna took over as CEO on January 4, 2021, with the response as his first job.
Resilience: Despite the damage, SolarWinds survived. It launched a "Secure by Design" program that rebuilt its build environment, and by 2024 it had stabilized its customer base, though the stain of the attack remains.
---
LESSONS LEARNED
What the Cybersecurity Industry Learned
SolarWinds was a wake-up call. Here are the most important lessons.
---
Lesson 1: Trust Must Be Verified
The old model of "trust but verify" is dead. The new model is "never trust, always verify."
Zero trust architecture is no longer optional. Every software update, every vendor connection, every API call must be authenticated, authorized, and encrypted — even if it comes from a trusted source.
---
Lesson 2: The SBOM Is Essential
After SolarWinds, the Software Bill of Materials (SBOM) became a mainstream security tool. An SBOM is a machine-readable list of all components, libraries, and dependencies in a software product.
An SBOM answers the question "what is inside this software?", which is exactly what organizations scrambling to find affected Orion versions, and a year later vulnerable Log4j versions, could not answer quickly. One caveat matters here: the SUNBURST backdoor was compiled into SolarWinds' own first-party DLL, so a conventional SBOM listing Orion's components would have looked correct. An SBOM tells you what a build was supposed to contain. Only build provenance, a signed attestation of which sources and which builder produced the artifact (the model behind frameworks such as SLSA), tells you whether the build itself was tampered with.
---
Lesson 3: Build Security Must Match Runtime Security
Most security spending goes toward protecting running systems (firewalls, EDR, SIEM). But SolarWinds showed that the build environment — where software is compiled — is equally critical.
Securing the software supply chain means:
- Protecting build servers with the same rigor as production servers
- Implementing code signing with hardware security modules
- Requiring multi-party approval for changes to build pipelines
- Continuous monitoring of build processes
---
Lesson 4: Assume Breach
The "assume breach" mindset — accept that attackers may already be inside your network — was validated by SolarWinds.
Instead of focusing entirely on prevention, organizations must also invest in detection and response capabilities. The question is not "if" you will be breached but "when" — and how quickly you can detect and contain the breach.
---
Lesson 5: Supply Chain Risk Is Board-Level Risk
Before SolarWinds, supply chain security was often considered an IT problem. After SolarWinds, it became a board-level risk.
Public companies now regularly disclose supply chain risks in SEC filings. Boards of directors now ask: "What is our exposure to third-party software vendors?"
---
TECHNICAL CONTROLS
How to Protect Your Organization
Based on lessons from SolarWinds, here are specific technical controls every organization should implement.
---
Control 1: Application Allowlisting
Allowlisting (formerly whitelisting) ensures that only approved software can run on your systems. It is worth being precise about what it would and would not have done here. The backdoored DLL was signed by SolarWinds' legitimate certificate, so a publisher-based rule ("anything signed by SolarWinds") would have let it run. Only a hash-based rule, with hashes approved release by release, would have blocked it, and then only until someone approved the new update. Allowlisting still matters because it blocks the unsigned second-stage loaders and the renamed utilities used in the hands-on phase; it is not a substitute for verifying the update itself.
Implementation: Use Windows Defender Application Control (WDAC), AppLocker, or third-party tools.
---
Control 2: Network Segmentation
Orion servers must reach the devices they monitor, but they do not need unrestricted outbound internet, and they should never hold standing access to domain controllers beyond what monitoring requires. Restrict their egress to the SolarWinds update and licensing endpoints you have verified, and log every DNS query they make. A single allowed query to avsvmcloud[.]com would have stood out against a short list of known-good destinations.
Implementation: Segment your network using VLANs, firewalls, and software-defined networking. Place high-value assets in isolated "crown jewel" segments.
---
Control 3: Just-in-Time (JIT) Privilege
No account should hold standing administrative privileges, and no monitoring server should hold standing domain-admin credentials. Instead, use JIT elevation for specific tasks.
Implementation: Use tools like Microsoft Entra Privileged Identity Management (PIM) or CyberArk to grant admin rights only when needed and only for limited durations.
---
Control 4: Behavioral Monitoring
Signature-based detection had nothing to match: the binary was new, validly signed, and excluded from scanning on SolarWinds' own advice. Behavioral monitoring is required.
Implementation: Deploy EDR solutions that look for anomalous behavior: the Orion business-layer process resolving domains outside SolarWinds' own, unexpected child processes of monitoring services, new services loading DLLs with odd names, and scheduled tasks that change and then change back.
---
Control 5: Vendor Security Assessments
Vendor security cannot be a checkbox exercise. It requires continuous assessment.
Implementation: Use vendor risk management platforms (e.g., SecurityScorecard, BitSight, OneTrust) to continuously monitor your third-party vendors for security issues.
---
Control 6: Build Environment Hardening
The SolarWinds build environment was compromised. Yours must be hardened.
Implementation:
- Use hardware security modules (HSMs) for code signing
- Require multiple approvals for build changes
- Monitor build servers for anomalies
- Use ephemeral build environments (created fresh for each build)
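The build-pipeline advice in Lesson 3 and in this control shares one underlying test, so here is a single added example covering both (not code from this article, from SolarWinds, or from CrowdStrike). CrowdStrike's analysis of SUNSPOT described it swapping InventoryManager.cs for a backdoored copy only while MSBuild was reading it, then restoring the original. The simulation below shows why hashing the source tree before and after a build does not catch that, and why rebuilding the same pinned sources on an independent builder and comparing the outputs does. The source files, the "compiler" (which just hashes sources in order) and the swap hook are all constructed stand-ins; the file and class names echo the real component but the contents are placeholders.

```python
"""Why a pre/post-build tree check misses a SUNSPOT-style swap, and why an independent rebuild catches it."""
import hashlib
import pathlib
import shutil
import tempfile

# Constructed stand-ins for a checked-in source tree. Names echo the real Orion
# component; the contents are placeholders, not SolarWinds code.
CLEAN_SOURCES = {
    "BusinessLayerHost.cs": "namespace SolarWinds.Orion.Core.BusinessLayer { class Host { } }\n",
    "InventoryManager.cs": "namespace SolarWinds.Orion.Core.BusinessLayer "
                           "{ class InventoryManager { void Refresh() { } } }\n",
}
# Constructed stand-in for the backdoored file the build-server implant substituted.
BACKDOORED_INVENTORY = CLEAN_SOURCES["InventoryManager.cs"].replace(
    "void Refresh() { }", "void Refresh() { OrionImprovementBusinessLayer.Initialize(); }")


def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def checkout(sources: dict) -> pathlib.Path:
    """Fresh working tree in a temp dir, as a clean builder creates from a pinned commit."""
    root = pathlib.Path(tempfile.mkdtemp(prefix="orion-build-"))
    for name, text in sources.items():
        (root / name).write_text(text, encoding="utf-8")
    return root


def manifest(root: pathlib.Path) -> dict:
    """Per-file hashes of the tree as it sits on disk right now."""
    return {p.name: sha256(p.read_bytes()) for p in sorted(root.iterdir())}


def compile_tree(root: pathlib.Path, hook=lambda path, phase: None) -> str:
    """Toy deterministic compiler: hashes sources in sorted order. `hook` is called
    before and after each read, modelling a process that watches the compiler."""
    h = hashlib.sha256()
    for path in sorted(root.iterdir()):
        hook(path, "before_read")
        h.update(path.name.encode())
        h.update(path.read_bytes())
        hook(path, "after_read")
    return h.hexdigest()


def sunspot_like_swap(target_name: str, payload: str):
    """Replace one source file only while the compiler reads it, then restore it,
    so that any check of the tree before or after the build sees clean code."""
    saved = {}

    def hook(path: pathlib.Path, phase: str):
        if path.name != target_name:
            return
        if phase == "before_read":
            saved["original"] = path.read_text(encoding="utf-8")
            path.write_text(payload, encoding="utf-8")
        else:
            path.write_text(saved["original"], encoding="utf-8")
    return hook


def release_is_reproducible(artifact_hashes) -> bool:
    """Accept a release only if every independent builder produced identical bytes."""
    return len(set(artifact_hashes)) == 1


def demo() -> dict:
    compromised = checkout(CLEAN_SOURCES)
    before = manifest(compromised)
    tainted = compile_tree(compromised,
                           sunspot_like_swap("InventoryManager.cs", BACKDOORED_INVENTORY))
    after = manifest(compromised)
    independent = checkout(CLEAN_SOURCES)      # same pinned sources, separate builder
    clean = compile_tree(independent)
    for d in (compromised, independent):
        shutil.rmtree(d, ignore_errors=True)
    return {
        "tree_hashes_unchanged": before == after,                   # True: no trace on disk
        "artifact_matches_independent_build": tainted == clean,     # False: output differs
        "release_accepted": release_is_reproducible([tainted, clean]),  # False: block it
    }


if __name__ == "__main__":
    for check, result in demo().items():
        print(f"{check}: {result}")
```

The comparison only has teeth if the builders are genuinely independent (separate machines, separate credentials, nobody with access to both) and the real toolchain is deterministic enough that two honest builds produce byte-identical output. That second condition is the engineering cost of reproducible builds, and it is the reason ephemeral, single-use build environments and pinned toolchains belong on the same checklist.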
---
REGULATORY IMPACT
How SolarWinds Changed the Law
The SolarWinds attack triggered a wave of new regulations and proposed legislation.
---
Executive Order 14028
As mentioned above, EO 14028 fundamentally changed federal cybersecurity requirements, including mandatory SBOMs, zero trust adoption, and enhanced supply chain security.
---
SEC Disclosure Rules
In July 2023 the SEC adopted rules, first proposed in 2022, requiring public companies to disclose:
- Material cybersecurity incidents on Form 8-K within four business days of determining that an incident is material
- Their processes for assessing, identifying and managing cybersecurity risk, including risks from third-party service providers
- Management's role in managing that risk and the board's oversight of it
---
State Laws
State legislatures have also taken up requirements for software and services sold to state agencies, in varying forms:
- SBOMs for software sold to state agencies
- Vulnerability disclosure programs
- Breach notification within specific timeframes
---
International Impact
The European Union, United Kingdom, Australia, and Canada all announced reviews of their software supply chain security requirements following SolarWinds.
---
FREQUENTLY ASKED QUESTIONS
---
Q1: Why did the SolarWinds attack go undetected for so long?
A: Several factors contributed: the backdoor shipped inside a validly signed update from a trusted vendor, it ran inside Orion's own process and disguised its traffic as Orion telemetry, the attackers used legitimate tools and stolen credentials rather than malware for most of their work, and they restored anything they had changed once a tool had run. The attack was designed from the ground up for stealth, not speed.
---
Q2: Could SolarWinds have prevented the attack?
A: With perfect hindsight, yes. Against the practices common in 2019-2020, it would have taken an unusually well-defended build pipeline. Few vendors at the time treated build servers as production-critical, and in that sense SolarWinds was not uniquely negligent; the SEC did, however, allege in 2023 that the company's public statements about its security overstated its practices, and a court dismissed most of that case in 2024. The attack exposed industry-wide weaknesses in how software is built and shipped, not only SolarWinds-specific failures.
---
Q3: Was my data stolen in SolarWinds?
A: If you are a private individual, unlikely. The attack targeted government and enterprise secrets. However, if you work for a government agency or large technology company that used SolarWinds, you should check with your IT department.
---
Q4: Is SolarWinds software safe to use now?
A: SolarWinds rebuilt its build and release process under a program it calls "Secure by Design," including parallel independent builds whose outputs are compared before release, and has worked closely with CISA since the breach. Any organization using SolarWinds should still apply the controls outlined above, because the lesson is about how any vendor's software is trusted, not about one vendor.
---
Q5: Who was responsible for the SolarWinds attack?
A: The U.S. government formally attributed the attack to the Russian Foreign Intelligence Service (SVR). Russia has denied responsibility.
---
Q6: What is the difference between SUNBURST, TEARDROP, and RAINMAN?
A: SUNBURST was the backdoor compiled into the Orion update itself. TEARDROP (FireEye's name) and RAINDROP (Symantec's name) are two different second-stage loaders, each used on selected victims to run a Cobalt Strike Beacon implant in memory after the initial compromise.
---
Q7: Did the SolarWinds attack affect elections?
A: No. The SolarWinds attack was an espionage operation targeting government and corporate secrets. There is no evidence it affected any election systems.
---
Q8: How much did the SolarWinds attack cost?
A: No reliable total exists, and figures in the tens or hundreds of billions are guesses. SolarWinds itself disclosed tens of millions of dollars in direct incident costs across 2020 and 2021, partly offset by insurance, plus a $26 million shareholder settlement. The cost to victims, many of which spent months investigating and rebuilding identity infrastructure, was never aggregated publicly.
---
CONCLUSION
The Breach That Changed Everything
The SolarWinds attack was not just another data breach. It was a systemic failure of our global software supply chain. It demonstrated that a single compromised vendor could become a backdoor into thousands of organizations, including the most sensitive government agencies in the world.
But SolarWinds also taught us valuable lessons. It accelerated the adoption of zero trust architecture. It made SBOMs a standard security requirement. It elevated supply chain security from an IT concern to a boardroom priority. And it forced governments around the world to rethink their approach to cyber defense.
The attackers may have stolen secrets, but they also revealed our vulnerabilities. The question now is whether we will learn from those revelations — or wait for the next SolarWinds.
CALL TO ACTION
Do not wait for the next supply chain attack to compromise your organization. Take action today:
1. Inventory all third-party software vendors
2. Request SBOMs for critical applications
3. Implement application allowlisting
4. Segment your network with zero trust principles
5. Deploy behavioral monitoring (EDR)
6. Conduct tabletop exercises for supply chain breach scenarios
The next SUNBURST is already being planned. Make sure you are ready.
---
ADDITIONAL RESOURCES
- CISA Emergency Directive 21-01
- Executive Order 14028
- FireEye's SUNBURST analysis (Mandiant)
- Microsoft's Nobelium threat intelligence
- SolarWinds Security Advisory