Imagine downloading a patch for a critical system and finding that the patch itself carried the malware used to compromise you. That really happened. The SolarWinds supply chain attack was one of the most sophisticated and far-reaching cyber-espionage campaigns ever discovered, and it marked a significant escalation in the tactics and impact of nation-state cyberattacks. As a trusted vendor to many high-value customers, SolarWinds was a gateway through which many downstream victims could be hit at once.
What is SolarWinds and what does it do?
SolarWinds Corporation is a U.S.-based software company that develops IT management and monitoring tools used by government agencies, large enterprises, managed service providers, and critical infrastructure operators. Founded in 1999 and based in Austin, Texas, SolarWinds is best known for its flagship Orion platform product.
Orion is a centralized suite used by SolarWinds’ customers to monitor network performance, manage system configurations, track logs and events, and oversee infrastructure health and security.
In other words, Orion is deeply embedded in customer environments, often with elevated system privileges, making it a high-value target for compromise.
How did the attack happen?
The SolarWinds attack was discovered in December 2020 by FireEye, a privately held cybersecurity company that is now part of Trellix. FireEye disclosed its own breach on December 8, 2020, and on December 13 publicly identified the trojanized Orion update and the SUNBURST backdoor as the cause.
The attackers infiltrated SolarWinds' software build system and inserted a backdoor into a widely distributed update of its Orion IT monitoring software. SolarWinds' own investigation placed the attackers' first access to its environment in September 2019, more than a year before the backdoor was found.
- A backdoor is a way of bypassing normal authentication and security controls to gain access to a computer system, network, or application: in effect, a hidden entry point. Some backdoors are intentional (for example, remote maintenance access left in place by developers or IT staff), but the term usually refers to covert access planted by an attacker, often delivered by malware.
The backdoor delivered to customers was SUNBURST. The attackers did not simply replace a finished binary: with access to SolarWinds' build environment, they used a separate implant (later named SUNSPOT by CrowdStrike) to swap in a malicious source file while Orion was being compiled, so the tampered library (SolarWinds.Orion.Core.BusinessLayer.dll) came out of the normal pipeline and was signed with SolarWinds' legitimate code-signing certificate. A valid signature therefore proved only that SolarWinds had built the file, not that its contents were clean.
Around 18,000 customers unknowingly installed the tainted update. On those systems the backdoor gave the attackers remote access through their command-and-control (C2) infrastructure, but they used it selectively: only a small subset of victims of intelligence interest were escalated to hands-on intrusion and second-stage tooling.
How did SUNBURST work?
SUNBURST, the backdoor itself, was hidden inside a legitimate Orion component and mimicked normal Orion behaviour. After installation it lay dormant for up to about two weeks before its first beacon, long enough to outlast sandboxes and short-lived monitoring. Initial C2 went over DNS: the implant encoded information about the victim into subdomain queries, and the response told it whether to stay quiet or move on to HTTP-based C2 disguised as Orion Improvement Program traffic. On selected victims the operators then downloaded and executed second-stage payloads such as TEARDROP (a memory-only dropper for Cobalt Strike Beacon) and RAINDROP (another Cobalt Strike loader, used for lateral movement). SUPERNOVA, a webshell found on Orion servers, belongs to a separate intrusion that did not arrive through the poisoned update.
Who was affected by the SolarWinds attack?
According to SolarWinds, roughly 33,000 Orion customers, including governments and Fortune 500 companies, were exposed, and fewer than 18,000 of them downloaded the infected update. Among the confirmed or publicly reported victims were the U.S. Government (the Departments of State, Treasury, Homeland Security, Commerce, and Energy), FireEye (which discovered the attack), Microsoft, CrowdStrike, Intel, Cisco, Deloitte, VMware, and many others, including some U.S. national laboratories and energy firms.
Mitigation steps
In response to the attack, SolarWinds rebuilt its development infrastructure, retired and patched the affected Orion versions, and overhauled its security program.
The U.S. Government (CISA) issued Emergency Directive 21-01, applying to all agencies covered by FISMA, ordering them to disconnect or power down all Orion products, preserve evidence, and rebuild compromised infrastructure.
Microsoft went after the C2 infrastructure. SUNBURST used a specific domain for its command and control: avsvmcloud[.]com. In collaboration with other security firms and the U.S. government, Microsoft legally seized control of this domain in mid-December 2020. Because the implant's logic treated certain responses from that domain as an instruction to go dormant, the seized domain was then used as a kill switch to quiet remaining infections.
Microsoft also added detections for the trojanized Orion binaries to its security products and began quarantining the known malicious DLL.
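The DNS C2 described in the "How did SUNBURST work?" section and the seized avsvmcloud[.]com domain above are the most practical thing a defender can check for in retrospect. The following is an added example, not code from the original article or from any of the vendors named in it: a small Python scanner that runs over DNS query logs and flags (a) any query for the seized C2 domain and (b) as a weaker heuristic, queries whose leftmost label looks machine-generated. The log format (timestamp, client IP, query name), the sample lines and the random-looking labels in them are constructed for this example; the entropy threshold is an assumption, not a published indicator.

```python
"""Scan DNS query logs for SUNBURST-style C2 beacons (added example)."""
import math
import re
from collections import Counter, namedtuple

# The C2 domain named in the article; Microsoft and partners seized it in December 2020.
C2_DOMAIN = "avsvmcloud.com"

# Assumed log format: "<timestamp> <client-ip> <query-name>" per line.
LOG_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<src>\d{1,3}(?:\.\d{1,3}){3})\s+(?P<qname>\S+)$")

# Heuristic thresholds (assumptions for this example, not published IOCs).
MIN_LABEL_LEN = 16
MIN_ENTROPY_BITS = 3.8

Finding = namedtuple("Finding", "ts src qname reason")

# Constructed sample log. The long leftmost labels are random strings made up
# for this example; they are not real SUNBURST indicators.
SAMPLE_LOG = """\
2020-12-13T04:01:12Z 10.1.5.20 orion-srv01.corp.example.com
2020-12-13T04:01:13Z 10.1.5.20 k3v9q2mzx7b4n8p1w5d0.appsync-api.us-west-2.avsvmcloud.com
2020-12-13T04:02:40Z 10.1.5.31 www.solarwinds.com
2020-12-13T04:03:05Z 10.1.5.20 updates.microsoft.com
2020-12-13T04:05:09Z 10.1.5.44 gq7h2m5c9xrn3k8p1t4z.appsync-api.eu-west-1.avsvmcloud.com
2020-12-13T04:06:00Z 10.1.5.31 content-delivery-edge-17.cdn.example.net
"""


def shannon_entropy(s):
    """Bits of entropy per character of s (0.0 for empty or single-symbol strings)."""
    if not s:
        return 0.0
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())


def classify(qname):
    """Return a reason string if the query name is suspicious, else None."""
    name = qname.lower().rstrip(".")
    # Exact or subdomain match on the seized C2 domain: high-confidence hit.
    if name == C2_DOMAIN or name.endswith("." + C2_DOMAIN):
        return "query to seized SUNBURST C2 domain"
    # Weak heuristic: long, high-entropy, mixed alphanumeric leftmost label,
    # the shape SUNBURST used to encode victim data into subdomains.
    first = name.split(".")[0]
    if (len(first) >= MIN_LABEL_LEN
            and shannon_entropy(first) >= MIN_ENTROPY_BITS
            and any(ch.isdigit() for ch in first)
            and any(ch.isalpha() for ch in first)):
        return "DGA-like leftmost label (heuristic)"
    return None


def scan(log_text):
    """Parse log lines and return a list of Findings; unparseable lines are skipped."""
    findings = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line.strip())
        if not m:
            continue
        reason = classify(m["qname"])
        if reason:
            findings.append(Finding(m["ts"], m["src"], m["qname"], reason))
    return findings


def beaconing_hosts(findings):
    """Sorted client IPs that talked to the C2 domain (heuristic-only hits excluded)."""
    return sorted({f.src for f in findings if "C2 domain" in f.reason})


if __name__ == "__main__":
    hits = scan(SAMPLE_LOG)
    for h in hits:
        print(f"{h.ts} {h.src} {h.qname} -> {h.reason}")
    print("hosts to isolate and image:", beaconing_hosts(hits))
```

Hosts returned by beaconing_hosts are the ones CISA's directive would have you isolate and forensically image rather than simply patch, since a beacon means the backdoor ran, not merely that the tainted build was installed. The entropy heuristic is kept separate from the domain match on purpose: it will eventually flag legitimate CDN or cloud hostnames, so it is a triage hint, not grounds for action on its own.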
Who was behind the attack?
U.S. agencies and private researchers attributed the attack to APT29 (also tracked as Cozy Bear), a hacking unit of Russia's Foreign Intelligence Service (SVR). The White House formally attributed the operation to the SVR in April 2021 and imposed sanctions on Russia.
The SolarWinds case redefined what a supply chain attack could achieve and led to global reforms in how organizations secure their development pipelines, vet their vendors, and monitor the tools and update channels they trust.