Cyber Incident Victim: National Institutes of Health
Date: Dec 2020
Location: United States of America
Summary
A state-sponsored supply chain attack compromised the SolarWinds Orion platform, enabling threat actors to breach multiple US government agencies including the Department of Health's National Institutes of Health, alongside other federal entities and private sector organizations. The attackers leveraged trojanized software updates to infiltrate victim networks, with evidence suggesting lateral movement to Microsoft's systems and potential use of its infrastructure for further attacks, though Microsoft denied unauthorized access to its production services or customer data. The incident impacted critical infrastructure and government operations, with cybersecurity firms FireEye and Microsoft collaborating to disrupt the command-and-control infrastructure associated with the campaign.
Description
The SolarWinds supply chain compromise, attributed to state-sponsored actors, began with the insertion of malicious code into legitimate updates for the SolarWinds Orion network monitoring platform. This trojanized software was distributed to customers between March and June 2020, enabling attackers to establish footholds within victim networks. The US Cybersecurity and Infrastructure Security Agency (CISA) issued an alert on December 17, 2020, confirming the campaign's impact across federal agencies, critical infrastructure, and private organizations. Among the affected entities was the US Department of Health's National Institutes of Health (NIH), compromised through the installation of backdoored Orion software. Attackers leveraged initial access to pivot laterally, with evidence suggesting they exploited Microsoft's corporate environment to stage subsequent attacks against other targets using the technology giant's own products.

Microsoft confirmed finding malicious SolarWinds binaries in its systems but denied production system compromises or customer data exposure. FireEye and Microsoft led initial disclosures about the campaign on December 13, 2020, and collaborated to disrupt attacker command-and-control infrastructure by sinkholing a critical domain. The incident impacted at least nine federal agencies including NIH, the Departments of Treasury, State, Energy, Homeland Security, and Commerce's NTIA, alongside three US state governments and cybersecurity firm FireEye. CISA noted additional intrusion vectors beyond the Orion platform, though specifics weren't disclosed. Response actions centered on isolating infected systems, removing compromised SolarWinds components, and conducting forensic reviews. No public evidence detailed data exfiltration or operational disruption at NIH specifically, mirroring the broader pattern where most agencies disclosed compromise without confirming downstream impacts.
