Cyber Incident Victim: Department of Homeland Security
Date: Dec 2020
Location: United States of America
Summary
The Department of Homeland Security was compromised as part of a state-sponsored supply chain attack targeting the SolarWinds Orion software: malicious Orion updates gave the attackers unauthorized access to multiple U.S. government agencies and private organizations. The attackers used the trojanized software to infiltrate networks, evidence suggested additional initial infection vectors beyond the SolarWinds platform, and compromised environments such as Microsoft's were leveraged to facilitate further breaches. Among the impacted entities were critical infrastructure organizations, federal departments including Treasury, State, Energy, and Commerce, and the cybersecurity firm FireEye, though no evidence indicated that production systems or customer data were accessed through Microsoft's infrastructure during the campaign.
| CIA Posture | Motives | Tactics, Techniques & Procedures |
|---|---|---|
| Available to members | 2 motives | 3 techniques |
| Threat Actors | Type | Location |
|---|---|---|
| 2 actors | Available to members | Available to members |
Description
The SolarWinds supply chain attack, first identified in December 2020, involved state-sponsored hackers compromising the update channel of the Orion network monitoring software distributed by SolarWinds. This breach allowed the attackers to infiltrate the networks of numerous organizations that installed the trojanized updates. Among the affected entities was the US Department of Homeland Security (DHS), which was confirmed as a victim alongside other high-profile government agencies. The attackers used the compromised SolarWinds Orion platform as an initial access vector, though the US Cybersecurity and Infrastructure Security Agency (CISA) later disclosed evidence of additional intrusion methods beyond the Orion software. Microsoft also detected malicious SolarWinds binaries within its environment but stated that it found no evidence of production system compromise or of its infrastructure being misused to attack third parties.

The incident’s scope expanded rapidly, with CISA issuing an alert on December 17, 2020, highlighting impacts across federal agencies, critical infrastructure, and private sector organizations. DHS was listed among the confirmed victims, which included the US Treasury, Department of Commerce, Department of State, Department of Energy, and three unnamed states. Cybersecurity firm FireEye was the sole private entity to publicly acknowledge a breach via the SolarWinds platform. Microsoft and FireEye played pivotal roles in the response, confirming the attack’s mechanics on December 13 and collaborating to sinkhole the command-and-control domain used by the malware. Both companies isolated and removed the malicious binaries from their systems, while federal investigations continued to assess the full extent of data exfiltration and operational disruptions. The breach underscored systemic vulnerabilities in software supply chains and triggered widespread scrutiny of third-party vendor security practices within government networks.
