
Cyber Incident Victim: SolarWinds

Date:

Mar 2020

Location:

United States of America

Summary

A supply chain attack compromised the build process for SolarWinds' Orion platform, so that legitimately signed Orion updates carried the Sunburst backdoor to roughly 18,000 customers. The operation was later attributed by the U.S. government to Russia's Foreign Intelligence Service (SVR). The implant beaconed to attacker-controlled domains, and hands-on follow-on intrusions enabled data theft from a small set of high-value targets, including U.S. government agencies and technology firms. A separate malware family, SUPERNOVA, was also found on Orion servers, but it was planted by exploiting an Orion vulnerability rather than delivered through the trojanized update. Although the malicious update reached SolarWinds customers broadly, the attackers pursued espionage objectives against selected victims and operated undetected for months. Mitigation included sinkholing the command-and-control domain and quarantining the affected components.

CIA Posture: Available to members

Motives: 2 motives

Tactics, Techniques & Procedures: 2 techniques

Threat Actor: 1 actor

Actor Type: Available to members

Actor Location: Available to members

Description

The SolarWinds cyberattack, disclosed in December 2020, began with FireEye's announcement on December 8th that it had been breached by a nation-state advanced persistent threat (APT) group, which stole its Red Team assessment tools. Five days later, on December 13th, Microsoft, FireEye, SolarWinds, and the U.S. government issued coordinated reports confirming that SolarWinds' Orion software had been compromised by state-sponsored actors; the U.S. government subsequently attributed the operation to Russia's Foreign Intelligence Service (SVR). The attackers infiltrated SolarWinds' Orion build system and inserted a backdoor, dubbed Sunburst, into the product's updates. The backdoor was embedded in SolarWinds.Orion.Core.BusinessLayer.dll, a file that carried a valid SolarWinds code-signing signature, and was distributed to customers through the normal update channel starting around March 2020. Once installed, the trojanized DLL waited through a dormancy period of up to two weeks, then issued DNS queries for generated subdomains of avsvmcloud[.]com that encoded the victim's internal domain name; the DNS answers steered selected victims to second-stage command-and-control servers from which attacker directives were received and executed. Evidence suggests the threat actors conducted a dry run as early as October 2019, shipping a modified but not yet malicious DLL, and the active campaign remained undetected for months after the March 2020 deployment, allowing stealthy data collection from targeted networks.


The attack impacted numerous high-profile entities, including FireEye, the U.S. Treasury, the National Telecommunications and Information Administration (NTIA), the Department of Homeland Security (DHS), the National Institutes of Health (NIH), the Department of Energy (DOE), and the National Nuclear Security Administration (NNSA), alongside private sector victims such as Cisco. While over 18,000 SolarWinds customers received the malicious update, forensic analysis indicated that only a subset of high-value targets were actively exploited. Researchers identified additional malware linked to the campaign: Sunspot (which watched for Orion builds on the build server and swapped in the backdoored source during compilation), Teardrop (a memory-only dropper used to load Cobalt Strike Beacon), and Raindrop (a post-exploitation loader with a similar role). Attribution efforts associated the operation with the threat actor tracked as UNC2452/Dark Halo, with unconfirmed links to APT29/Cozy Bear, and U.S. Secretary of State Mike Pompeo publicly attributed the attack to Russia. In response, Microsoft Defender began quarantining the compromised Orion binaries on December 16th; GoDaddy disrupted the Sunburst C2 infrastructure by redirecting avsvmcloud[.]com to a sinkhole address (20.140.0.1), which also acted as a kill switch because the backdoor stops executing when its C2 domain resolves into certain address ranges; and security firms released detection tools and hashes of the malicious files. SolarWinds also disclosed a separate malware campaign, SUPERNOVA, a web shell placed on Orion servers by exploiting an Orion authentication bypass vulnerability, which was unrelated to Sunburst. The incident highlighted systemic supply chain vulnerabilities, with remediation efforts focusing on identifying compromised systems through SolarWinds' advisory, Microsoft's list of known-bad DLL hashes, and third-party forensic tools.
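The two checks that paragraph describes, searching DNS logs for beacons to the C2 domain and comparing the Orion DLL against a published hash list, are shown below as an added example written for this page; it is not code from the incident record, SolarWinds, Microsoft, or any of the named security firms. The DNS log format, the log lines, the random-looking host labels, and the hash list are all constructed for illustration; the C2 domain and the sinkhole address come from the text above.

```python
"""Added example: triage DNS logs for Sunburst beaconing and hash-check the Orion DLL.

Assumptions (not from the page): the DNS log has one lookup per line in the form
"<timestamp> <client_ip> <qname> <answer_ip>", and the defender has obtained a
list of known-bad SHA-256 values from the vendor advisory.
"""
import hashlib
import re
from collections import defaultdict
from typing import Dict, Iterable, List, Optional

C2_DOMAIN = "avsvmcloud.com"
SINKHOLE_IP = "20.140.0.1"  # sinkhole address named in the incident writeup
# Match the C2 domain itself or any subdomain of it (the implant used generated
# labels under appsync-api.<region>.avsvmcloud.com, so match the suffix only).
_C2_RE = re.compile(r"(?:^|\.)" + re.escape(C2_DOMAIN) + r"$", re.IGNORECASE)

# Constructed sample log. The host labels are made up and are NOT real
# Sunburst DGA output; answer IPs other than the sinkhole are documentation ranges.
SAMPLE_DNS_LOG = """\
2020-12-14T10:02:11Z 10.0.5.21 abcd1234efgh5678ijkl.appsync-api.eu-west-1.avsvmcloud.com 198.51.100.17
2020-12-14T10:02:12Z 10.0.5.21 www.example.com 203.0.113.5
2020-12-17T08:41:03Z 10.0.7.9 mnop9012qrst3456uvwx.appsync-api.us-west-2.avsvmcloud.com 20.140.0.1
2020-12-17T08:41:05Z 10.0.7.9 updates.example.net 203.0.113.9
this line is malformed and must be skipped
"""


def parse_dns_line(line: str) -> Optional[Dict[str, object]]:
    """Split one log line into fields; return None for blank or malformed lines."""
    parts = line.split()
    if len(parts) != 4:
        return None
    ts, client, qname, answer = parts
    # Normalise the query name: lower-case, drop a trailing dot if the resolver logs one.
    return {"ts": ts, "client": client, "qname": qname.lower().rstrip("."), "answer": answer}


def find_c2_lookups(log_text: str) -> List[Dict[str, object]]:
    """Return every lookup whose name is the C2 domain or one of its subdomains."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_dns_line(line)
        if rec is None or not _C2_RE.search(str(rec["qname"])):
            continue
        # A sinkholed answer means the implant beaconed and was told to stop;
        # it is still proof that the trojanized DLL was running on that client.
        rec["sinkholed"] = rec["answer"] == SINKHOLE_IP
        hits.append(rec)
    return hits


def summarize_clients(hits: Iterable[Dict[str, object]]) -> Dict[str, Dict[str, object]]:
    """Per internal client: number of C2 lookups and whether any resolved to the sinkhole."""
    summary: Dict[str, Dict[str, object]] = defaultdict(lambda: {"lookups": 0, "sinkholed": False})
    for h in hits:
        s = summary[str(h["client"])]
        s["lookups"] = int(s["lookups"]) + 1
        s["sinkholed"] = bool(s["sinkholed"]) or bool(h["sinkholed"])
    return dict(summary)


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def is_known_bad(data: bytes, known_bad_sha256: Iterable[str]) -> bool:
    """Compare file contents against a published SHA-256 list.

    Hash the bytes rather than trusting the name or the signature: the backdoored
    SolarWinds.Orion.Core.BusinessLayer.dll kept its legitimate file name and carried
    a valid SolarWinds signature, so Authenticode verification alone does not flag it.
    """
    return sha256_hex(data) in {h.strip().lower() for h in known_bad_sha256}


if __name__ == "__main__":
    for client, s in summarize_clients(find_c2_lookups(SAMPLE_DNS_LOG)).items():
        print(f"{client}: {s['lookups']} C2 lookup(s), sinkholed={s['sinkholed']}")
    # Hypothetical hash list entry, constructed here; real values come from the advisory.
    demo_list = {sha256_hex(b"constructed dll bytes")}
    print("known-bad:", is_known_bad(b"constructed dll bytes", demo_list))
```

In a real investigation the hash list would be the one published by SolarWinds or Microsoft and the log input would be the resolver or DNS-firewall export; the point of the per-client summary is that a host whose only C2 answer was the sinkhole still ran the backdoor and needs the same rebuild-and-credential-rotation treatment as one that reached live infrastructure.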
