Cyber Incident Victim: U.S. Department of State

Date:

Dec 2020

Location:

United States of America

Summary

A state-sponsored supply-chain attack compromised the build pipeline for SolarWinds' Orion network-management software, so that legitimately signed Orion updates carried a backdoor. Installing those updates gave the attackers a foothold in multiple US government agencies, including the Department of State, Treasury, Commerce, Homeland Security and Energy, and in private-sector organizations. Reuters later reported that the attackers had also moved into Microsoft's corporate network and used its products to attack further victims; Microsoft confirmed finding the malicious SolarWinds binaries in its environment but denied any breach of production services or customer data, or any use of its systems against third parties. The incident affected critical infrastructure and national security organizations and prompted a joint response by FireEye and Microsoft to disrupt the malware's command-and-control infrastructure.

CIA Posture: Available to members
Motives: 2 motives
Tactics, Techniques & Procedures: 3 techniques
Threat Actor: 1 actor
Type: Available to members
Location: Available to members

Description

The SolarWinds supply-chain attack, first publicly disclosed in December 2020, involved state-sponsored operators compromising the software build system of SolarWinds, a network-management vendor. Because the malicious code was injected at build time, it shipped inside legitimate, vendor-signed updates for the SolarWinds Orion platform, which were distributed to approximately 18,000 customers between March and June 2020; code-signing and update-channel checks therefore offered no protection, since the update was genuine from the vendor's perspective. The trojanized updates gave the attackers a backdoor into each network that installed them, which they then used for follow-on operations against selected victims. On December 17, 2020, Reuters reported that the threat actors had pivoted from SolarWinds into Microsoft's internal corporate network and leveraged Microsoft's systems to facilitate attacks against other organizations. Microsoft confirmed finding malicious SolarWinds binaries in its environment but denied any evidence of access to production services or customer data, or of its systems being used to attack third parties.

The US Cybersecurity and Infrastructure Security Agency (CISA) issued an alert confirming that the SolarWinds compromise affected multiple federal agencies and private entities. Confirmed victims included the US Department of State, the US Treasury, the Department of Homeland Security (including CISA itself), the Department of Energy and its National Nuclear Security Administration, the Department of Commerce's NTIA, the Department of Health and Human Services' NIH, and three unnamed US state governments. At the time of reporting, the cybersecurity firm FireEye was the only private entity to acknowledge a compromise through the SolarWinds vector. FireEye and Microsoft played key roles in the response, publishing technical analyses of the attack methodology and collaborating to sinkhole the malware's command-and-control domain, which cut the backdoor off from its operators on hosts that were still beaconing to it. CISA also noted evidence of initial access vectors other than the SolarWinds Orion platform, which means that removing or patching Orion alone could not be assumed to evict the actor from an affected network. The incident represented one of the most extensive compromises of US government systems in history, with investigations ongoing to determine the full scope of data exfiltration and operational impact across affected organizations.

Sources: 1 source (available to members)