Cyber Incident Victim: Chemical Security Assessment Tool

Date: Dec 2020

Location: United States of America

Summary

A state-sponsored cyberattack compromised SolarWinds' Orion software through trojanized updates, enabling widespread supply chain infiltration. The attackers pivoted to Microsoft's internal systems, leveraging its products to target additional entities, though Microsoft denied unauthorized access to production services or customer data. The incident impacted numerous US government agencies—including departments overseeing treasury, commerce, health, energy, and homeland security—alongside cybersecurity firm FireEye. CISA confirmed evidence of multiple initial intrusion methods beyond the SolarWinds platform. Both Microsoft and FireEye played key roles in identifying the breach and disrupting the attackers' command-and-control infrastructure by sinkholing malicious domains.

Description

The SolarWinds supply chain compromise, first identified in December 2020, involved state-sponsored attackers inserting malicious code into legitimate updates for the SolarWinds Orion network monitoring platform. This trojanized software allowed unauthorized access to victim networks that installed the compromised updates. The attackers subsequently exploited this initial foothold to pivot to other systems, including Microsoft's internal corporate network, as reported by Reuters on December 17, 2020. Microsoft confirmed finding malicious SolarWinds binaries in its environment but stated no evidence existed of production system compromises or customer data access. The US Cybersecurity and Infrastructure Security Agency (CISA) issued an alert confirming the SolarWinds Orion platform breach while noting evidence of additional initial access vectors beyond the software supply chain attack.

High-profile victims included multiple US government agencies: the Treasury Department, Department of Commerce's National Telecommunications and Information Administration, Department of Health's National Institutes of Health, Department of Homeland Security, Department of State, National Nuclear Security Administration, Department of Energy, and CISA itself. Three unnamed US state governments and cybersecurity firm FireEye were also compromised through the SolarWinds platform. Microsoft and FireEye jointly confirmed the breach on December 13, 2020, publishing technical analyses of the attack methodology. Both companies participated in neutralizing attacker infrastructure by sinkholing the command-and-control domain used to operate the malware. Incident response actions included isolating and removing malicious SolarWinds binaries from affected networks, though investigations remained ongoing at the time of reporting. The incident demonstrated broad impacts across federal civilian agencies and critical infrastructure entities through a single software supply chain compromise.
