Blog
← Back to Blog

The SolarWinds Hack: The Most Sophisticated Cyberattack in History

Global cyber espionage and supply chain attack

This week, the cybersecurity world learned of what may be the most sophisticated cyberattack in history. Hackers attributed by US officials to the Russian state compromised SolarWinds, a widely used maker of IT management software, and inserted malicious code into a routine update for its Orion platform. That update was downloaded by as many as 18,000 organizations, including the US Treasury, the Department of Homeland Security, the Department of State, and major corporations.

This is the supply chain attack we've been warning about since NotPetya in 2017. But at a scale and sophistication that exceeds anything we've previously seen.

What Happened

  1. Hackers gained access to SolarWinds' software build environment
  2. They inserted a backdoor (named "SUNBURST" by FireEye) into a component of SolarWinds' Orion platform, so that it was compiled into an otherwise legitimate, signed update
  3. SolarWinds distributed the compromised updates through its normal channels between March and June 2020
  4. As many as 18,000 organizations installed them, unknowingly giving the attackers a foothold on their Orion servers
  5. The attackers then selectively followed up on a much smaller set of high-value organizations, moving from the Orion server deeper into the network and into cloud identity systems
  6. The operation went undetected for roughly nine months, until FireEye discovered it in December 2020 while investigating the theft of its own red-team tools

Why This Is Different

Supply Chain Perfection

The attackers didn't just push malware through a compromised update server (as the NotPetya attackers did with M.E.Doc). They infiltrated the software build process itself, so the backdoor was compiled into an official Orion component (SolarWinds.Orion.Core.BusinessLayer.dll) and the resulting package carried SolarWinds' valid code-signing certificate. The malicious update was indistinguishable from a legitimate one. Even a security team that verified the signature would see a properly signed SolarWinds package, because a valid signature proves who signed the file, not that what was signed is what the developers intended to build.
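
To make that last point concrete, here is an added toy example (mine, not SolarWinds' or FireEye's code). It stands in for code signing with an HMAC over the artifact and for compilation with a deterministic concatenation of source files; the product, source files, signing key and injected "implant" string are all constructed placeholders. It shows that an artifact tampered with inside the build passes the customer's signature check, and that only an independent rebuild from source (the reproducible-build approach) exposes the difference.

```python
"""Toy illustration: a valid code signature proves origin, not build integrity.

Added example, not SolarWinds code. Code signing is stood in for by an HMAC
over the artifact (a real signer uses an asymmetric key); "compilation" is
stood in for by concatenating source files in a fixed order.
"""
import hashlib
import hmac

# Hypothetical vendor signing key, held on the vendor's release system.
VENDOR_SIGNING_KEY = b"vendor-release-key-2020"

# Constructed "source tree" of a hypothetical product (not real code).
CLEAN_SOURCE = {
    "Core.cs": b"class Core { void Run() { Poll(); } }",
    "Poll.cs": b"void Poll() { /* collect metrics */ }",
}

# Placeholder for code injected during the build, as SUNBURST was.
IMPLANT = b"void Beacon() { /* hidden command-and-control */ }"


def build(source, inject=None):
    """Stand-in compiler: deterministic concatenation of sources, plus any injected code."""
    artifact = b"".join(source[name] for name in sorted(source))
    if inject:
        artifact += inject  # the tamper happens inside the build, before signing
    return artifact


def sign(artifact, key=VENDOR_SIGNING_KEY):
    """Stand-in for the vendor's code-signing step."""
    return hmac.new(key, artifact, hashlib.sha256).digest()


def verify(artifact, signature, key=VENDOR_SIGNING_KEY):
    """What a customer's installer checks: was this exact artifact signed by the vendor?"""
    return hmac.compare_digest(sign(artifact, key), signature)


def digest(artifact):
    return hashlib.sha256(artifact).hexdigest()


def vendor_release(compromised):
    """The vendor builds and signs. If the build host is compromised, the implant ships signed."""
    artifact = build(CLEAN_SOURCE, IMPLANT if compromised else None)
    return artifact, sign(artifact)


def independent_rebuild_matches(shipped_artifact):
    """Reproducible-build check: rebuild from source on a separate trusted host and compare hashes."""
    return digest(build(CLEAN_SOURCE)) == digest(shipped_artifact)


if __name__ == "__main__":
    artifact, sig = vendor_release(compromised=True)
    print("signature valid:", verify(artifact, sig))                  # True: looks like a genuine release
    print("matches rebuild:", independent_rebuild_matches(artifact))  # False: the build was tampered with
```

The signature check is still worth doing (it catches an update tampered with in transit or on a mirror), but it is the rebuild comparison that catches tampering upstream of the signing step, which is exactly where this attack lived.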

Patience and Stealth

The malware waited up to 12-14 days after installation before activating. It then called home over DNS to a domain that looked like a vendor cloud service, and its command traffic mimicked Orion's own telemetry protocol (the Orion Improvement Program). Before operating it checked the host for security and forensics tools, staying dormant if it found certain ones and attempting to disable some security services. Every one of these choices was designed to avoid detection. This wasn't a smash-and-grab. It was a long-term espionage operation.

Government Targets

The victims confirmed so far include the Treasury Department, the Commerce Department, Homeland Security, the State Department, parts of the Pentagon, the National Institutes of Health, and numerous Fortune 500 companies. The scope of potential intelligence compromise is enormous.

What This Means for Your Practice

Your practice almost certainly doesn't run SolarWinds Orion itself. But your MSP might, and the principle applies directly:

Every software update you install is an act of trust. You trust the vendor to secure their development process, their build systems, and their distribution channels. SolarWinds demonstrated that this trust can be exploited at the highest levels.

Practical takeaways:

  • Know your vendors. What IT management tools does your MSP use? What software has access to your network? Each one is a potential supply chain vector.
  • Monitor for unusual behavior. SUNBURST stayed hidden for months because its traffic was built to blend in: it beaconed over DNS to a vendor-looking domain and dressed its command traffic up as Orion telemetry. It was finally caught not by a signature but by an anomaly, when FireEye noticed a new device enrolled for multi-factor authentication on an employee's account. Even basic monitoring, such as alerting when a server starts resolving domains it has never contacted before, can surface this kind of deviation.
  • Segment and limit. An IT management tool is usually the most privileged thing on your network, and if it can reach everything, one supply chain attack compromises everything. Put management servers on their own segment, allow them outbound access only to the endpoints they need, and give them the least privilege they can work with, so the damage from a compromised tool stays contained.
  • Stay informed. Follow your software vendors' security advisories. When incidents like SolarWinds are disclosed, check whether any of your tools are affected, and if one is, treat it as compromised until the vendor and your MSP confirm otherwise.
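
What "basic monitoring" can look like in practice, as an added example of my own rather than anything from SolarWinds, FireEye or the original post: a small Python script that learns which domains each host normally resolves during a baseline window, then flags a host resolving a domain it has never contacted, and separately flags the one indicator the page's story turns on, SUNBURST's first-stage command domain avsvmcloud.com as published by FireEye in December 2020. The log lines, host names and random-looking subdomain labels are constructed for the example, not real telemetry.

```python
"""Baseline-and-deviation check over DNS query logs (added example, constructed data)."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample DNS log. Fields: timestamp, client host, queried name.
# The avsvmcloud.com subdomain labels are made up; the real ones encoded victim data.
SAMPLE_LOG = """\
2020-04-01T08:00:00 orion-srv updates.solarwinds.com
2020-04-01T08:00:05 orion-srv time.windows.com
2020-04-01T09:10:00 ws-recept outlook.office365.com
2020-04-02T08:00:00 orion-srv updates.solarwinds.com
2020-04-03T09:00:00 ws-recept outlook.office365.com
2020-04-20T03:12:00 orion-srv 7sbvaemscs0mc925tb99.appsync-api.us-west-2.avsvmcloud.com
2020-04-20T03:40:00 orion-srv updates.solarwinds.com
2020-04-21T02:58:00 orion-srv k5kcubuassl3alrf7gm3.appsync-api.eu-west-1.avsvmcloud.com
2020-04-22T10:00:00 orion-srv crl.microsoft.com
2020-04-22T10:05:00 ws-recept outlook.office365.com
2020-04-23T10:00:00 orion-srv crl.microsoft.com
"""

# Registered domain of SUNBURST's first-stage C2, from FireEye's public report (Dec 2020).
KNOWN_BAD_DOMAINS = {"avsvmcloud.com"}


def registered_domain(name):
    """Naive registered-domain extraction (last two labels).

    Fine for the demo; production code should use a public-suffix list so that
    names like example.co.uk are handled correctly.
    """
    labels = name.rstrip(".").lower().split(".")
    return ".".join(labels[-2:])


def parse_log(text):
    """Parse 'timestamp host name' lines into (datetime, host, name) tuples."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, host, name = line.split()
        events.append((datetime.fromisoformat(ts), host, name.lower()))
    return events


def analyze(events, baseline_days=14):
    """Learn each host's normal registered domains from the first baseline_days,
    then flag known-bad domains on every hit and new-for-this-host domains on first sight."""
    events = sorted(events)
    cutoff = events[0][0] + timedelta(days=baseline_days)
    baseline = defaultdict(set)
    for ts, host, name in events:
        if ts < cutoff:
            baseline[host].add(registered_domain(name))

    alerts = []
    for ts, host, name in events:
        if ts < cutoff:
            continue
        dom = registered_domain(name)
        if dom in KNOWN_BAD_DOMAINS:
            alerts.append((ts, host, name, "known-bad-domain"))
        elif dom not in baseline[host]:
            alerts.append((ts, host, name, "new-domain-for-host"))
            baseline[host].add(dom)  # alert once per host/domain, then treat as seen
    return alerts


if __name__ == "__main__":
    for ts, host, name, reason in analyze(parse_log(SAMPLE_LOG)):
        print(f"{ts.isoformat()} {host:10} {reason:20} {name}")
```

On the sample data the two avsvmcloud.com lookups fire as known-bad and the first crl.microsoft.com lookup fires once as new-domain-for-host. That second kind of alert is the important one for a small practice: it will often be benign, as here, but it is cheap to triage, and it is the only one of the two that would have fired before anyone had published an indicator. The baseline should be rebuilt periodically and kept per host, because a reception workstation contacting a new SaaS domain means something very different from a management server doing the same thing.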

SolarWinds is the most consequential cyberattack of the decade. The full scope of the compromise will take months or years to understand. What we know already is sobering enough.