Quiz Entry - updated: 2026.07.05
What was the SolarWinds hack, and why is it considered one of the most significant supply chain attacks in history?
A nation-state supply chain attack (attributed to Russian SVR/APT29) that compromised ~18,000 organizations through a trojanized software update.
How it worked:
- Attackers compromised SolarWinds' build environment for the Orion IT monitoring platform
- Injected malicious code called the SUNBURST backdoor — pushed to customers unknowingly as part of three separate patches
- The malicious code was inserted during compilation at SolarWinds, so the trojanized update was digitally signed by SolarWinds and distributed as a legitimate update
- ~18,000 customers worldwide installed the compromised update
- The backdoor let attackers intercept communications and steal data, blending in with normal Orion traffic
Timeline:
- Jan 2020: Attack period begins
- Dec 2020: Breach made public; security vendor FireEye was first to discover it
- The attack ran January–December 2020 and went undetected for 8 months
Why it was devastating:
- ~18,000 organizations affected worldwide, including Google and the US government
- The attack exploited trust in the software supply chain — customers trusted SolarWinds' signed updates
- Traditional perimeter security was useless since the malware came from inside a trusted tool
- Professional tradecraft: the malware was de-compiled and re-compiled before deployment to obscure clues about its origin, and the injection was a minimal change — in the build process a file was simply renamed, with no extra process running on the system, making it nearly invisible
Key lesson: Supply chain attacks bypass all traditional defenses because they compromise trusted software before it reaches the customer. Zero Trust architecture and software supply chain verification (e.g., SBOMs, build attestation) are essential countermeasures.
Go deeper:
Wikipedia: 2020 United States federal government data breach — overview of scope, attribution (APT29/SVR), and the ~18,000 affected organizations.
CrowdStrike: SUNSPOT — An Implant in the Build Process — technical analysis of the SUNSPOT tool that watched the compiler and swapped in the SUNBURST source file during the Orion build.
TechTarget: SolarWinds response team recounts early days of attack — incident responders (CrowdStrike, KPMG, SolarWinds) on how the breach was found, including the powered-off VM that held the compiled bad code.