SolarWinds — SUNBURST

2020-12-13

The 2019–2020 supply-chain compromise of the SolarWinds Orion network-management product, in which a software-build-server intrusion enabled the surreptitious insertion of the SUNBURST trojan into legitimate signed Orion update packages distributed to approximately 18,000 customers worldwide, with subsequent active exploitation against approximately 100 high-value organisations including nine United States federal agencies — attributed by the United States Government on 15 April 2021 to the Foreign Intelligence Service of the Russian Federation (SVR).

Background

SolarWinds Worldwide LLC, an Austin, Texas-based information-technology company, develops and markets the Orion network-monitoring and management product — a widely deployed enterprise platform for the centralised monitoring, configuration management, and operational visibility of network infrastructure. Orion is, by industry-survey estimate, deployed across more than thirty thousand organisations globally, including a substantial fraction of the United States Federal civil and defence agencies, of the major United States and partner-state private-sector enterprises, and of the public-sector institutions of partner states. The product holds privileged access to the network-infrastructure systems it monitors and is consequently a high-value target for adversary intelligence collection.[1]

The intrusion against SolarWinds itself is assessed by subsequent investigation to have been initiated in approximately September 2019. The intruders established access to the SolarWinds software-development infrastructure, conducted reconnaissance of the build environment across the autumn and winter of 2019–2020, and from approximately February 2020 began the deliberate modification of the Orion source code in the build process to insert the SUNBURST malware variant — a backdoor implant that would be compiled into legitimate, code-signed Orion update packages and distributed to SolarWinds customers through the company's normal software-update channel.[2]

The Operation

The SUNBURST-trojanised Orion updates were distributed to SolarWinds customers in successive update cycles between March 2020 and June 2020. Approximately 18,000 SolarWinds customers downloaded and installed the trojanised updates. The SUNBURST implant, on installation, contained an extended dormancy period (approximately twelve to fourteen days) and a series of operational checks designed to evade detection — including verification that the host system was a normal customer environment rather than a security-research environment — before any attempt to communicate with the operators' command-and-control infrastructure. The implant subsequently communicated with operator infrastructure using domain-generation-algorithm-derived sub-domains under avsvmcloud.com, a domain that had been registered for the purpose and that has been the subject of subsequent forensic-attribution analysis.[3]
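The domain-generation-algorithm-derived sub-domains under avsvmcloud.com described above are the implant behaviour a defender can most readily hunt for in DNS telemetry after the dormancy period ends. The following Python is an added example, not code from this page, from FireEye/Mandiant, Microsoft, or any other cited source: it scans a constructed DNS query log for names under the avsvmcloud.com parent domain and, more generally, for long high-entropy leftmost labels of the kind a domain-generation algorithm produces. The log format, the sample host names and client addresses, and the MIN_LABEL_LEN and ENTROPY_THRESHOLD values are assumptions; the actual SUNBURST sub-domain encoding is not reproduced.

```python
import math
from collections import Counter

# Command-and-control parent domain named in the public SUNBURST reporting.
C2_DOMAIN = "avsvmcloud.com"
# Assumed thresholds for the generic heuristic (not from the page): a leftmost
# label at least this long and this random-looking is flagged even when its
# parent domain is not on the watch-list. Tune against your own DNS baseline.
MIN_LABEL_LEN = 12
ENTROPY_THRESHOLD = 3.0  # bits per character

# Constructed sample DNS log (not real telemetry): "<timestamp> <client-ip> <query-name>".
SAMPLE_DNS_LOG = """\
2020-06-02T10:15:01Z 10.1.4.22 downloads.solarwinds.com
2020-06-02T10:15:07Z 10.1.4.22 k9r2vx4pm1qz7ty3.avsvmcloud.com
2020-06-02T10:16:12Z 10.1.4.23 www.example.org
2020-06-02T10:17:44Z 10.1.4.22 mail.example.org
2020-06-02T10:18:03Z 10.1.4.30 h4wq8nz2bj6r.avsvmcloud.com.
2020-06-02T10:19:30Z 10.1.4.31 xk3p9q7zt2mfn8.cdn.example.net
2020-06-02T10:20:01Z 10.1.4.31 avsvmcloud.com.example.org
malformed line
"""


def shannon_entropy(text):
    """Bits of entropy per character; high values suggest an algorithmically generated label."""
    if not text:
        return 0.0
    n = len(text)
    return -sum((c / n) * math.log2(c / n) for c in Counter(text).values())


def normalise(qname):
    """Lower-case the name and drop the trailing root dot that some resolvers log."""
    return qname.lower().rstrip(".")


def is_under(qname, parent):
    """True when qname equals parent or is a sub-domain of it. Matching is done on
    label boundaries so that 'avsvmcloud.com.example.org' is not a false match."""
    q_labels = normalise(qname).split(".")
    p_labels = normalise(parent).split(".")
    return len(q_labels) >= len(p_labels) and q_labels[-len(p_labels):] == p_labels


def classify(qname):
    """Return a reason string for a suspicious query name, or None when it looks benign."""
    name = normalise(qname)
    if is_under(name, C2_DOMAIN):
        return "known-c2-domain"
    leftmost = name.split(".")[0]
    if len(leftmost) >= MIN_LABEL_LEN and shannon_entropy(leftmost) >= ENTROPY_THRESHOLD:
        return "high-entropy-subdomain"
    return None


def scan(log_text):
    """Return a list of (client, query-name, reason) for every suspicious line in the log."""
    hits = []
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) < 3:
            continue  # skip malformed lines rather than abort the whole scan
        _timestamp, client, qname = fields[0], fields[1], fields[2]
        reason = classify(qname)
        if reason:
            hits.append((client, normalise(qname), reason))
    return hits


def hits_by_client(hits):
    """Count flagged queries per source host; repeated hits from one host are the beaconing signal."""
    return dict(Counter(client for client, _qname, _reason in hits))


if __name__ == "__main__":
    found = scan(SAMPLE_DNS_LOG)
    for client, qname, reason in found:
        print(f"{client:<12} {reason:<24} {qname}")
    print(hits_by_client(found))
```

The watch-list match is exact and cheap; the entropy heuristic is deliberately secondary because CDN and cloud hostnames also carry long random-looking labels, so it should be run against a baseline of the environment's normal DNS traffic rather than alerted on alone. Given the twelve-to-fourteen-day dormancy noted above, the useful hunt window for a retrospective search starts at the Orion update installation date, not at the date of disclosure.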

The SUNBURST backdoor in 18,000 customer environments did not in itself constitute the intrusion against the affected high-value targets. Rather, SUNBURST functioned as the access vehicle for a follow-on, manually directed intrusion campaign in which the operators identified, from the population of SUNBURST-implanted hosts, the targets of operational interest, and conducted further compromise of those targets using additional tools (including the implants subsequently designated TEARDROP and RAINDROP). Approximately one hundred high-value targets were active intrusion subjects in the post-SUNBURST campaign. The active-intrusion target set included nine United States Federal agencies — confirmed in subsequent United States Government statements as the Departments of the Treasury, Commerce, State, Homeland Security, Energy, and Justice, and including elements of the National Institutes of Health, the National Telecommunications and Information Administration, and other components — as well as substantial private-sector technology, defence, and consultancy firms, and the State or partner-state institutions of multiple foreign governments.[4]

The intrusion was first identified by the cyber-security firm FireEye, which discovered on or about 8 December 2020 that the firm itself had been the subject of an intrusion that had resulted in the exfiltration of FireEye's Mandiant red-team tooling. FireEye disclosed the intrusion against itself publicly on 8 December 2020 and, in the course of the subsequent forensic investigation, identified SUNBURST in its own SolarWinds Orion installation. FireEye disclosed SUNBURST publicly on 13 December 2020 in coordination with SolarWinds, with Microsoft (which had been conducting parallel detection and analysis), and with the United States Cybersecurity and Infrastructure Security Agency (CISA). CISA issued Emergency Directive 21-01 on the same date, requiring all Federal civil agencies to disconnect or power down affected SolarWinds Orion installations.[5]

Disclosure

The United States Government conducted the formal attribution of the SolarWinds intrusion across an extended period and through multiple statements. A joint statement issued by the FBI, the Office of the Director of National Intelligence, the National Security Agency, and CISA on 5 January 2021 characterised the operation as "likely Russian in origin" and as having been conducted by an "Advanced Persistent Threat (APT) actor" — language that, in the public-record practice of US Government attribution statements of this character, indicates a high-confidence Russian state attribution without a specific service designation.[6]

The formal attribution to the Russian Federation's Foreign Intelligence Service (Sluzhba Vneshney Razvedki, SVR) was made on 15 April 2021 in a coordinated US Government action that combined a public attribution statement, the imposition of Treasury sanctions on six Russian-domiciled cyber-security and information-technology firms identified as having supported SVR cyber operations, and the expulsion of ten Russian diplomats from the United States. The attribution statement specifically named the SVR and referenced the threat designation APT29 (also known as Cozy Bear and The Dukes), which had been associated by Western Government and private-sector reporting with the SVR across the previous decade.[7]

The institutional review and Congressional response to SolarWinds proceeded across 2021 and 2022. The Cyber Safety Review Board (CSRB), established by the Biden administration in February 2022 under Executive Order 14028, conducted as its first review (released in July 2022) the parallel Log4j vulnerability response rather than SolarWinds; the SolarWinds case was the subject of separate inquiry by the Senate Select Committee on Intelligence, by the House Committee on Homeland Security, and by the Government Accountability Office. The combined institutional record characterises SolarWinds as the most consequential supply-chain compromise on the United States Government public record and as a foundational reference for the post-2020 reorientation of United States Federal supply-chain security policy.[8]

The Russian Federation has consistently denied responsibility for the SolarWinds intrusion. President Vladimir Putin and successive Russian Government statements have rejected the attribution; the SVR has not commented in detail. The April 2021 sanctions and expulsion package was met by Russian counter-sanctions and the expulsion of ten US diplomats from Moscow.[9]

Legacy

SolarWinds is the canonical reference case for the supply-chain compromise as a state-level intelligence-collection technique. The structure of the operation — the patient, multi-month compromise of a software vendor in order to gain trusted access into the vendor's customer base, with subsequent selective targeting of high-value subsets of the affected population — has been substantially replicated in subsequent cases (the December 2020 Mimecast compromise, the July 2021 Kaseya VSA exploitation, the December 2021 Log4j response, and others), in some cases by the same SVR-attributed actor and in others by parallel Russian, Chinese, and North Korean state-attributed operators.[10]

The institutional response to SolarWinds has been substantially structural. Executive Order 14028 of 12 May 2021 (Improving the Nation's Cybersecurity) established new requirements on Federal software-supply-chain security, on Federal incident-reporting, and on Federal zero-trust architecture adoption. The National Defense Authorization Act for Fiscal Year 2021, the Cyber Incident Reporting for Critical Infrastructure Act of 2022, and successive appropriations have funded the further institutional response. The post-2020 statutory and policy framework on Federal cyber-security and supply-chain risk substantially reflects the lessons drawn from SolarWinds.[11]

The strategic-counter-intelligence consequences of the post-SUNBURST exploitation activity remain partly classified. The exfiltration product from the affected Federal agencies has been characterised in public-record statements as "highly significant," but the specific exfiltrated content has not been published. Successive US Government statements have characterised the operation as having advanced Russian foreign-intelligence collection in ways that will persist beyond the immediate operational closure.[12]

This dossier is the supply-chain analogue to the federal-government-personnel-data exfiltration documented in the 2015 OPM Data Breach and to the mass-exploitation campaign documented in HAFNIUM (Microsoft Exchange) (2021). It sits alongside the cyber-tools disclosure of Vault 7 (2017) in the cyber-operations literature, and connects to Stuxnet as the principal Western-state offensive-cyber operation on the public record. The agency-level entries most directly engaged are the Central Intelligence Agency and the National Security Agency; the country-level context is on the pages for the United States and Russia.

Sources & Further Reading

  1. SolarWinds Worldwide LLC, public corporate filings; SolarWinds Orion product documentation; industry-survey reporting on Orion deployment, 2019–2020.
  2. FireEye / Mandiant, "Highly Evasive Attacker Leverages SolarWinds Supply Chain to Compromise Multiple Global Victims With SUNBURST Backdoor," 13 December 2020; SolarWinds Form 8-K filing of 14 December 2020 with the US Securities and Exchange Commission.
  3. FireEye / Mandiant SUNBURST technical analysis; Microsoft Threat Intelligence Center analysis of Solorigate, December 2020; CrowdStrike analysis of SUNSPOT (the build-server-modification component), 11 January 2021.
  4. United States Cybersecurity and Infrastructure Security Agency (CISA), Emergency Directive 21-01 of 13 December 2020 and successor advisories; Government of the United States, public statements identifying affected Federal departments, December 2020 – April 2021.
  5. FireEye public disclosure of 8 December 2020; coordinated FireEye, SolarWinds, Microsoft, and CISA disclosures of 13 December 2020; CISA Emergency Directive 21-01.
  6. Joint statement of the FBI, ODNI, NSA, and CISA, 5 January 2021, "Joint Statement by the Federal Bureau of Investigation (FBI), the Office of the Director of National Intelligence (ODNI), the National Security Agency (NSA), and the Cybersecurity and Infrastructure Security Agency (CISA)."
  7. White House statement, "Imposing Costs for Harmful Foreign Activities by the Russian Government," 15 April 2021; United States Department of the Treasury, designations of 15 April 2021; Executive Order 14024 of 15 April 2021.
  8. Cyber Safety Review Board, Review of the December 2021 Log4j Event, July 2022; United States Senate Select Committee on Intelligence and House Committee on Homeland Security inquiry records; Government Accountability Office, SolarWinds Cyberattack: Federal Response Demonstrates Importance of Centralized Coordination, January 2022.
  9. Russian Foreign Ministry statements on the SolarWinds attribution, April 2021 onward; Russian counter-sanctions and counter-expulsion announcements, April 2021.
  10. David E. Sanger, The Perfect Weapon: War, Sabotage, and Fear in the Cyber Age (Crown, 2018), and successor reporting in The New York Times, December 2020 onward; Ben Buchanan, The Hacker and the State: Cyber Attacks and the New Normal of Geopolitics (Harvard University Press, 2020).
  11. Executive Order 14028 of 12 May 2021, "Improving the Nation's Cybersecurity"; National Defense Authorization Act for Fiscal Year 2021, Pub. L. 116-283; Cyber Incident Reporting for Critical Infrastructure Act of 2022, Pub. L. 117-103.
  12. Office of the Director of National Intelligence and CISA public statements on the post-attribution operational closure, April 2021 onward; congressional hearings on SolarWinds, 2021–2022.