SolarWinds Hack 2020: Sunburst Supply-Chain Attack

Dive into the Sunburst backdoor inserted into Orion updates—impacting 18 000 customers—and learn CI/CD integrity controls.

1. Introduction

The SolarWinds Hack 2020, also widely known as the Sunburst Supply-Chain Attack, stands as one of the most consequential cybersecurity breaches in modern history. By inserting a backdoor into legitimately signed software updates, attackers reached thousands of organizations, including U.S. government agencies and Fortune 500 companies. This case study explores the anatomy, impact, and lessons of the SolarWinds hack, providing insights for cybersecurity professionals and organizations worldwide.

2. Background: SolarWinds and Its Role in IT Infrastructure

SolarWinds is a prominent provider of IT management and monitoring solutions; its flagship product, Orion, was used by roughly 33,000 customers globally at the time of the breach. Orion monitors and manages networks, servers, and applications, and to do so it holds SNMP, WMI, SSH and database credentials for much of the estate and is routinely allowed to reach segments that ordinary workstations cannot. A compromise of Orion therefore hands an attacker a trusted, privileged, widely connected process inside the customer network, putting the confidentiality, integrity, and availability of that environment at risk.

For more on SolarWinds’ market position, see Gartner’s NPMD Market Guide.

3. Timeline of the SolarWinds Hack

  • September 2019: Threat actors gain initial access to SolarWinds’ environment. SolarWinds’ own reconstruction dates first access to September 4, 2019, followed within days by a harmless test modification injected into the Orion build to prove the technique.
  • February–March 2020: The Sunburst backdoor is compiled into Orion builds (SolarWinds dates the first Sunburst build to February 20, 2020); the first trojanized release, Orion 2019.4 HF 5, becomes available to customers on March 26, 2020.
  • March–June 2020: Signed, trojanized Orion updates (2019.4 HF 5, 2020.2, and 2020.2 HF 1) are distributed through the official update channel; in June 2020 the attackers remove their implant from the build environment.
  • December 8, 2020: FireEye discloses that it has been breached and that its red-team tools were stolen; its investigation traces the intrusion to an Orion update.
  • December 13, 2020: FireEye and SolarWinds publicly disclose the supply-chain attack; CISA issues Emergency Directive 21-01 the same day.
  • December 2020 onward: Investigation and remediation efforts across affected organizations.

For a detailed timeline, refer to CISA’s SolarWinds Advisory.

4. Anatomy of the Sunburst Supply-Chain Attack

4.1 Initial Compromise

The attackers, believed to be a sophisticated nation-state group, first gained access to SolarWinds’ internal network as early as September 2019. The exact vector has never been confirmed publicly; hypotheses include stolen or weak credentials, exploitation of an internet-facing remote-access or third-party application, and targeted phishing of SolarWinds staff. Once inside, the adversaries demonstrated patience and operational security, conducting extensive reconnaissance and a dry run of the build modification before moving to the next phase.

4.2 Malware Insertion into Orion Software

Between February and June 2020, the attackers surreptitiously injected the Sunburst backdoor into Orion software builds. They did not steal the signing key or tamper with the signed output; instead an implant on the build server (later named SUNSPOT by CrowdStrike) watched for the Orion build to start, replaced a source file (InventoryManager.cs) with a backdoored copy while the compiler ran, and restored the original afterwards. The resulting SolarWinds.Orion.Core.BusinessLayer.dll was therefore compiled, signed, and published by SolarWinds’ own release pipeline, so every integrity check based on the vendor’s signature passed. The attack leveraged the trust customers placed in SolarWinds’ software distribution process, and it shows that a signature attests only that the vendor signed the bytes, not that the bytes came from the sources the vendor reviewed.

For technical details, see Mandiant’s Sunburst Analysis.
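The following Python example is added here to make that last point concrete; it is not SolarWinds’, CrowdStrike’s or Mandiant’s code. It models a release pipeline with three steps (compile, sign, verify) and a SUNSPOT-style swap of a source file before the compile step. Signing is simulated with HMAC-SHA256 so the script needs no third-party crypto library (a real pipeline uses Authenticode and X.509, but the logic is the same), the source files are constructed toy strings that only borrow the real file name, and the "compiler" is a deterministic concatenation. The check that catches the implant is an independent rebuild from the reviewed sources compared digest-for-digest with what the pipeline signed.

```python
"""Why a valid code signature did not protect Orion customers (added example)."""
import hashlib
import hmac

# Reviewed source tree (constructed sample, not real Orion code).
REVIEWED_SOURCES = {
    "InventoryManager.cs": "class InventoryManager { void Refresh() { Poll(); } }",
    "BusinessLayer.cs": "class BusinessLayer { void Start() { Run(); } }",
}

# What a SUNSPOT-style implant substitutes on the build host while the build runs.
IMPLANTED_SOURCES = dict(REVIEWED_SOURCES)
IMPLANTED_SOURCES["InventoryManager.cs"] = (
    "class InventoryManager { void Refresh() { Poll(); Beacon(); } }"
)

# Stand-in for the vendor's code-signing key (assumption: HMAC replaces Authenticode).
SIGNING_KEY = b"release-signing-key"


def compile_sources(sources: dict) -> bytes:
    """Deterministic toy 'compiler': concatenates files in sorted order."""
    return b"".join(
        f"{name}\n{body}\n".encode() for name, body in sorted(sources.items())
    )


def sign(artifact: bytes) -> str:
    """Vendor signs whatever the compiler produced."""
    return hmac.new(SIGNING_KEY, artifact, hashlib.sha256).hexdigest()


def verify_signature(artifact: bytes, signature: str) -> bool:
    """What a customer's installer checks: is this signed by the vendor?"""
    return hmac.compare_digest(sign(artifact), signature)


def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def vendor_pipeline(sources_on_build_host: dict):
    """Compile whatever is on disk at build time, then sign the result."""
    artifact = compile_sources(sources_on_build_host)
    return artifact, sign(artifact)


def reproducible_build_check(artifact: bytes) -> bool:
    """Independent rebuild from the reviewed sources must match the shipped digest."""
    return sha256(compile_sources(REVIEWED_SOURCES)) == sha256(artifact)


def assess(sources_on_build_host: dict) -> dict:
    """Run both checks against the artifact the pipeline would have shipped."""
    artifact, signature = vendor_pipeline(sources_on_build_host)
    return {
        "signature_valid": verify_signature(artifact, signature),
        "matches_reviewed_sources": reproducible_build_check(artifact),
    }


if __name__ == "__main__":
    print("clean build:   ", assess(REVIEWED_SOURCES))
    print("implanted build:", assess(IMPLANTED_SOURCES))
```

The implanted build passes signature verification exactly as the clean one does; only the rebuild-and-compare step disagrees. That is the control the later SLSA and reproducible-build efforts formalize: a second, isolated builder (or a verifiable provenance attestation) that ties the shipped digest to the reviewed sources rather than to the signer’s key alone.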

4.3 Distribution to Customers

The compromised Orion updates were distributed via SolarWinds’ official update channels to fewer than 18,000 customers. The backdoor lived inside SolarWinds.Orion.Core.BusinessLayer.dll, a signed component loaded by the Orion service, so it ran with the service’s privileges the moment the update was installed. After a dormancy period it beaconed to the attackers, who used the beacon data to decide which victims were worth second-stage tooling; the vast majority were never tasked. This phase exemplifies the leverage of supply-chain attacks, where a single compromise cascades across thousands of organizations and lets the attacker choose targets from the inside.

5. Detection and Disclosure

5.1 Discovery by FireEye

The breach was first detected by FireEye (whose threat-intelligence and incident-response arm continues as Mandiant, now part of Google Cloud) in December 2020, when the company noticed suspicious activity in its internal network, including a newly registered device enrolled in its multi-factor authentication system. FireEye’s investigation revealed the Sunburst backdoor and traced the compromise to a SolarWinds Orion update. FireEye’s rapid response and transparency, including publishing indicators of compromise and detection rules, were instrumental in uncovering the broader scope of the attack.

Read FireEye’s disclosure: FireEye Cyber Attack Disclosure.

5.2 Public Announcement and Response

On December 13, 2020, SolarWinds and FireEye publicly announced the supply-chain compromise. The U.S. Cybersecurity and Infrastructure Security Agency (CISA) issued Emergency Directive 21-01 the same day, ordering federal agencies to disconnect or power down affected Orion products and to treat hosts running them as compromised. The coordinated disclosure triggered a global incident response effort, with organizations racing to inventory Orion installations, assess exposure, and hunt for follow-on activity.

See CISA’s directive: CISA Emergency Directive 21-01.

6. Impact and Scope of the Breach

6.1 Affected Organizations

The SolarWinds hack affected a wide range of organizations, including:

  • U.S. federal agencies (e.g., Treasury, Commerce, Homeland Security)
  • Major technology firms (e.g., Microsoft, Cisco)
  • Critical infrastructure providers
  • Private sector enterprises worldwide
Fewer than 18,000 customers installed a trojanized update, but targeted follow-on activity was observed in a much smaller subset of high-value victims, on the order of a hundred organizations by later U.S. government estimates.

For a list of affected entities, see Reuters’ coverage.

6.2 Types of Data Compromised

The attackers gained access to a variety of sensitive data, including:

  • Email communications
  • Intellectual property
  • Confidential documents
  • Network configurations and credentials
The full extent of data exfiltration has not been disclosed for many government entities, but the breach exposed critical information assets across sectors, including source code at some technology companies and unclassified email at several federal agencies.

6.3 Global Repercussions

The Sunburst supply-chain attack had far-reaching consequences:

  • Undermined trust in software supply chains
  • Prompted global reviews of third-party risk management
  • Led to increased scrutiny of software development and update processes
  • Accelerated adoption of zero-trust security models
The incident highlighted the interconnectedness of digital ecosystems and the systemic risk posed by supply-chain vulnerabilities.

For global impact analysis, refer to ENISA’s report.

7. Attack Attribution and Threat Actors

7.1 Evidence and Analysis

Forensic analysis by FireEye/Mandiant, Microsoft, CrowdStrike, Volexity and Palo Alto Networks’ Unit 42 identified tactics, techniques, and procedures (TTPs) consistent with an advanced persistent threat (APT) actor. The attackers used custom malware, obfuscated code, per-victim infrastructure, and stealthy lateral movement to evade detection for months.

7.2 Suspected Nation-State Involvement

The January 2021 joint statement by the FBI, CISA, ODNI and NSA assessed the actor as “likely Russian in origin”, and in April 2021 the U.S. government formally attributed the campaign to Russia’s Foreign Intelligence Service (SVR), the group commonly tracked as APT29 or Cozy Bear (Microsoft: NOBELIUM; FireEye: UNC2452; Volexity: Dark Halo). The attribution rests on technical indicators, infrastructure overlaps, and operational patterns observed in previous campaigns. Definitive attribution in cyberspace remains challenging due to the potential for false flags and overlapping TTPs.

See the official U.S. government statement: CISA-FBI-ODNI Joint Statement.

8. Technical Analysis of Sunburst Malware

8.1 Malware Capabilities

The Sunburst malware is a first-stage backdoor that, once activated, enabled attackers to:

  • Execute commands, read, write and delete files, query and set registry values, and reboot the host (the backdoor’s built-in job set)
  • Profile the victim (domain name, running processes, services, drivers, network configuration) and report back before any further action
  • Deliver second-stage tooling (the TEARDROP loader carrying Cobalt Strike BEACON) used for credential harvesting, privilege escalation, and lateral movement
  • Exfiltrate sensitive data
Sunburst ran inside the legitimate, signed Orion service and mimicked its normal behaviour, making detection challenging; credential theft and lateral movement were carried out with the follow-on tooling rather than by the backdoor itself.

For a detailed breakdown, see MITRE ATT&CK: SUNBURST.

8.2 Evasion Techniques

Sunburst employed multiple evasion techniques, including:

  • Lying dormant for 12 to 14 days after the trojanized DLL was first loaded, so that the backdoor did not beacon during the window in which a fresh update is most closely watched
  • Hashing the names of running processes, services and drivers and comparing them against an embedded blocklist of security and forensic tools; on a match the backdoor stayed inactive or tried to disable the tool via the registry
  • Refusing to run unless the host was domain-joined, and skipping SolarWinds’ own test domains
  • Beaconing first over DNS to subdomains of avsvmcloud[.]com and only later over HTTPS, with traffic shaped like the Orion Improvement Program (OIP) telemetry that Orion sends legitimately
  • Encoding the victim’s domain name into the generated subdomain, a DGA-style scheme that let the operators identify victims from DNS alone and steer, through the DNS response, which of them received second-stage tasking
These techniques allowed the malware to remain undetected in victim environments for extended periods.

See SANS Institute’s malware analysis.

8.3 Command and Control Infrastructure

Sunburst’s first-stage channel was DNS: the generated subdomain of avsvmcloud[.]com resolved to a CNAME whose target told the backdoor whether to stop, keep sleeping, or proceed. Selected victims were then pointed at an HTTPS C2 host and exchanged tasking disguised as Orion Improvement Program traffic, with commands and results hidden inside documents shaped like ordinary Orion XML and JSON data. The C2 infrastructure was spread across many domains and hosted largely in the victims’ own countries, notably on U.S. VPS providers, so that beacons did not stand out as foreign traffic. Because activation was decided per victim, the operators confined the noisier second-stage phase to a small set of targets.

For C2 infrastructure details, see CrowdStrike’s technical report.
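A hunt over resolver logs is the most direct way to act on the two preceding subsections. The Python example below is added here and is not from the original page or from FireEye/Mandiant or any other vendor. It applies two rules to constructed sample DNS log lines: an exact indicator match on avsvmcloud[.]com (written undefanged in the code so the matcher works), including the published regional pattern `<label>.appsync-api.<region>.avsvmcloud.com`, and a generic “long, high-entropy left-most label” heuristic for DGA-style names. The log format (timestamp, client IP, query name, record type), the entropy and length thresholds, and the left-most labels in the sample lines are assumptions for the example, not real indicators; adapt the parser to your resolver’s format.

```python
"""Hunting for SUNBURST-style DNS beacons in resolver logs (added example)."""
import math
import re
from collections import Counter
from typing import List, Optional, Tuple

# avsvmcloud[.]com was the SUNBURST stage-one C2 domain.
C2_PARENT = "avsvmcloud.com"
# Published first-stage pattern: generated label under a regional appsync-api subdomain.
REGIONAL_RE = re.compile(
    r"^[a-z0-9]{15,}\.appsync-api\.(eu-west-1|us-east-1|us-east-2|us-west-2)\."
    + re.escape(C2_PARENT) + r"$"
)
MIN_DGA_LABEL_LEN = 16   # assumed heuristic thresholds; tune for your estate
MIN_DGA_ENTROPY = 3.3

# Constructed sample lines in an assumed "<ts> <client> <qname> <qtype>" format.
# The left-most labels are made up for the example and are not real IOCs.
SAMPLE_LOG = """\
2020-06-02T14:12:03Z 10.20.1.15 www.solarwinds.com A
2020-06-02T14:12:07Z 10.20.1.15 6a57jk2ba1d9keg15cbg.appsync-api.eu-west-1.avsvmcloud.com A
2020-06-02T14:13:44Z 10.20.1.40 mail.example.internal A
2020-06-02T14:15:10Z 10.20.1.15 k5kcubuassl3alrf7gm3.appsync-api.us-east-2.avsvmcloud.com A
2020-06-02T14:16:01Z 10.20.1.22 cdn.example.net A
2020-06-02T14:17:30Z 10.20.1.22 zq8w1x0v4y7u3t2r9s6pn5m.example-dga.net A
"""


def shannon_entropy(s: str) -> float:
    """Bits of entropy per character; 0.0 for an empty or single-symbol string."""
    n = len(s)
    if n == 0:
        return 0.0
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())


def parse_line(line: str) -> dict:
    ts, client, qname, qtype = line.split()
    return {"ts": ts, "client": client, "qname": qname.lower().rstrip("."), "qtype": qtype}


def classify(qname: str) -> Optional[str]:
    """Return a verdict string for a suspicious query name, or None."""
    if qname == C2_PARENT or qname.endswith("." + C2_PARENT):
        verdict = "ioc:avsvmcloud-c2"
        if REGIONAL_RE.match(qname):
            verdict += " (sunburst-subdomain-pattern)"
        return verdict
    label = qname.split(".")[0]
    if len(label) >= MIN_DGA_LABEL_LEN and shannon_entropy(label) >= MIN_DGA_ENTROPY:
        return "heuristic:high-entropy-label"
    return None


def hunt(log_text: str) -> List[Tuple[str, str, str]]:
    """Return (client, qname, verdict) for every line that trips a rule."""
    alerts = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = parse_line(line)
        verdict = classify(rec["qname"])
        if verdict:
            alerts.append((rec["client"], rec["qname"], verdict))
    return alerts


if __name__ == "__main__":
    for client, qname, verdict in hunt(SAMPLE_LOG):
        print(f"{client:12} {verdict:45} {qname}")
```

The exact-domain rule is the one that matters for this incident: any query for avsvmcloud[.]com from an Orion host between March and December 2020 is a confirmed Sunburst beacon regardless of whether the victim was ever tasked. The entropy heuristic is a generic DGA catch-all and will need allow-listing for CDNs and cloud services that also use long random labels; treat it as a lead for triage, not as an indicator by itself.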

9. Lessons Learned

9.1 Supply-Chain Security Risks

The SolarWinds hack underscored the critical risks associated with software supply chains. Organizations must recognize that trusted vendors can become attack vectors, that a valid vendor signature proves only who signed the bytes and not what went into them, and that supply-chain security is as important as internal defenses. Key lessons include:

  • Continuous monitoring of third-party software
  • Rigorous vendor risk assessments
  • Verification of software integrity and authenticity

For guidance on supply-chain risk management, consult NIST SP 800-161.

9.2 Detection and Response Improvements

The breach highlighted the need for enhanced detection and response capabilities, including:

  • Behavioral analytics and anomaly detection
  • Threat intelligence integration
  • Rapid incident response and containment procedures
  • Regular security audits and red teaming
Organizations must assume that breaches are inevitable and invest in capabilities to detect and respond to advanced threats. In this incident the decisive signal was not the backdoor itself but what followed it: an unexpected device registered for multi-factor authentication, anomalous outbound DNS from a monitoring server, and identity abuse that no signature check would have caught.

See CIS Community Defense Model for best practices.

9.3 Recommendations for Organizations

To mitigate supply-chain risks and enhance resilience, organizations should:

  • Implement zero-trust architectures
  • Enforce least privilege and network segmentation
  • Regularly update and patch all software
  • Monitor for indicators of compromise (IOCs) from trusted sources
  • Engage in threat intelligence sharing with industry peers
Because the follow-on phase of this campaign relied on stolen credentials and forged tokens, organizations should also treat credential theft and lateral movement as first-class detection goals rather than as downstream symptoms. For a comprehensive checklist, refer to CISA’s SolarWinds Remediation Guidance.

10. Changes in Cybersecurity Policy and Industry Standards

The SolarWinds hack prompted significant changes in cybersecurity policy and industry standards:

  • The U.S. government issued Executive Order 14028 to strengthen federal cybersecurity
  • Increased adoption of SBOMs (Software Bill of Materials) for software transparency
  • Enhanced requirements for secure software development lifecycles (SDLC)
  • Greater emphasis on supply-chain risk management in frameworks such as ISO/IEC 27001 and NIST Cybersecurity Framework
These changes aim to reduce systemic risk and improve the overall security posture of organizations worldwide.

For industry perspectives, see ISACA’s analysis.

11. Conclusion

The SolarWinds Hack 2020 and the Sunburst supply-chain attack represent a watershed moment in cybersecurity history. By backdooring trusted, signed software updates, attackers demonstrated the vulnerability of interconnected digital ecosystems. The breach catalyzed a global reassessment of supply-chain security, detection capabilities, and policy frameworks. As organizations adapt to the evolving threat landscape, the lessons of SolarWinds will continue to shape cybersecurity strategies for years to come.

Posted by Ethan Carter