SUNBURST
On December 13, 2020, The Washington Post reported that multiple government agencies were breached through SolarWinds's Orion software.[58] The next day, the company stated in an SEC filing that fewer than 18,000 of its 33,000 Orion customers were affected, involving certain hotfixes of versions 2019.4 through 2020.2.1, released between March 2020 and June 2020.[3] According to Microsoft, hackers acquired superuser access to SAML token-signing certificates.[59] This SAML certificate was then used to forge new tokens to allow hackers trusted and highly privileged access to networks.[60] The Cybersecurity and Infrastructure Security Agency issued Emergency Directive 21–01 in response to the incident, advising all federal civilian agencies to disable Orion.[61]
APT29, aka Cozy Bear, working for the Russian Foreign Intelligence Service (SVR), was reported to be behind the 2020 attack.[62][63] Victims of this attack include the cybersecurity firm FireEye, the US Treasury Department, the US Department of Commerce's National Telecommunications and Information Administration, as well as the US Department of Homeland Security.[64][65] Prominent international SolarWinds customers investigating whether they were impacted include the North Atlantic Treaty Organization (NATO), the European Parliament, UK Government Communications Headquarters, the UK Ministry of Defence, the UK National Health Service (NHS), the UK Home Office, and AstraZeneca.[66][67]
The attack used a backdoor in a SolarWinds library; when an update to SolarWinds occurred, the malicious attack would go unnoticed due to the trusted certificate.[72] In November 2019, a security researcher notified SolarWinds that credentials to a third party FTP server had a weak password of "solarwinds123", warning that "any hacker could upload malicious [code]" that would then be distributed to SolarWinds customers.[73][74] The New York Times reported SolarWinds did not employ a chief information security officer and that employee passwords had been posted on GitHub in 2019.[75]
On December 15, 2020, SolarWinds reported the breach to the Securities and Exchange Commission. However, SolarWinds continued to distribute malware-infected updates, and did not immediately revoke the compromised digital certificate used to sign them.[76][77][78]
On December 16, 2020, German IT news portal Heise.de reported that SolarWinds had for some time been encouraging customers to disable anti-malware tools before installing SolarWinds products.[79][80]
On December 17, 2020, SolarWinds said it would revoke the compromised certificates by December 21, 2020.[81]
On December 21, 2020, Attorney General William Barr stated that he believed that the SolarWinds hack appears to have been perpetrated by Russia, contradicting speculations by President Donald Trump that China, not Russia, might be to blame.[82]
In late December 2020, Trustwave, a cybersecurity firm, reached out to SolarWinds to report new security flaws they had discovered in software produced by SolarWinds. Although these vulnerabilities hadn't been taken advantage of by hackers, it raised questions concerning the network security of SolarWinds' customers.[83]
The magnitude of the monetary damage has yet to be calculated, but on January 14, 2021, CRN.com reported that the attack could cost cyber insurance firms at least $90 million.[84][85]
On March 1, 2021, SolarWinds CEO, Sudhakar Ramakrishna, blamed a company intern for using an insecure password ("solarwinds123") on its update server. Speculation that this led to the attack is discounted by the company and security professionals.[86][87] More than the intern using a weak password, experts noted that the main issue this fact highlights is the poor security culture the company has.[88]
In the aftermath of the incident there has been question raised within the US Government about the role Microsoft carried out in enabling the breach. This relates to the "golden SAML" vulnerability in Microsoft's directory offerings that the company had knowledge of but did not address. Senator Ron Wyden questioned why the US Government spent so much money on Microsoft software without the company warning it of this hacking technique.[89]