SolarWinds Orion Security Breach: Cyberattack Timeline and Hacking Incident Details
The SolarWinds Orion security breach, a.k.a. SUNBURST, impacted numerous U.S. government agencies, business customers and consulting firms — triggering emergency U.S. national security meetings in The White House. Here’s a timeline of the SolarWinds SUNBURST hack, featuring ongoing updates from a range of security and media sources.
Among the important items to note:
- SolarWinds continues to update a SUNBURST / Orion Security Advisory here;
- A related SolarWinds SUNBURST FAQ about the incident is here;
- The company says SolarWinds MSP tools — widely deployed by managed IT services providers (MSPs) to support SMB customers — were not involved in the breach. But as a precaution, SolarWinds MSP revoked digital certificates for its MSP tools and required customers to digitally re-sign into its products; and
- SolarWinds MSP President John Pagliuca’s statement is here.
The SolarWinds Orion breach surfaces during a time of transition at the company. Indeed a planned CEO transition from Kevin Thompson to Sudhakar Ramakrishna occurred on January 4, 2021. Also, the company is striving to spin out its SolarWinds MSP business as a standalone, publicly traded company, in 2021. SolarWinds MSP will be renamed N-able as part of the expected spin-out.
Note: Originally published December 17, 2020. Updated regularly thereafter.
SolarWinds Orion Hack: SUNBURST Security Incident Timeline
The timeline below connects the dots between the original SolarWinds Orion hack; how FireEye discovered the hacker activity; SolarWinds’ response since learning of the attack; and the U.S. federal government’s statements about the attack. Read from the bottom up for chronological updates.
Thursday, January 14, 2021:
- Labor Department Data Is Safe: The Labor Department’s statistical arm—which prepares the jobs report and other market-sensitive information about the U.S. economy—was breached in the SolarWinds hack, but data wasn’t lost or corrupted, Labor Secretary Eugene Scalia said. Source: The Wall Street Journal, January 14, 2021.
Monday, January 11, 2021:
- Kaspersky said the SolarWinds Orion hack closely resembled malware tied to a hacking group known as Turla, which Estonian authorities have said operates on behalf of Russia’s FSB security service. Source: Reuters, January 11, 2021.
- Adjusted Attack Timeline: SolarWinds CEO disclosed an updated attack timeline, indicating that hackers had first accessed SolarWinds on September 4, 2019. Source: SolarWinds blog, January 11, 2021.
Friday, January 8, 2021:
- New SolarWinds CEO Sudhakar Ramakrishna disclosed three cybersecurity priorities following SolarWinds Orion hack. Source: ChannelE2E, January 8, 2021.
- SolarWinds hired former CISA & Facebook security leaders Chris Krebs & Alex Stamos, respectively, as consultants. Source: MSSP Alert, January 8, 2021.
Wednesday, January 6, 2021:
- Russia may have hacked the JetBrains TeamCity DevOps tool as part of the alleged plot earlier this year to plant malware in SolarWinds Orion, The New York Times reported.
- CISA has released Emergency Directive (ED) 21-01 Supplemental Guidance version 3: Mitigate SolarWinds Orion Code Compromise. Source: CISA.
- Former SolarWinds CEO Kevin Thompson has agreed to consult for the company through June 1, 2021. The agreement essentially ensures that Thompson will assist with the Orion breach investigation and other matters. Source: SolarWinds SEC filing, January 6, 2021.
Tuesday, January 5, 2021:
- Russia Allegedly Behind Attacks: A group of U.S. intelligence agencies on Tuesday formally accused Russia of being linked to the recently discovered hack of IT group SolarWinds that compromised much of the federal government, The Hill reports. The FBI, the Office of the Director of National Intelligence (ODNI), the National Security Agency (NSA) and the Cybersecurity and Infrastructure Security Agency (CISA) attributed the effort to Russia. Source: The Hill, January 5, 2021.
- Endpoint Protection: SentinelOne released a free SUNBURST identification tool to help enterprises determine attack readiness. The open-source assessment tool allows users to identify if the SUNBURST malware variant at the heart of the SolarWinds attack campaign would have infected their devices, SentinelOne says.
Thursday, December 31, 2020:
- Microsoft says Russian hackers viewed some of the software company’s source code, but the hackers were unable to modify the code or get into Microsoft’s products and services. Source: The New York Times, December 31, 2020.
Wednesday, December 30, 2020:
- Updated CISA Guidance: The CISA updated its guidance on the SolarWinds Orion vulnerability. Specifically, all federal agencies operating versions of the SolarWinds Orion platform other than those identified as “affected versions” are required to use at least SolarWinds Orion Platform version 2020.2.1HF2. The National Security Agency (NSA) has examined this version and verified that it eliminates the previously identified malicious code. Given the number and nature of disclosed and undisclosed vulnerabilities in SolarWinds Orion, all instances that remain connected to federal networks must be updated to 2020.2.1 HF2 by COB December 31, 2020. Source: CISA, December 30, 2020.
Thursday, December 24, 2020:
- Latest SolarWinds Statement & Patches: SolarWinds summarized its latest patches and fixes for the Orion Supernova attack.
Wednesday, December 23, 2020:
- Crowdstrike earlier this year was targeted as part of the attack, but hackers did not gain entry into Crowdstrike’s systems. Source: Crowdstrike, December 23, 2020.
Tuesday, December 22, 2020:
- U.S. Treasury Department Emails Compromised: Dozens of email accounts at the Treasury Department were compromised with hackers breaking into systems used by the department’s highest-ranking officials. Source: Associated Press, December 22, 2020.
Monday, December 21, 2020:
- Statement – U.S. Treasury Department: The hack impacted the Treasury Department’s unclassified systems but the department has not seen any damage, Treasury Secretary Steven Mnuchin said in a CNBC interview on Monday. Source: Reuters, December 21, 2020.
- Who Got Infected: Organizations such as Cisco Systems, Intel, Nvidia, Deloitte, VMware and Belkin had installed the infected SolarWinds Orion software, though it’s unclear if the hackers actually took additional steps once the infected software found its way into those organizations. Source: The Wall Street Journal, December 21, 2020.
Saturday, December 19, 2020:
- Trump Administration: U.S. Secretary of State Mike Pompeo blamed Russia for the SolarWinds Orion Sunburst hack that compromised numerous federal agencies and U.S. corporations, while President Trump said he was skeptical of a growing consensus in Washington about the country’s role. Source: The Wall Street Journal, December 19, 2020.
- Who Got Hacked: Roughly 198 organizations, overall, were hacked using the SolarWinds backdoor, according to Allan Liska, a threat analyst at Recorded Future. Source: Bloomberg, December 19, 2020.
Thursday, December 17, 2020:
- US CERT alert issued. Source: SolarWinds Blog, January 11, 2021.
- IT Service Providers Targeted: Microsoft has discovered more than 40 of its customers were targeted. Roughly 44 percent of those customers were IT service providers, software or technology companies. Microsoft described the need for a “strong and global cybersecurity response.” Source: Microsoft President Brad Smith, December 16, 2017.
- Five IT solutions providers and consulting firms — Deloitte, Digital Sense, ITPS, Netdecisions and Stratus Networks — were breached earlier this year via the SolarWinds Orion vulnerability. Source: Trusec, December 17, 2020.
- U.S. Nuclear Agency Targeted: Hackers accessed systems at the National Nuclear Security Administration, which maintains the U.S. nuclear weapons stockpile. Source: Politico, December 17, 2020.
- Microsoft Investigation: “We can confirm that we detected malicious Solar Winds binaries in our environment, which we isolated and removed. We have not found evidence of access to production services or customer data. Our investigations, which are ongoing, have found absolutely no indications that our systems were used to attack others.” Source: Microsoft Spokesman Frank Shaw via Twitter, December 17, 2020.
- White House Meetings: The White House is meeting daily to discuss the SolarWinds Orion breach, attack victims, potential fallout, and a potential response. Source: Bloomberg Radio.
- SolarWinds Statement About Stock Sales, CEO Transition: The Washington Post raised questions about private equity companies Thoma Bravo and Silver Lake Partners selling some SolarWinds shares ahead of the breach disclosure. However, SolarWinds said: “In order to be as clear as possible, we want to highlight that the exploration by SolarWinds of the potential spinoff of its MSP business and the departure of our CEO, were announced in August 2020. Finally, all sales of stock by executive officers in November were made under pre-established Rule 10b5-1 selling plans and not discretionary sales.” Source: SolarWinds SEC filing, December 17, 2020; The Washington Post, December 15, 2020.
- United States Cybersecurity Policy: President-elect Joe Biden vowed to elevate cybersecurity as an “imperative” when he takes office and said he would not “stand idly by” in the face of cyberattacks following a massive breach that impacted the U.S. government. President Trump has not publicly commented about the attack. Source: The Hill, December 17, 2020.
Wednesday, December 16, 2020:
- SolarWinds MSP Update: On the one hand, SolarWinds MSP’s software was not part of the attack. But on the other hand, the SolarWinds MSP group is taking extra steps to mitigate risk at this time. Specifically, SolarWinds MSP on December 16 told its partners that it will revoke digital certificates for its MSP tools and require customers to digitally re-sign into its products. SolarWinds will begin issuing the new certificates on December 18 and will revoke all of its old certificates by December 21. Source: CRN, December 17, 2020.
- Attack Kill Switch: A key malicious domain name used in the attack has been commandeered by security experts and used as a “killswitch.” Source: KrebsOnSecurity.
- New York Times Editorial: “The magnitude of this national security breach is hard to overstate,” according to Thomas P. Bossert, former homeland security adviser to President Trump. Source: The New York Times.
- FBI Investigation: As the lead for threat response, the FBI is investigating and gathering intelligence in order to attribute, pursue, and disrupt the responsible threat actors. Source: CISA, December 16, 2020.
- Private Equity Statement About Stock Sales: The Washington Post raised questions about private equity companies Thoma Bravo and Silver Lake Partners selling some SolarWinds shares ahead of the breach disclosure. However: “Thoma Bravo and Silver Lake were not aware of this potential cyberattack at SolarWinds prior to entering into a private placement to a single institutional investor on 12/7.” Sources: CNBC, December 16, 2020; The Washington Post, December 15, 2020.
Tuesday, December 15, 2020:
- SolarWinds releases software fix. Source: SolarWinds Blog, January 11, 2021.
- Attack Victims: The victims include the U.S. Commerce and Treasury Departments; the Department of Homeland Security (DHS), the National Institutes of Health and the State Department. Source: The Wall Street Journal.
- Investigation Request: A bipartisan group of six senators want the FBI and the Cybersecurity and Infrastructure Security Agency (CISA) to submit a report to Congress about the impact of the SolarWinds cyber attack on agencies. The lawmakers want answers to six questions including how many agencies were impacted, how the FBI and CISA worked together to address the attack, and if agencies failed to implement FISMA or other cyber laws. The senators also want an additional briefing on the topics. Source: Federal News Network.
Monday, December 14, 2020:
- SolarWinds SEC Filing: The software company discloses the breach in an SEC filing. Source: SolarWinds and the SEC.
- SolarWinds Stock Falls: Shares in $SWI fall about $20 on the breach news.
Sunday, December 13, 2020:
- CISA Emergency Directive: The Cybersecurity and Infrastructure Security Agency (CISA), part of the U.S. Department of Homeland Security, issues emergency directive 21-01, ordering federal agencies to power down SolarWinds Orion because of a substantial security threat. Source: MSSP Alert.
- SolarWinds Security Advisory: SolarWinds issues a Security Advisory outlining the Orion platform hack and associated defensive measures. Source: MSSP Alert.
- FireEye Disclosure: FireEye says an attacker has leveraged the SolarWinds supply chain to compromise multiple global victims. Source: FireEye.
- Microsoft Guidance: Microsoft offered this guidance regarding the attacks.
- Media Coverage: The initial report hinting at the SolarWinds Orion hack surfaces from Reuters. Hackers believed to be working for Russia have been monitoring internal email traffic at the U.S. Treasury and Commerce departments, according to people familiar with the matter, adding they feared the hacks uncovered so far may be the tip of the iceberg. Source: Reuters.
Saturday, December 12, 2020:
- FireEye Alerts SolarWinds CEO: A FireEye executive advised SolarWinds CEO Kevin Thompson that Orion contained a vulnerability as the result of a cyberattack. Source: SolarWinds SEC filing, December 17, 2020.
- Emergency NSC White House Meeting: The National Security Council holds a meeting at the White House on Saturday to discuss a breach of multiple government agencies and businesses. The NSC is the U.S. President’s principal forum for considering national security and foreign policy matters with his senior national security advisors and cabinet officials. Source: Reuters, December 13, 2020.
Friday, December 11, 2020:
- FireEye Discovers SolarWinds Was Attacked: During a FireEye breach investigation, FireEye discovers that SolarWinds Orion updates had been corrupted and weaponized by hackers. Source: Multiple reports.
Wednesday, December 9, 2020: Note — the CEO transition plan and stock transactions mentioned below were announced a few days before SolarWinds apparently knew about the breach.
- SolarWinds CEO Transition: The company discloses Sudhakar Ramakrishna will succeed Kevin Thompson as SolarWinds president and CEO, effective January 4, 2021. The CEO announcement is made before FireEye apparently alerts SolarWinds about the breach two days later on December 11. Source: ChannelE2E.
- SolarWinds Stock Transactions: On the financial front, Canada Pension Plan Investment Board (CPP Investments) has made a $315 million secondary investment in SolarWinds. The deal involves CPP buying an existing stake from private equity firms Silver Lake and Thoma Bravo, and their respective co-investors. The transaction disclosure is made before FireEye apparently alerts SolarWinds about the breach two days later on December 11. Source: ChannelE2E.
Tuesday, December 8, 2020:
- FireEye Suffers Attack: FireEye discloses that state-sponsored hackers broke into FireEye’s network and stole the company’s Red Team penetration testing tools. Source: MSSP Alert.
June 4, 2020:
- Threat actor removes malware from build VMs. Source: SolarWinds Blog, January 11, 2021.
March 26, 2020:
- Hotfix 5 DLL available to customers. Source: SolarWinds Blog, January 11, 2021.
February 20, 2020:
- SUNBURST attack was compiled and deployed. Source: SolarWinds Blog, January 11, 2021.
September 12, 2019 through November 4, 2019:
- The threat actor injected test code and performed a trial run. Source: SolarWinds Blog, January 11, 2021.
September 4, 2019:
- A threat actor accessed SolarWinds. Source: SolarWinds blog, January 11, 2021.