SolarWinds Orion Security Breach: Cyberattack Timeline and Hacking Incident Details
The SolarWinds Orion security breach, a.k.a. SUNBURST, impacted numerous U.S. government agencies, business customers and consulting firms. Here’s a timeline of the SolarWinds SUNBURST hack, featuring ongoing updates from a range of security and media sources.
Among the important items to note:
- SolarWinds offers a SUNBURST / Orion Security Advisory here;
- A related SolarWinds SUNBURST FAQ about the incident is here;
- The company says SolarWinds MSP tools were not involved in the incident; and
- SolarWinds MSP’s statement is here.
The SolarWinds Orion breach surfaced during a time of transition at the company. Indeed a planned CEO transition from Kevin Thompson to Sudhakar Ramakrishna occurred on January 4, 2021. Also, the company is striving to spin out its SolarWinds MSP business as a standalone, publicly traded company, in 2021. SolarWinds MSP will be renamed N-able as part of the expected spin-out.
Note: Originally published December 17, 2020. Updated regularly thereafter.
SolarWinds Orion Hack: SUNBURST Security Incident Timeline
The timeline below connects the dots between the original SolarWinds Orion hack; how FireEye discovered the hacker activity; SolarWinds’ response since learning of the attack; and the U.S. federal government’s statements about the attack. Read from the bottom up for chronological updates.
Monday, March 29, 2021:
- Russia Allegedly Hacked U.S. Homeland Security Leader: Suspected Russian hackers gained access to email accounts belonging to the Trump administration’s head of the Department of Homeland Security and members of the department’s cybersecurity staff whose jobs included hunting threats from foreign countries. The accounts were allegedly accessed as part of the SolarWinds Orion hack. Source: Associated Press, March 29, 2021.
Wednesday, March 17, 2021:
- Updated CISA Guidance: The CISA has released a table of tactics, techniques, and procedures (TTPs) used by the advanced persistent threat (APT) actor involved with the recent SolarWinds and Active Directory/M365 compromise. Source: CISA, March 17, 2021.
Tuesday, March 9, 2021:
- Guidance Recap: The CISA issued specific guidance on remediating networks affected by the SolarWinds and Active Directory/Microsoft 365 compromise. See this web page and this guide for details. Source: CISA, March 9, 2021.
Thursday, March 4, 2021:
- More Malware: Blogs from Microsoft and FireEye describe more malware that may be tied to the SolarWinds Orion hack. Sources: Microsoft, FireEye, March 4, 2021.
Friday, February 26, 2021:
- More SolarWinds Breach Hearings: Cybersecurity executives are due to face their second round of Congressional questions today over their companies’ roles in the sprawling series of digital intrusions blamed on the Russian government. SolarWinds CEO Sudhakar Ramakrishna, Microsoft President Brad Smith, and FireEye CEO Kevin Mandia are due to address a joint hearing of the House Committees on Oversight and Reform and Homeland Security. Source: Reuters, February 26, 2021.
Thursday, February 25, 2021:
- SolarWinds Earnings, N-able Spin Out: SolarWinds today announced its first quarterly results since disclosing the Orion security incident in December 2020. Also, the N-able (formerly SolarWinds MSP) spin-out is on track for Q2, 2021. Sources: ChannelE2E and MSSP Alert.
Tuesday, February 23, 2021:
- U.S. to Sanction Russia: The Biden administration is preparing sanctions and other measures to punish Moscow for actions that go beyond the sprawling SolarWinds cyberespionage campaign to include a range of malign cyberactivity and the near-fatal poisoning of a Russian opposition leader, said U.S. officials familiar with the matter. Source: The Washington Post, February 23, 2021.
- Senate Hearing: The Senate Intelligence Committee today held a hearing about the SolarWinds breach. SolarWinds, Microsoft, FireEye and CrowdStrike executives testified. Among the hot items of discussion: CrowdStrike alleged that Microsoft Active Directory and Azure Active Directory have antiquated authentication architectures that provide a key threat vector for hackers to hit. Also, testimony from multiple sources pointed to Russia as the alleged source of the attacks. Source: Reuters and the Associated Press, February 23, 2021.
Monday, February 22, 2021:
- House Hearing: The U.S. House of Representatives’ Oversight and Homeland Security Committees will hold a joint hearing on Friday on cybersecurity incidents including the attack targeting SolarWinds Orion Software, it said in a statement. Source: Reuters, February 22, 2021.
Friday, February 19, 2021:
- White House Pursues Hackers, Seeks Justice: The U.S. will be taking a series of steps to respond to the devastating SolarWinds cyber hack and hold accountable those responsible in “short order,” national security adviser Jake Sullivan told CNN’s Christiane Amanpour. Source: CNN, February 19, 2021.
Thursday, February 18, 2021:
- Upcoming Senate Hearing: The Senate Intelligence Committee on February 23 will hold a hearing about the SolarWinds breach. CEO Sudhakar Ramakrishna is expected to testify. Other witnesses will include Microsoft President Brad Smith, FireEye CEO Kevin Mandia and CrowdStrike President and CEO George Kurtz. Source: The Hill, February 18, 2021.
- Microsoft Update: Hackers studied small portions of Microsoft’s source code — including Azure components (subsets of service, security, identity), Intune and Exchange, the software giant revealed. Source: Microsoft, February 18, 2021.
Wednesday, February 17, 2021:
- White House Update: Deputy National Security Advisor Anne Neuberger says the federal review into the SolarWinds hack is in the early stages and will likely take several months to complete. Neuberger said the attack, which compromised “nine federal agencies and about 100 private companies,” was launched from inside the United States. Source: Seeking Alpha, February 17, 2021.
Wednesday, February 10, 2021:
- SolarWinds MSP Updates Partners: In a virtual meeting with partners, SolarWinds MSP leaders explained how the parent company investigated and mitigated the Orion attack, and reinforced that SolarWinds MSP’s own software was not targeted or compromised in the attack. We’ll share more details from the virtual meeting soon. Source: ChannelE2E
- White House Probes Orion Attack: Anne Neuberger, the deputy national security adviser for cyber and emergency technology, has been in charge of remediating the hack, identifying issues with the federal government’s response and launching a study aimed at preventing similar incidents, the White House said. Source: San Francisco Chronicle, February 10, 2021.
Monday, February 8, 2021:
- CISA Informational Update: The CISA issued this updated analysis of the SolarWinds Sunburst compromise. Source: CISA, February 8, 2021.
Thursday, February 4, 2021:
- Microsoft Was Not Initial Entry Point: Contrary to some industry speculation, Microsoft says it was not the initial entry point for the Solorigate actor. Source: Microsoft blog, February 4, 2021.
Tuesday, February 2, 2021:
- Did Hackers Use Microsoft Office 365 to Breach SolarWinds?: The hackers accessed at least one of SolarWinds’ Office 365 accounts by December 2019, and then leapfrogged to other Office 365 accounts used by the company, CEO Sudhakar Ramakrishna said. “Some email accounts were compromised. That led them to compromise other email accounts and as a result our broader [Office] 365 environment was compromised,” he said. One possibility is that the hackers may have compromised the company’s Office 365 accounts even earlier and then used that as the initial point of entry into the company, although that is one of several theories being pursued, Mr. Ramakrishna said. Source: The Wall Street Journal, February 2, 2021.
- Second Hacker Group – China?: At first glance, the SolarWinds vulnerability apparently involved Russian hackers. But a new report says suspected Chinese hackers also leveraged the vulnerability to break into U.S. government computers. Source: Reuters, February 2, 2021.
Friday, January 29, 2021:
- SolarWinds Was Only One Piece of the Puzzle: Approximately 30% of both the private-sector and government victims linked to the campaign had no direct connection to SolarWinds, Brandon Wales, acting director of the Cybersecurity and Infrastructure Security Agency, said. The attackers “gained access to their targets in a variety of ways. This adversary has been creative,” said Wales. “It is absolutely correct that this campaign should not be thought of as the SolarWinds campaign.” Source: The Wall Street Journal, January 29, 2021.
Tuesday, January 26, 2021:
- Sunburst Industrial Victims: Kaspersky has pinpointed how many industrial organizations fell victim to the SolarWinds Sunburst attack. The analysis is outlined here. Source: Kaspersky, January 26, 2021.
Friday, January 22, 2021:
- U.S. Cybersecurity: President Joe Biden is hiring a group of national security veterans with deep cyber expertise, drawing praise from former defense officials and investigators as the U.S. government works to recover from the SolarWinds Orion-related hacks of its agencies attributed to Russian spies. Source: Reuters, January 22, 2021.
Wednesday, January 20, 2021:
- Microsoft Investigation Update: Microsoft has published a blog that offers a closer look at Solorigate, Sunburst, Teardrop and Raindrop. Source: Microsoft, January 20, 2021.
Monday, January 18, 2021:
- Symantec Discovers Raindrop: Symantec, a division of Broadcom, has uncovered an additional piece of malware used in the SolarWinds attacks which was used against a select number of victims that were of interest to the attackers. Raindrop (Backdoor.Raindrop) is a loader which delivers a payload of Cobalt Strike. Source: Symantec, January 18, 2021.
Thursday, January 14, 2021:
- Labor Department Data Is Safe: The Labor Department’s statistical arm—which prepares the jobs report and other market-sensitive information about the U.S. economy—was breached in the SolarWinds hack, but data wasn’t lost or corrupted, Labor Secretary Eugene Scalia said. Source: The Wall Street Journal, January 14, 2021.
Monday, January 11, 2021:
- Kaspersky Findings: Kaspersky said the SolarWinds Orion hack closely resembled malware tied to a hacking group known as Turla, which Estonian authorities have said operates on behalf of Russia’s FSB security service. Source: Reuters, January 11, 2021.
- Adjusted Attack Timeline: SolarWinds CEO disclosed an updated attack timeline, indicating that hackers had first accessed SolarWinds on September 4, 2019. Source: SolarWinds blog, January 11, 2021.
Friday, January 8, 2021:
- New SolarWinds CEO Sudhakar Ramakrishna disclosed three cybersecurity priorities following SolarWinds Orion hack. Source: ChannelE2E, January 8, 2021.
- SolarWinds hired former CISA & Facebook security leaders Chris Krebs & Alex Stamos, respectively, as consultants. Source: MSSP Alert, January 8, 2021.
Wednesday, January 6, 2021:
- Russia may have hacked the JetBrains TeamCity DevOps tool as part of the alleged plot earlier this year to plant malware in SolarWinds Orion, The New York Times reported.
- CISA has released Emergency Directive (ED) 21-01 Supplemental Guidance version 3: Mitigate SolarWinds Orion Code Compromise. Source: CISA.
- Former SolarWinds CEO Kevin Thompson has agreed to consult for the company through June 1, 2021. The agreement essentially ensures that Thompson will assist with the Orion breach investigation and other matters. Source: SolarWinds SEC filing, January 6, 2021.
Tuesday, January 5, 2021:
- Russia Allegedly Behind Attacks: A group of U.S. intelligence agencies on Tuesday formally accused Russia of being linked to the recently discovered hack of IT group SolarWinds that compromised much of the federal government, The Hill reports. The FBI, the Office of the Director of National Intelligence (ODNI), the National Security Agency (NSA) and the Cybersecurity and Infrastructure Security Agency (CISA) attributed the effort to Russia. Source: The Hill, January 5, 2021.
- Endpoint Protection: SentinelOne released a free SUNBURST identification tool to help enterprises determine attack readiness. The open-source assessment tool allows users to identify if the SUNBURST malware variant at the heart of the SolarWinds attack campaign would have infected their devices, SentinelOne says.
Thursday, December 31, 2020:
- Microsoft says Russian hackers viewed some of the software company’s source code, but the hackers were unable to modify the code or get into Microsoft’s products and services. Source: The New York Times, December 31, 2020.
Wednesday, December 30, 2020:
- Updated CISA Guidance: The CISA updated its guidance on the SolarWinds Orion vulnerability. Specifically, all federal agencies operating versions of the SolarWinds Orion platform other than those identified as “affected versions” are required to use at least SolarWinds Orion Platform version 2020.2.1HF2. The National Security Agency (NSA) has examined this version and verified that it eliminates the previously identified malicious code. Given the number and nature of disclosed and undisclosed vulnerabilities in SolarWinds Orion, all instances that remain connected to federal networks must be updated to 2020.2.1 HF2 by COB December 31, 2020. Source: CISA, December 30, 2020.
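The directive above turns on a version check: every Orion instance on a federal network must be at 2020.2.1 HF2 or later, and the page itself spells the release both as “2020.2.1HF2” and “2020.2.1 HF2”. The following Python is an added example, not code from CISA or SolarWinds, showing how a defender might parse Orion version strings in either spelling and audit an asset inventory against that minimum. It assumes (not stated on the page) that a higher release number or a higher HF number within the same release supersedes the lower one; the hostnames and version strings in the sample inventory are constructed for illustration.

```python
import re
from typing import Dict, List, NamedTuple, Tuple

# Minimum version named in the CISA guidance quoted in the timeline entry above.
MINIMUM_VERSION = "2020.2.1 HF2"


class OrionVersion(NamedTuple):
    """Release components (e.g. (2020, 2, 1)) followed by the hotfix number (0 if none).

    Tuple ordering gives the comparison we want: release first, then hotfix.
    Assumption: a higher HF number within the same release supersedes the lower one.
    """
    release: Tuple[int, ...]
    hotfix: int


# Accepts "2020.2.1 HF2", "2020.2.1HF2", "2020.2.1 hf2" and plain "2020.2.1".
_VERSION_RE = re.compile(r"^\s*(\d+(?:\.\d+)*)\s*(?:HF\s*(\d+))?\s*$", re.IGNORECASE)


def parse_orion_version(text: str) -> OrionVersion:
    """Parse an Orion version string; raise ValueError for anything unrecognised."""
    match = _VERSION_RE.match(text)
    if not match:
        raise ValueError(f"unrecognised Orion version string: {text!r}")
    release = tuple(int(part) for part in match.group(1).split("."))
    # Pad to three components so "2020.2" compares as (2020, 2, 0).
    release = release + (0,) * (3 - len(release))
    hotfix = int(match.group(2)) if match.group(2) else 0
    return OrionVersion(release, hotfix)


def meets_minimum(version: str, minimum: str = MINIMUM_VERSION) -> bool:
    """True if `version` is at or above the required minimum."""
    return parse_orion_version(version) >= parse_orion_version(minimum)


def audit_inventory(inventory: Dict[str, str]) -> List[str]:
    """Return hostnames that still need updating.

    Hosts whose version string cannot be parsed are reported as well, since an
    unknown version cannot be shown to satisfy the directive.
    """
    noncompliant = []
    for host, version in inventory.items():
        try:
            if not meets_minimum(version):
                noncompliant.append(host)
        except ValueError:
            noncompliant.append(host)
    return sorted(noncompliant)


# Constructed sample inventory (hypothetical hostnames and versions, not from the page).
SAMPLE_INVENTORY = {
    "orion-east-01": "2020.2.1 HF2",   # compliant
    "orion-east-02": "2020.2.1HF2",    # compliant, alternate spelling
    "orion-west-01": "2020.2.1 HF1",   # one hotfix short
    "orion-west-02": "2019.4 HF5",     # older release line
    "orion-lab-01": "2020.2",          # no hotfix applied
    "orion-lab-02": "unknown",         # inventory gap, reported for follow-up
}

if __name__ == "__main__":
    for host in audit_inventory(SAMPLE_INVENTORY):
        print(f"{host}: {SAMPLE_INVENTORY[host]} does not meet {MINIMUM_VERSION}")
```

Treating an unparsable version as non-compliant, rather than silently skipping it, is deliberate: the directive applies to every connected instance, so a host the inventory cannot describe needs a manual check rather than a pass.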
Thursday, December 24, 2020:
- Latest SolarWinds Statement & Patches: SolarWinds summarized its latest patches and fixes for the Orion Supernova attack.
Wednesday, December 23, 2020:
- CrowdStrike earlier this year was targeted as part of the attack, but hackers did not gain entry into CrowdStrike’s systems. Source: CrowdStrike, December 23, 2020.
Tuesday, December 22, 2020:
- U.S. Treasury Department Emails Compromised: Dozens of email accounts at the Treasury Department were compromised with hackers breaking into systems used by the department’s highest-ranking officials. Source: Associated Press, December 22, 2020.
Monday, December 21, 2020:
- Statement – U.S. Treasury Department: The hack impacted the Treasury Department’s unclassified systems but the department has not seen any damage, Treasury Secretary Steven Mnuchin said in a CNBC interview on Monday. Source: Reuters, December 21, 2020.
- Who Got Infected: Organizations such as Cisco Systems, Intel, Nvidia, Deloitte, VMware and Belkin had installed the infected SolarWinds Orion software, though it’s unclear if the hackers actually took additional steps once the infected software found its way into those organizations. Source: The Wall Street Journal, December 21, 2020.
Saturday, December 19, 2020:
- Trump Administration: U.S. Secretary of State Mike Pompeo blamed Russia for the SolarWinds Orion Sunburst hack that compromised numerous federal agencies and U.S. corporations, while President Trump said he was skeptical of a growing consensus in Washington about the country’s role. Source: The Wall Street Journal, December 19, 2020.
- Who Got Hacked: Roughly 198 organizations, overall, were hacked using the SolarWinds backdoor, according to Allan Liska, a threat analyst at Recorded Future. Source: Bloomberg, December 19, 2020.
Thursday, December 17, 2020:
- US CERT alert issued. Source: SolarWinds Blog, January 11, 2021.
- IT Service Providers Targeted: Microsoft has discovered more than 40 of its customers were targeted. Roughly 44 percent of those customers were IT service providers, software or technology companies. Microsoft described the need for a “strong and global cybersecurity response.” Source: Microsoft President Brad Smith, December 16, 2020.
- Five IT solutions providers and consulting firms — Deloitte, Digital Sense, ITPS, Netdecisions and Stratus Networks — were breached earlier this year via the SolarWinds Orion vulnerability. Source: Trusec, December 17, 2020.
- U.S. Nuclear Agency Targeted: Hackers accessed systems at the National Nuclear Security Administration, which maintains the U.S. nuclear weapons stockpile. Source: Politico, December 17, 2020.
- Microsoft Investigation: “We can confirm that we detected malicious Solar Winds binaries in our environment, which we isolated and removed. We have not found evidence of access to production services or customer data. Our investigations, which are ongoing, have found absolutely no indications that our systems were used to attack others.” Source: Microsoft Spokesman Frank Shaw via Twitter, December 17, 2020.
- White House Meetings: The White House is meeting daily to discuss the SolarWinds Orion breach, attack victims, potential fallout, and a potential response. Source: Bloomberg Radio.
- SolarWinds Statement About Stock Sales, CEO Transition: The Washington Post raised questions about private equity companies Thoma Bravo and Silver Lake Partners selling some SolarWinds shares ahead of the breach disclosure. However, SolarWinds said: “In order to be as clear as possible, we want to highlight that the exploration by SolarWinds of the potential spinoff of its MSP business and the departure of our CEO, were announced in August 2020. Finally, all sales of stock by executive officers in November were made under pre-established Rule 10b5-1 selling plans and not discretionary sales.” Sources: SolarWinds SEC filing, December 17, 2020; The Washington Post, December 15, 2020.
- United States Cybersecurity Policy: President-elect Joe Biden vowed to elevate cybersecurity as an “imperative” when he takes office and said he would not “stand idly by” in the face of cyberattacks following a massive breach that impacted the U.S. government. President Trump has not publicly commented about the attack. Source: The Hill, December 17, 2020.
Wednesday, December 16, 2020:
- SolarWinds MSP Update: On the one hand, SolarWinds MSP’s software was not part of the attack. But on the other hand, the SolarWinds MSP group is taking extra steps to mitigate risk at this time. Specifically, SolarWinds MSP on December 16 told its partners that it will revoke digital certificates for its MSP tools and require customers to digitally re-sign into its products. SolarWinds will begin issuing the new certificates on December 18 and will revoke all of its old certificates by December 21. Source: CRN, December 17, 2020.
- Attack Kill Switch: A key malicious domain name used in the attack has been commandeered by security experts and used as a “killswitch.” Source: KrebsOnSecurity.
- New York Times Editorial: “The magnitude of this national security breach is hard to overstate,” according to Thomas P. Bossert, former homeland security adviser to President Trump. Source: The New York Times.
- FBI Investigation: As the lead for threat response, the FBI is investigating and gathering intelligence in order to attribute, pursue, and disrupt the responsible threat actors. Source: CISA, December 16, 2020.
- Private Equity Statement About Stock Sales: The Washington Post raised questions about private equity companies Thoma Bravo and Silver Lake Partners selling some SolarWinds shares ahead of the breach disclosure. However: “Thoma Bravo and Silver Lake were not aware of this potential cyberattack at SolarWinds prior to entering into a private placement to a single institutional investor on 12/7.” Sources: CNBC, December 16, 2020; The Washington Post, December 15, 2020.
Tuesday, December 15, 2020:
- SolarWinds releases software fix. Source: SolarWinds Blog, January 11, 2021.
- Attack Victims: The victims include the U.S. Commerce and Treasury Departments; the Department of Homeland Security (DHS), the National Institutes of Health and the State Department. Source: The Wall Street Journal.
- Investigation Request: A bipartisan group of six senators want the FBI and the Cybersecurity and Infrastructure Security Agency (CISA) to submit a report to Congress about the impact of the SolarWinds cyber attack on agencies. The lawmakers want answers to six questions including how many agencies were impacted, how the FBI and CISA worked together to address the attack, and if agencies failed to implement FISMA or other cyber laws. The senators also want an additional briefing on the topics. Source: Federal News Network.
Monday, December 14, 2020:
- SolarWinds SEC Filing: The software company discloses the breach in an SEC filing. Source: SolarWinds and the SEC.
- SolarWinds Stock Falls: Shares in $SWI fall about $20 on the breach news.
Sunday, December 13, 2020:
- CISA Emergency Directive: The Cybersecurity and Infrastructure Security Agency (CISA), part of the U.S. Department of Homeland Security, issues emergency directive 21-01, ordering federal agencies to power down SolarWinds Orion because of a substantial security threat. Source: MSSP Alert.
- SolarWinds Security Advisory: SolarWinds issues a Security Advisory outlining the Orion platform hack and associated defensive measures. Source: MSSP Alert.
- FireEye Disclosure: FireEye says an attacker has leveraged the SolarWinds supply chain to compromise multiple global victims. Source: FireEye.
- Microsoft Guidance: Microsoft offered this guidance regarding the attacks.
- Media Coverage: The initial report hinting at the SolarWinds Orion hack surfaces from Reuters. Hackers believed to be working for Russia have been monitoring internal email traffic at the U.S. Treasury and Commerce departments, according to people familiar with the matter, adding they feared the hacks uncovered so far may be the tip of the iceberg. Source: Reuters.
Saturday, December 12, 2020:
- FireEye Alerts SolarWinds CEO: A FireEye executive advised SolarWinds CEO Kevin Thompson that Orion contained a vulnerability as the result of a cyberattack. Source: SolarWinds SEC filing, December 17, 2020.
- Emergency NSC White House Meeting: The National Security Council holds a meeting at the White House on Saturday to discuss a breach of multiple government agencies and businesses. The NSC is the U.S. President’s principal forum for considering national security and foreign policy matters with his senior national security advisors and cabinet officials. Source: Reuters, December 13, 2020.
Friday, December 11, 2020:
- FireEye Discovers SolarWinds Was Attacked: During a FireEye breach investigation, FireEye discovers that SolarWinds Orion updates had been corrupted and weaponized by hackers. Source: Multiple reports.
Wednesday, December 9, 2020: Note — the CEO transition plan and stock transactions mentioned below were announced a few days before SolarWinds apparently knew about the breach.
- SolarWinds CEO Transition: The company discloses Sudhakar Ramakrishna will succeed Kevin Thompson as SolarWinds president and CEO, effective January 4, 2021. The CEO announcement is made before FireEye apparently alerts SolarWinds about the breach two days later on December 11. Source: ChannelE2E.
- SolarWinds Stock Transactions: On the financial front, Canada Pension Plan Investment Board (CPP Investments) has made a $315 million secondary investment in SolarWinds. The deal involves CPP buying an existing stake from private equity firms Silver Lake and Thoma Bravo, and their respective co-investors. The transaction disclosure is made before FireEye apparently alerts SolarWinds about the breach two days later on December 11. Source: ChannelE2E.
Tuesday, December 8, 2020:
- FireEye Suffers Attack: FireEye discloses that state-sponsored hackers broke into FireEye’s network and stole the company’s Red Team penetration testing tools. Source: MSSP Alert.
June 4, 2020:
- Threat actor removes malware from build VMs. Source: SolarWinds Blog, January 11, 2021.
March 26, 2020:
- Hotfix 5 DLL available to customers. Source: SolarWinds Blog, January 11, 2021.
February 20, 2020:
- SUNBURST attack was compiled and deployed. Source: SolarWinds Blog, January 11, 2021.
December 2019:
- Office 365 Accounts Compromised: The hackers accessed at least one of SolarWinds’ Office 365 accounts by December 2019, and then leapfrogged to other Office 365 accounts used by the company, CEO Sudhakar Ramakrishna said. “Some email accounts were compromised. That led them to compromise other email accounts and as a result our broader [Office] 365 environment was compromised,” he said. One possibility is that the hackers may have compromised the company’s Office 365 accounts even earlier and then used that as the initial point of entry into the company, although that is one of several theories being pursued, Mr. Ramakrishna said. Source: The Wall Street Journal, February 2, 2021.
September 12, 2019 through November 4, 2019:
- The threat actor injected test code and performed a trial run. Source: SolarWinds Blog, January 11, 2021.
September 4, 2019:
- A threat actor accessed SolarWinds. Source: SolarWinds Blog, January 11, 2021.