SolarWinds Orion Security Breach: Cyberattack Timeline and Hacking Incident Details

The SolarWinds Orion security breach, a.k.a. SUNBURST, impacted numerous U.S. government agencies, business customers and consulting firms. Here’s a timeline of the SolarWinds SUNBURST hack, featuring ongoing updates from a range of security and media sources.

Among the important items to note:

The SolarWinds Orion breach surfaced during a time of transition at the company. Indeed, a planned CEO transition from Kevin Thompson to Sudhakar Ramakrishna occurred on January 4, 2021. Also, the company spun off its SolarWinds MSP (now N-able) business as a standalone, publicly traded company in July 2021.

Note: Originally published December 17, 2020. Updated regularly thereafter.



SolarWinds Orion Hack: SUNBURST Security Incident Timeline

The timeline below connects the dots between the original SolarWinds Orion hack; how FireEye discovered the hacker activity; SolarWinds’ response since learning of the attack; and the U.S. federal government’s statements about the attack. Read from the bottom up for chronological updates.


Thursday, September 7, 2021:

  • Spying Allegations: The suspected Russian hackers who used SolarWinds and Microsoft software to burrow into U.S. federal agencies emerged with information about counter-intelligence investigations, policy on sanctioning Russian individuals and the country’s response to COVID-19. Source: Reuters, October 7, 2021.

Friday, September 10, 2021:

  • SEC Investigation: Dozens of corporate executives are fearful that information from an SEC probe into the SolarWinds hack could expose them to liability. Source: Reuters, September 10, 2021.

Tuesday, August 3, 2021:

  • Lawsuit: SolarWinds urged a Texas federal judge to dismiss a lawsuit alleging the software company misled shareholders about its cybersecurity measures ahead of the Orion security breach. A ruling on the motion is pending. Source: Reuters, August 3, 2021.

Friday, July 30, 2021:

  • Hackers Hit U.S. Attorneys Offices via Microsoft Office 365: As part of the attack, hackers gained access to employees’ Microsoft Office 365 email accounts in 27 U.S. Attorneys’ offices. Source: U.S. Department of Justice, July 30, 2021.

Monday, June 21, 2021:

  • SEC Investigation: The U.S. Securities and Exchange Commission (SEC) has opened a probe into the SolarWinds Orion cyber breach, focusing on whether some companies failed to disclose that they had been affected by the hack. Source: Reuters, June 21, 2021.

Wednesday, May 19, 2021:

  • Early Entry?: The SolarWinds hackers were in the software company’s system as early as January 2019, months earlier than previously known, CEO Sudhakar Ramakrishna revealed. Source: Associated Press, May 19, 2021.

Monday, March 29, 2021:

  • Russia Allegedly Hacked U.S. Homeland Security Leader: Suspected Russian hackers gained access to email accounts belonging to the Trump administration’s head of the Department of Homeland Security and members of the department’s cybersecurity staff whose jobs included hunting threats from foreign countries. The accounts were allegedly accessed as part of the SolarWinds Orion hack. Source: Associated Press, March 29, 2021.


Wednesday, March 17, 2021:



Tuesday, March 9, 2021:

  • Guidance Recap: The CISA issued specific guidance on remediating networks affected by the SolarWinds and Active Directory/Microsoft 365 compromise. See this web page and this guide for details. Source: CISA, March 9, 2021.

Thursday, March 4, 2021:

  • More Malware: Blogs from Microsoft and FireEye describe more malware that may be tied to the SolarWinds Orion hack. Sources: Microsoft, FireEye, March 4, 2021.

Friday, February 26, 2021:

  • More SolarWinds Breach Hearings: Cybersecurity executives are due to face their second round of Congressional questions today over their companies’ roles in the sprawling series of digital intrusions blamed on the Russian government. SolarWinds CEO Sudhakar Ramakrishna, Microsoft President Brad Smith, and FireEye CEO Kevin Mandia are due to address a joint hearing of the House Committees on Oversight and Reform and Homeland Security. Source: Reuters, February 26, 2021.

Thursday, February 25, 2021:

  • SolarWinds Earnings, N-able Spin Out: SolarWinds today announced its first quarterly results since disclosing the Orion security incident in December 2020. Also, the N-able (formerly SolarWinds MSP) spin-out is on track for Q2, 2021. Sources: ChannelE2E and MSSP Alert.

Continue to page two for earlier timeline dates.

Comments

    Jim Lippie:

    Wow Joe! Thank you for such a detailed and comprehensive write-up on the SolarWinds hack. This is obviously a lot of work and truly appreciated.

    Joe Panettieri:

    Hey Jim: Thanks for your note. Our goal was to provide one landing spot for partners to find official information from SolarWinds and credible third-parties. We’ll continue to make updates whenever relevant info surfaces.

    Best,
    -jp

    Dr. Yair Levy:

    Hi Joe,
    Any idea if the starting point for the “September 12, 2019 through November 4, 2019: The threat actor injected test code and performed a trial run. Source: SolarWinds Blog, January 11, 2021.” event was from social engineering or via system vulnerability?

    Joe Panettieri:

    Dr. Levy: Thank you for your note. I don’t know if the injection involved social engineering or system vulnerability. But I’ll ask that question next time I touch base with SolarWinds, and also listen for clues during next $SWI earnings call.

    In the meantime, in early January 2021 there was some speculation that perhaps a third-party DevOps software tool was somehow harnessed in the alleged Russia-led attack(s). But the third-party software provider denied that it had been breached.

    Best,
    -jp
