SolarWinds Orion Security Breach: Cyberattack Timeline and Hacking Incident Details
The SolarWinds Orion security breach, a.k.a. SUNBURST, impacted numerous U.S. government agencies, business customers and consulting firms. Here’s a timeline of the SolarWinds SUNBURST hack, featuring ongoing updates from a range of security and media sources.
Among the important items to note:
- SolarWinds offers a SUNBURST / Orion Security Advisory here;
- A related SolarWinds SUNBURST FAQ about the incident is here;
- The company says SolarWinds MSP tools (spun off as the N-able software business in July 2021) were not involved in the incident.
The SolarWinds Orion breach surfaced during a time of transition at the company. Indeed, a planned CEO transition from Kevin Thompson to Sudhakar Ramakrishna occurred on January 4, 2021. Also, the company spun off its SolarWinds MSP (now N-able) business as a standalone, publicly traded company in July 2021.
Note: Originally published December 17, 2020. Updated regularly thereafter.
SolarWinds Orion Hack: SUNBURST Security Incident Timeline
The timeline below connects the dots between the original SolarWinds Orion hack; how FireEye discovered the hacker activity; SolarWinds’ response since learning of the attack; and the U.S. federal government’s statements about the attack. Read from the bottom up for chronological updates.
Thursday, September 7, 2021:
- Spying Allegations: The suspected Russian hackers who used SolarWinds and Microsoft software to burrow into U.S. federal agencies emerged with information about counter-intelligence investigations, policy on sanctioning Russian individuals and the country’s response to COVID-19. Source: Reuters, October 7, 2021.
Friday, September 10, 2021:
- SEC Investigation: Dozens of corporate executives are fearful that information from an SEC probe into the SolarWinds hack could expose them to liability. Source: Reuters, September 10, 2021.
Tuesday, August 3, 2021:
- Lawsuit: SolarWinds urged a Texas federal judge to dismiss a lawsuit alleging the software company misled shareholders about its cybersecurity measures ahead of the Orion security breach. A ruling on the motion is pending. Source: Reuters, August 3, 2021.
Friday, July 30, 2021:
- Hackers Hit U.S. Attorneys Offices via Microsoft Office 365: As part of the attack, hackers gained access to employees’ Microsoft Office 365 email accounts in 27 U.S. Attorneys’ offices. Source: U.S. Department of Justice, July 30, 2021.
Monday, June 21, 2021:
- SEC Investigation: The U.S. Securities and Exchange Commission (SEC) has opened a probe into the SolarWinds Orion cyber breach, focusing on whether some companies failed to disclose that they had been affected by the hack. Source: Reuters, June 21, 2021.
Wednesday, May 19, 2021:
- Early Entry?: The SolarWinds hackers were in the software company’s system as early as January 2019, months earlier than previously known, CEO Sudhakar Ramakrishna revealed. Source: Associated Press, May 19, 2021.
Monday, March 29, 2021:
- Russia Allegedly Hacked U.S. Homeland Security Leader: Suspected Russian hackers gained access to email accounts belonging to the Trump administration’s head of the Department of Homeland Security and members of the department’s cybersecurity staff whose jobs included hunting threats from foreign countries. The accounts were allegedly accessed as part of the SolarWinds Orion hack. Source: Associated Press, March 29, 2021.
Wednesday, March 17, 2021:
- Updated CISA Guidance: The CISA has released a table of tactics, techniques, and procedures (TTPs) used by the advanced persistent threat (APT) actor involved with the recent SolarWinds and Active Directory/M365 compromise. Source: CISA, March 17, 2021.
Tuesday, March 9, 2021:
- Guidance Recap: The CISA issued specific guidance on remediating networks affected by the SolarWinds and Active Directory/Microsoft 365 compromise. See this web page and this guide for details. Source: CISA, March 9, 2021.
Thursday, March 4, 2021:
- More Malware: Blogs from Microsoft and FireEye describe more malware that may be tied to the SolarWinds Orion hack. Sources: Microsoft, FireEye, March 4, 2021.
Friday, February 26, 2021:
- More SolarWinds Breach Hearings: Cybersecurity executives are due to face their second round of Congressional questions today over their companies’ roles in the sprawling series of digital intrusions blamed on the Russian government. SolarWinds CEO Sudhakar Ramakrishna, Microsoft President Brad Smith, and FireEye CEO Kevin Mandia are due to address a joint hearing of the House Committees on Oversight and Reform and Homeland Security. Source: Reuters, February 26, 2021.
Thursday, February 25, 2021:
- SolarWinds Earnings, N-able Spin Out: SolarWinds today announced its first quarterly results since disclosing the Orion security incident in December 2020. Also, the N-able (formerly SolarWinds MSP) spin-out is on track for Q2, 2021. Sources: ChannelE2E and MSSP Alert.