2020 · breach · Government

SolarWinds — The Supply Chain Phantom

Russian intelligence operators compromised SolarWinds' Orion build pipeline and inserted a backdoor into signed product updates that roughly 18,000 customers installed, among them the US Treasury, the Department of Commerce, DHS and many Fortune 500 companies.

Root Cause

Attackers had access to SolarWinds' build environment from at least September 2019, ran a harmless test modification of an Orion build in late 2019, and began injecting the SUNBURST backdoor into production builds in early 2020. The SUNSPOT implant did the injection at compile time, so builds completed normally and no build failure or source-control diff revealed it. The resulting binaries were signed with SolarWinds' legitimate code-signing certificate, so neither the pipeline nor the customers' installers had any reason to reject them.

Aftermath

The intrusion into SolarWinds' environment went undetected for over a year, and trojanized Orion updates circulated for roughly nine months, until FireEye found the backdoor in December 2020 while investigating its own breach. The campaign led to Executive Order 14028 (May 2021) on improving national cybersecurity, which directed federal agencies toward zero-trust architecture and introduced SBOM and other software supply-chain requirements for software sold to the government. It also accelerated the SLSA framework for build and supply-chain integrity.

The Incident

Beginning in September 2019, operators attributed by the US government to Russia's SVR (tracked as UNC2452 by FireEye, NOBELIUM by Microsoft, and widely linked to APT29/Cozy Bear) accessed the build environment of SolarWinds, an Austin, Texas company whose Orion network monitoring platform was used by over 30,000 organizations worldwide, including the US Treasury, the Department of Homeland Security, the Department of Commerce and hundreds of Fortune 500 companies.

The attackers planted a tool called SUNSPOT on the build server. SUNSPOT watched for MsBuild to start compiling the Orion solution, swapped one source file (InventoryManager.cs) for a version containing the SUNBURST backdoor while the compiler read it, and then restored the original so that source control and any later review saw only clean code. The compromised binary was signed with SolarWinds' legitimate code-signing certificate and shipped through the normal update channel as a routine release.

Approximately 18,000 customers installed the compromised update. SUNBURST lay dormant for about two weeks after installation and then checked in over DNS, and the attackers delivered second-stage tooling only to a small set of targets they considered valuable, later estimated at around a hundred organizations, to limit the chance of discovery.

The Discovery

The backdoor went undetected for roughly nine months, and the intrusion behind it for over a year. It was discovered in December 2020 by cybersecurity firm FireEye, which was itself a SolarWinds customer. FireEye had detected an intrusion into its own network, during which its Red Team toolkit was stolen; tracing how the attacker had gained entry led back to a trojanized Orion DLL and, from there, to the broader SolarWinds compromise.

FireEye's decision to disclose its own breach publicly, rather than investigate quietly, is what surfaced one of the most significant cyber-espionage campaigns on record.

Why It Matters

SolarWinds proved that the software supply chain is the attack surface. The updates were signed. The vendor was trusted. The software was legitimate except for the part that wasn't. No standard verification a customer could run (signature check, vendor download channel, hash published by the vendor) would have flagged the update, because every one of those checks was satisfied by the vendor's own compromised pipeline. The attack exploited not a flaw in the software but a flaw in the trust model of software distribution itself: a valid signature proves that the vendor's pipeline produced those bytes, not that those bytes correspond to the source the vendor reviewed. Closing that gap is what reproducible builds and build provenance (the goal of SLSA) are for.
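To make the mechanism described under The Incident and the verification gap described here concrete, the following added example (not SolarWinds code and not SUNSPOT's actual implementation) models a SUNSPOT-style swap in a toy build pipeline. The source tree, the file names, the "compiler" and the HMAC-based "signing" are all stand-ins: the point is that a signature check and a source-tree integrity check both pass, and only an independent rebuild from the same source catches the tampered artifact.

```python
"""Toy model of a SUNSPOT-style build-time source swap and of which checks
catch it. Added example: not SolarWinds code and not SUNSPOT itself; the
source tree, compiler and signing key below are constructed stand-ins."""
import hashlib
import hmac

# Constructed miniature source tree (stand-in for the Orion solution).
CLEAN_SOURCE = {
    "InventoryManager.cs": b"class InventoryManager { void Refresh() { /* benign */ } }\n",
    "Core.cs": b"class Core { }\n",
}
# Constructed stand-in for the backdoored file SUNSPOT swapped in during compilation.
BACKDOORED_FILE = b"class InventoryManager { void Refresh() { Backdoor.Run(); } }\n"

# Stand-in for the vendor's code-signing key (a real pipeline uses a certificate).
VENDOR_SIGNING_KEY = b"vendor-release-signing-key-STAND-IN"


def tree_digest(source: dict) -> str:
    """Hash of the checked-in source tree: the view source review or an
    SCM-side integrity scan gets."""
    h = hashlib.sha256()
    for name in sorted(source):
        h.update(name.encode() + b"\0" + source[name] + b"\0")
    return h.hexdigest()


def compile_tree(source: dict) -> bytes:
    """Deterministic toy compiler. The artifact depends only on its inputs, which
    is what makes an independent rebuild comparable (reproducible builds)."""
    body = b"".join(name.encode() + b":" + source[name] for name in sorted(source))
    return b"BUILD\n" + body


def sign_artifact(artifact: bytes) -> str:
    """Toy signing step. HMAC stands in for the code-signing certificate; it
    proves only that the vendor's pipeline signed exactly these bytes."""
    return hmac.new(VENDOR_SIGNING_KEY, artifact, hashlib.sha256).hexdigest()


def verify_signature(artifact: bytes, signature: str) -> bool:
    return hmac.compare_digest(sign_artifact(artifact), signature)


def compromised_pipeline_build(source: dict) -> tuple:
    """Models the SUNSPOT sequence: swap one file in the working copy only while
    the compiler reads it, then put the original back before anyone looks.
    Returns (artifact, signature, tree digest before build, tree digest after)."""
    before = tree_digest(source)
    working_copy = dict(source)
    working_copy["InventoryManager.cs"] = BACKDOORED_FILE        # swap in
    artifact = compile_tree(working_copy)                         # compiler reads the swap
    working_copy["InventoryManager.cs"] = source["InventoryManager.cs"]  # restore
    after = tree_digest(working_copy)
    return artifact, sign_artifact(artifact), before, after


def independent_rebuild_matches(artifact: bytes, source: dict) -> bool:
    """The check that does catch it: rebuild from the same source on a build
    host the attacker does not control and compare artifact digests."""
    expected = hashlib.sha256(compile_tree(source)).hexdigest()
    return hmac.compare_digest(expected, hashlib.sha256(artifact).hexdigest())


def run_checks() -> dict:
    """Run every check a customer or the vendor might rely on against one
    artifact produced by the compromised pipeline."""
    artifact, sig, before, after = compromised_pipeline_build(CLEAN_SOURCE)
    return {
        "signature_valid": verify_signature(artifact, sig),      # True: signed after injection
        "source_tree_unchanged": before == after,                # True: swap was undone
        "rebuild_matches": independent_rebuild_matches(artifact, CLEAN_SOURCE),  # False
        "backdoor_in_artifact": b"Backdoor.Run()" in artifact,   # True
    }


if __name__ == "__main__":
    for name, result in run_checks().items():
        print(f"{name}: {result}")
```

The rebuild check only works because the toy compiler is deterministic; a real pipeline needs reproducible builds (pinned toolchain, no timestamps or absolute paths baked into the output) for an independent rebuild to be comparable, and SLSA's provenance requirement adds a signed statement of which builder consumed which source to produce which artifact, so the comparison can be made by the consumer rather than trusted from the vendor.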

Techniques: supply chain compromise · build pipeline injection