Museum Wire
2020 · breach · Government

SolarWinds — The Supply Chain Phantom

Russian intelligence compromised SolarWinds' Orion build pipeline, inserting a backdoor into updates distributed to 18,000+ customers including US Treasury, Commerce, DHS, and multiple Fortune 500 companies.

Root Cause

Attackers accessed SolarWinds' build environment as early as September 2019. SUNSPOT malware injected the SUNBURST backdoor into Orion builds without triggering build failures. Compromised updates were signed with SolarWinds' legitimate code-signing certificates.

Aftermath

Undetected for over a year, until FireEye found it while investigating a breach of its own network. Led to Executive Order 14028 on improving national cybersecurity, which mandated SBOM requirements and zero-trust architecture for federal systems, and accelerated the SLSA framework for supply chain integrity.

The Incident

Beginning in September 2019, operators of Russia's foreign intelligence service (tracked as APT29 by FireEye/Mandiant, Cozy Bear by CrowdStrike, and Nobelium by Microsoft) accessed the build environment of SolarWinds, a Texas-based company whose Orion network monitoring platform was used by over 30,000 organizations worldwide — including the US Treasury, Department of Homeland Security, Department of Commerce, and hundreds of Fortune 500 companies.

The attackers inserted a tool called SUNSPOT into the build pipeline. SUNSPOT monitored the build process and, when it detected an Orion build in progress, injected the SUNBURST backdoor into the source code — then restored the original source after the build completed. The compromised binary was signed with SolarWinds' legitimate code-signing certificate and distributed as a routine software update.

Approximately 18,000 customers installed the compromised update. The attackers then selectively activated the backdoor on high-value targets for deeper access.

The Discovery

The attack went undetected for over a year. It was discovered in December 2020 by cybersecurity firm FireEye, which was itself a SolarWinds customer. FireEye noticed the intrusion while investigating a separate breach of its own network, in which its red-team toolkit had been stolen. Tracing that theft back to its entry point led to the discovery of the broader SolarWinds compromise.

FireEye's decision to publicly disclose their own breach — rather than investigate quietly — is what enabled the discovery of one of the most significant cyber-espionage campaigns in history.

Why It Matters

SolarWinds proved that the software supply chain is the attack surface. The updates were signed. The vendor was trusted. The software was legitimate — except for the part that wasn't. Standard verification gave customers no way to tell: the signature checked out, because it was made with the vendor's real key over the backdoored binary, and the vendor's own source tree looked untouched, because the implant restored it after each build. The attack exploited not a flaw in the software, but a flaw in the trust model of software distribution itself: a valid signature proves who released the bits, not what went into them.
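The build-time substitution described under The Incident and the "signature checks out anyway" point above, as an added example. This is constructed illustration code, not SolarWinds', CrowdStrike's or any vendor's code: the file names and source text are stand-ins, a deterministic serialisation stands in for the compiler, and an HMAC stands in for the code-signing certificate. It runs the same source through a clean build and a build with a SUNSPOT-style implant, then applies three customer-side checks: signature verification (passes for both), an in-pipeline checkout-versus-compile measurement, and an independent rebuild from the reviewed source.

```python
"""
Toy build pipeline showing the SolarWinds failure mode: an implant swaps a
source file in only while the compiler runs, restores it afterwards, and the
resulting binary is signed with the vendor's real key. Signature verification
passes; an independent rebuild from reviewed source does not.
Constructed example, not SolarWinds or CrowdStrike code; every name, key and
the "compiler" are stand-ins.
"""
import hashlib
import hmac

# Constructed source tree: what was reviewed and checked in.
CLEAN_SOURCE = {
    "InventoryManager.cs": "class InventoryManager { void Refresh() { /* collect inventory */ } }",
    "Program.cs": "class Program { static void Main() { new InventoryManager().Refresh(); } }",
}

# Constructed stand-in for the file the implant swaps in during compilation.
BACKDOORED_FILE = (
    "InventoryManager.cs",
    "class InventoryManager { void Refresh() { Beacon.Start(); /* collect inventory */ } }",
)


def source_digest(tree):
    """Deterministic SHA-256 over (path, content) pairs in sorted order."""
    h = hashlib.sha256()
    for path in sorted(tree):
        h.update(path.encode() + b"\0" + tree[path].encode() + b"\0")
    return h.hexdigest()


def compile_tree(tree):
    """Stand-in for a deterministic compiler: the 'binary' is a canonical
    serialisation of the sources, so identical input gives identical bytes."""
    return b"".join(f"{p}\n{tree[p]}\n".encode() for p in sorted(tree))


def sign(artifact, key):
    """HMAC-SHA256 stands in for signing with the vendor's code-signing certificate."""
    return hmac.new(key, artifact, hashlib.sha256).hexdigest()


def verify_signature(artifact, signature, key):
    return hmac.compare_digest(sign(artifact, key), signature)


def vendor_build(tree, signing_key, implant=None):
    """Run the vendor's build. `implant`, if given, is (path, content) and models
    a SUNSPOT-style hook: substitute the file only for the duration of the
    compile, then put the original back so a later source check looks clean."""
    working = dict(tree)
    checkout_digest = source_digest(working)      # measured at checkout
    if implant is not None:
        working[implant[0]] = implant[1]
    compile_digest = source_digest(working)       # what the compiler actually saw
    artifact = compile_tree(working)
    if implant is not None:
        working[implant[0]] = tree[implant[0]]    # restore the original source
    return {
        "artifact": artifact,
        "signature": sign(artifact, signing_key),  # signed with the real key
        "checkout_digest": checkout_digest,
        "compile_digest": compile_digest,
        "post_build_digest": source_digest(working),
    }


def independent_rebuild_matches(release, reviewed_tree):
    """Reproducible-build check, done on a machine the vendor's build host cannot
    reach: rebuild from the reviewed source and compare bytes. Catches any
    build-time substitution regardless of what the build host reports."""
    return compile_tree(reviewed_tree) == release["artifact"]


def measurement_matches(release):
    """In-pipeline check: did the compiler see exactly what was checked out?
    Only trustworthy if the implant cannot also tamper with the measurement."""
    return release["checkout_digest"] == release["compile_digest"]


def demo():
    key = b"vendor-signing-key"  # constructed
    clean = vendor_build(CLEAN_SOURCE, key)
    tampered = vendor_build(CLEAN_SOURCE, key, implant=BACKDOORED_FILE)
    return {
        # Customer-side signature check passes for both, so it proves nothing here.
        "clean_sig_ok": verify_signature(clean["artifact"], clean["signature"], key),
        "tampered_sig_ok": verify_signature(tampered["artifact"], tampered["signature"], key),
        # A post-build scan of the source tree is also clean: the implant restored it.
        "tampered_source_looks_clean": tampered["post_build_digest"] == tampered["checkout_digest"],
        # The two checks that do discriminate.
        "clean_rebuild_ok": independent_rebuild_matches(clean, CLEAN_SOURCE),
        "tampered_rebuild_ok": independent_rebuild_matches(tampered, CLEAN_SOURCE),
        "tampered_measurement_ok": measurement_matches(tampered),
    }


if __name__ == "__main__":
    for check, result in demo().items():
        print(f"{check}: {result}")
```

The practitioner's caveat is in the last two checks. The in-pipeline measurement only works if the implant cannot also lie about what was measured, and an attacker who owns the build host usually can; the rebuild on infrastructure the vendor's build host cannot reach is the check that holds regardless, which is the idea behind reproducible builds and the build-provenance levels in SLSA that the page's Aftermath section mentions.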

Techniques
supply chain compromise · build pipeline injection