2020: SolarWinds: The Supply Chain Attack That Compromised 18,000 Organizations

By The EmailCloud Team | 2020 Security Breach

On December 13, 2020, the cybersecurity firm FireEye (now Mandiant) disclosed that it had been the victim of a sophisticated cyberattack. The attackers had stolen FireEye’s proprietary hacking tools — the same kind of offensive security tools the company used to test clients’ defenses. But the truly alarming discovery wasn’t the theft itself. It was how the attackers got in.

They had compromised SolarWinds, a Texas-based company whose Orion network management software was used by approximately 33,000 organizations worldwide, including most Fortune 500 companies and multiple U.S. government agencies. The attackers had inserted malicious code into a routine Orion software update, and approximately 18,000 organizations had dutifully installed it.

The Trojan Update

The attack was a masterwork of patience and precision. The attackers — later attributed to Russia’s SVR intelligence service, operating as the group known as APT29 or Cozy Bear — had gained access to SolarWinds’ software build system sometime in early 2020 (some evidence suggests as early as October 2019).

They inserted a small piece of malicious code — dubbed SUNBURST — into the source code of Orion’s software update. The code was designed to blend in seamlessly with legitimate software. It used the same coding conventions as the real Orion code. It communicated with command-and-control servers using domain names designed to look like normal SolarWinds traffic. It waited 12-14 days after installation before activating, avoiding detection during immediate post-update monitoring.

When SolarWinds published its routine update (versions 2019.4 through 2020.2.1), signed with SolarWinds’ legitimate code-signing certificate, 18,000 organizations downloaded and installed it. They had no reason not to — it came through the normal update channel, bore the company’s digital signature, and appeared to be a standard maintenance release.

Each of those 18,000 organizations had now given the attackers a backdoor into their network.

The Email Harvest

Not all 18,000 compromised organizations were actively exploited. The attackers were selective, focusing their attention on high-value targets. They used the SUNBURST backdoor to conduct reconnaissance, identify valuable targets, and then deploy additional tools for deeper access.

Email systems were among the primary targets. At the U.S. Treasury Department, attackers accessed email accounts of senior officials. At the U.S. Commerce Department’s National Telecommunications and Information Administration (NTIA), email systems were compromised. The Department of Homeland Security, the State Department, and parts of the Pentagon were all affected.

The email access was devastating from an intelligence perspective. By reading the emails of senior government officials, the attackers gained insight into policy discussions, diplomatic communications, internal debates, and personnel matters — exactly the kind of intelligence that a foreign intelligence service would value most.

Microsoft revealed in December 2020 that the attackers had accessed its systems and viewed source code. In a subsequent disclosure in January 2021, Microsoft said the attackers had accessed email accounts of members of its senior leadership team. For a company that operates one of the world’s largest email platforms (Outlook/Exchange), this was particularly alarming.

The Scope

The full scope of the SolarWinds compromise was staggering:

Government agencies confirmed affected: U.S. Treasury, Commerce (NTIA), Homeland Security, State Department, parts of the Pentagon, National Institutes of Health, Department of Energy (including the National Nuclear Security Administration).

Private companies confirmed affected: FireEye (Mandiant), Microsoft, Intel, Cisco, Deloitte, and numerous others. Many affected companies never publicly disclosed their compromise.

Timeline: The attackers had access from approximately March 2020 to December 2020 — roughly nine months of undetected access to some of the most sensitive networks in the world.

Data accessed: Primarily email communications and internal documents. The full extent of data exfiltration may never be known, as sophisticated attackers are skilled at covering their tracks.

The Email System Vulnerability

The SolarWinds attack highlighted a critical vulnerability in how organizations protect their email. Most email security focuses on inbound threats — phishing emails, malicious attachments, spoofed senders. The defenses are designed to keep attackers out of the email system.

SolarWinds demonstrated that attackers who are already inside the network — through a supply chain compromise, a zero-day exploit, or any other method — can access email systems from the inside. Once inside the network, the attackers moved laterally to email servers, used stolen credentials to access mailboxes, and read emails at will. No phishing email was needed. No spam filter could have helped. The threat bypassed email security entirely by attacking the infrastructure underneath it.

This has implications for email architecture. Organizations that store all email on-premises in a single Exchange server are vulnerable to network-level compromise. Cloud-based email (Microsoft 365, Google Workspace) offers some additional protection through cloud security controls, but the SolarWinds attack showed that even cloud systems can be compromised through stolen credentials and forged authentication tokens — a technique the attackers used extensively.
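The forged-token technique mentioned above leaves one trace the mail service itself cannot see: the identity provider never logged issuing the token. The following detection check is an added example (not from this article and not SolarWinds or Microsoft code) that correlates cloud-mail sign-ins against the IdP's issuance log; the log fields, the constructed records and the one-hour lifetime policy are assumptions.

```python
from datetime import datetime, timedelta

# Constructed IdP issuance log: what the identity provider actually signed.
IDP_ISSUED = [
    {"assertion_id": "a-1001", "subject": "alice@example.test",
     "issued_at": "2020-11-02T09:00:00", "expires_at": "2020-11-02T10:00:00"},
    {"assertion_id": "a-1002", "subject": "bob@example.test",
     "issued_at": "2020-11-02T09:05:00", "expires_at": "2020-11-02T10:05:00"},
]

# Constructed cloud-mail sign-in log: assertions the service provider accepted.
SP_SIGNINS = [
    {"assertion_id": "a-1001", "subject": "alice@example.test",  # legitimate
     "seen_at": "2020-11-02T09:01:00", "expires_at": "2020-11-02T10:00:00"},
    {"assertion_id": "a-9999", "subject": "cfo@example.test",    # never issued
     "seen_at": "2020-11-02T23:40:00", "expires_at": "2020-11-03T23:40:00"},
    {"assertion_id": "a-1002", "subject": "bob@example.test",    # replayed late
     "seen_at": "2020-11-02T11:30:00", "expires_at": "2020-11-02T10:05:00"},
]

MAX_LIFETIME = timedelta(hours=1)  # assumed tenant policy for assertion validity


def _t(stamp):
    return datetime.fromisoformat(stamp)


def find_suspect_signins(idp_log, sp_log, max_lifetime=MAX_LIFETIME):
    """Map assertion_id -> reasons for sign-ins the IdP cannot vouch for.
    The mail service trusts any assertion whose signature verifies, so a token
    minted with a stolen signing key looks valid there; the IdP's own issuance
    log is the independent record that exposes it.
    """
    issued = {rec["assertion_id"]: rec for rec in idp_log}
    suspects = {}
    for s in sp_log:
        reasons = []
        rec = issued.get(s["assertion_id"])
        if rec is None:
            reasons.append("no IdP issuance record")
        else:
            if rec["subject"] != s["subject"]:
                reasons.append("subject differs from issued assertion")
            if not _t(rec["issued_at"]) <= _t(s["seen_at"]) <= _t(rec["expires_at"]):
                reasons.append("presented outside issued validity window")
        if _t(s["expires_at"]) - _t(s["seen_at"]) > max_lifetime:
            reasons.append("lifetime exceeds tenant policy")
        if reasons:
            suspects[s["assertion_id"]] = reasons
    return suspects
```

Running it on the constructed logs flags the never-issued assertion and the replayed one while leaving the legitimate sign-in alone.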

The Response

The U.S. government’s response was significant. In April 2021, the Biden administration formally attributed the attack to Russia’s SVR and announced sanctions against Russian entities and the expulsion of Russian diplomats. An executive order on cybersecurity issued in May 2021 mandated improved security practices for federal agencies and government software suppliers.

The cybersecurity industry responded with heightened focus on supply chain security — the practice of verifying the integrity of software and hardware throughout the entire development and distribution chain. Before SolarWinds, supply chain attacks were a known theoretical risk. After SolarWinds, they were a proven, demonstrated, catastrophic reality.

The Lesson

The SolarWinds attack demonstrated that email security cannot be considered in isolation. Email exists within a network, and the security of email is only as strong as the security of the network that surrounds it. The most sophisticated email encryption and the most aggressive spam filters are irrelevant if an attacker has direct access to the mail server from inside the network.

For organizations, the lesson is that email security is part of a broader security posture that includes network segmentation, privileged access management, software supply chain verification, and continuous monitoring. The attackers who read the Treasury Department’s emails didn’t need to send a single phishing message. They walked in through a door that every security team thought was locked.

Infographic


SolarWinds: The Supply Chain Attack That Compromised 18,000 Organizations — visual summary and key facts infographic

Frequently Asked Questions

What was the SolarWinds attack?

The SolarWinds attack was a supply chain compromise discovered in December 2020. Attackers inserted malicious code into updates to SolarWinds' Orion network management software. Approximately 18,000 organizations installed the compromised update, giving attackers access to their networks.

Who was behind the SolarWinds attack?

The U.S. government attributed the SolarWinds attack to SVR (Russia's foreign intelligence service), specifically a group known as APT29 or Cozy Bear. Russia denied involvement. The operation is considered one of the most sophisticated state-sponsored cyber operations ever detected.

How were email systems affected by SolarWinds?

Attackers used their access to read email communications at compromised organizations, including U.S. Treasury, Commerce, and other government agencies. At Microsoft, attackers accessed email accounts of senior leadership. Email was both a target for intelligence gathering and a tool for lateral movement.