Solar Winds: The Story of Espionage & Exfiltration

Last year was a difficult one—the Covid-19 global pandemic, economic recession, social strife, and the ever-present threats of war and climate change-accelerated natural disaster. Yet 2020 was also a milestone year for cybersecurity attacks globally. The FBI reported a dramatic 400% increase1 in cyber-attacks after the onset of the pandemic, as expected with the massive online shift of work, school, and commerce. One of the largest cybersecurity breaches in history occurred during this period: SolarWinds. The US cybersecurity community learns more every day about the depth of this attack.

Impacting 18,000 of SolarWinds’s 300,000 customers, the breach is a sprawling international cyber espionage operation that will serve as a case study for security and intelligence specialists for years to come. Enabled by the malware, now known as Sunburst, the hack epitomizes the kind of Exfiltration and Espionage (E2) attacks that will only become more common and more sophisticated as cyber becomes the preferred modus operandi of 21st Century geopolitical proxy wars.

For the uninitiated, SolarWinds (SWI) is a publicly traded, Austin-based IT infrastructure management firm that is deeply embedded in the IT management supply chain of many Fortune 500 companies and several critical government agencies. SolarWinds is known for its Orion Platform, a suite of network management, IT operations, and security products. Several of these products effectively became carriers that propagated malicious code throughout the company’s network of clients, including DHS-CISA, DoD Cyber Command, DISA, NNSA, and the US Treasury Department. This attack itself has come to be known as Sunburst, Solarigate, and UNC2452.

Figure 1: Known affected agencies

About Ardent Insights

Ardent Insights is a monthly blog series, showcasing ‘actionable intelligence’ on technology- and data-related risks and opportunities facing governments and the constituents they serve, especially in the realms of public safety, disaster management, national security, law enforcement, public health, and smart/resilient infrastructure and systems.

Continue reading the Solarwinds series to discover how this attack happened and what can be learned.