Decipher File · March 2020 to December 2020 (disclosure)
SolarWinds Sunburst: How Supply Chain Compromise Bypassed Every Endpoint Defense
The SolarWinds Sunburst incident is the cybersecurity supply chain compromise that defined the modern threat landscape. Beginning in March 2020 and disclosed in December 2020, threat actors implanted the SUNBURST backdoor into signed Orion Platform updates, reaching roughly 18,000 customer organizations including FireEye, Microsoft, and multiple US federal agencies.
Incident summary
SolarWinds Orion is a network management platform installed inside the perimeter of large enterprise and federal environments, typically holding privileged credentials for the devices it monitors. According to CISA Advisory AA20-352A, threat actors gained access to the Orion build environment and trojanized a legitimate Orion component, SolarWinds.Orion.Core.BusinessLayer.dll, in signed updates released between March and June 2020 (Orion Platform versions 2019.4 HF 5 through 2020.2.1 HF 1). Customers who installed those updates received a fully signed, vendor-trusted backdoor known as SUNBURST.
FireEye (now Mandiant) publicly disclosed the campaign on December 13, 2020, after tracing the intrusion into its own network, announced on December 8, back to the Orion update; the initial lead was an anomalous registration of a second MFA device on an employee account. Within days, the US Treasury, Department of Commerce, Department of Homeland Security, and parts of the State Department were reported to have Orion-related intrusions. CISA issued Emergency Directive 21-01 the same day, ordering federal agencies to disconnect or power down Orion systems.
SolarWinds stated in its SEC Form 8-K filing that fewer than 18,000 customers may have installed the trojanized update. A much smaller subset, later estimated by SolarWinds at fewer than 100 organizations (Microsoft counted roughly 40 among its own customers), received hands-on follow-on activity from the threat actor; for everyone else, SUNBURST never progressed beyond its first-stage check-in.
Attack technique
MITRE ATT&CK maps the operation to T1195.002, Compromise Software Supply Chain. The attackers compromised the Orion build environment and, rather than editing the source repository, swapped in a malicious source file during compilation (CrowdStrike later documented the build-time implant as SUNSPOT), so the repository looked clean while SolarWinds' own code-signing infrastructure cryptographically blessed the backdoored output. Endpoint products that trusted a valid publisher signature saw a legitimate SolarWinds certificate and let the file run.
After installation, SUNBURST stayed dormant for 12 to 14 days before checking in, and only activated on domain-joined hosts that were not running a blocklisted set of analysis and security tools. First-stage command and control used DNS: the backdoor resolved algorithmically generated subdomains of avsvmcloud[.]com that encoded the victim's domain name, and the CNAME record in the response told it whether to stay dormant or which second-stage server to contact. Mandiant documented the second-stage HTTP C2 domains, including deftsecurity[.]com and thedoccloud[.]com, used for hands-on operations on selected targets, typically through the TEARDROP loader and a Cobalt Strike Beacon.
Once active, the actor moved laterally with stolen credentials and then went after the identity layer: it stole the token-signing certificate from on-premises Active Directory Federation Services (AD FS) servers and used it to forge SAML assertions that authenticated to Microsoft 365 as any user it chose, the technique known as Golden SAML. Microsoft Threat Intelligence detailed this in its December 2020 customer guidance, alongside the related trick of adding attacker-controlled credentials to existing OAuth applications. Forged assertions bypassed multifactor authentication because MFA is enforced by the identity provider before it issues an assertion; a relying party that receives an assertion with a valid signature has no way to tell that the issuance step never happened.
Impact and consequences
SolarWinds disclosed in its SEC filings that it spent roughly $40 million on incident-related costs in 2021. Estimates of the aggregate cost to victims vary widely and none is authoritative: BitSight and Kovrr modeled roughly $90 million in cyber-insurance losses in January 2021, a figure that excludes uninsured incident response, forensic review, and credential rotation at federal agencies and large enterprises.
The incident catalyzed Executive Order 14028 on Improving the Nation's Cybersecurity, signed May 12, 2021. EO 14028 directed software bill of materials (SBOM) requirements for vendors selling to the federal government, established the Cyber Safety Review Board, and ordered agencies to plan for zero trust architecture; the follow-on OMB memorandum M-22-09 (January 2022) set the end of fiscal year 2024 as the deadline for specific zero trust goals.
On the legal front, the SEC charged SolarWinds and its CISO with fraud and internal-controls failures in October 2023, alleging that public statements about the company's security posture were materially misleading. In July 2024 the court dismissed most of the claims, leaving only those tied to the company's public security statement. Whatever the final outcome, it was the first time the SEC pursued a CISO personally over security disclosures, and it changed how security leaders review what their companies say in public.
Indicators of Compromise
Specific artifacts defenders should hunt for. Cross-reference them against existing detection rules before acting on them, and pull the full hash and domain lists from CISA AA20-352A and the Mandiant disclosure rather than relying on this summary.
- SolarWinds.Orion.Core.BusinessLayer.dll (trojanized component; multiple hashes published in CISA AA20-352A)
- avsvmcloud[.]com (first-stage DNS C2; DGA-generated subdomains under appsync-api.<region>.avsvmcloud[.]com encode the victim domain)
- deftsecurity[.]com (second-stage C2)
- freescanonline[.]com (second-stage C2)
- thedoccloud[.]com (second-stage C2)
- SAML tokens presented to Microsoft 365 that have no corresponding issuance event in AD FS audit logs, or that are signed by a token-signing certificate AD FS does not hold
- Low-frequency, jittered DNS lookups from Orion servers to external domains (intervals on the order of tens of minutes to hours rather than a fixed period)
Lessons for defenders
Code signatures verify the publisher, not the safety of the code. Every trojanized Orion build carried a valid SolarWinds signature, so allowlisting by publisher would have waved it through. Defenders need behavior-based detection that flags anomalous network beaconing and lateral movement regardless of signing status, and vendors need build-integrity controls that make the signed artifact correspond to the reviewed source.
Monitor outbound DNS from infrastructure tools. Orion is a network management product whose servers have no business resolving unfamiliar external domains. Periodic, jittered lookups from an Orion server to a domain it has never queried before are the smoking gun, but many environments had no DNS query telemetry from the management subnet, so the signal was never collected. Egress filtering that confines management servers to the vendor's update endpoints turns the same observation into a block.
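The DNS hunt described above (and the first-stage C2 behavior in the Attack technique section) is straightforward to run over query logs. The following is an added example written for this page, not code from the page, CISA or Mandiant. It assumes a CSV-style DNS log with the fields timestamp, source host and queried name; the C2 domains are the documented ones, while the host names, timestamps and subdomain labels in the sample are constructed for illustration.

```python
"""Hunt DNS query logs for SUNBURST-style first-stage C2 traffic.

Added example for this page; not code from the page, CISA or Mandiant.
Input is a constructed CSV-style DNS log: "timestamp,src_host,qname".
"""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Documented SUNBURST C2 domains (CISA AA20-352A / Mandiant), stored without
# defanging brackets so they match real log data.
SUNBURST_DOMAINS = {
    "avsvmcloud.com",       # first-stage DNS C2 (DGA subdomains)
    "deftsecurity.com",     # second-stage HTTP C2
    "freescanonline.com",   # second-stage HTTP C2
    "thedoccloud.com",      # second-stage HTTP C2
}

# Constructed sample log. orion-01 mimics the real pattern: long random labels
# under appsync-api.<region>.avsvmcloud.com at a low, jittered cadence.
# Host names, times and labels are invented.
SAMPLE_DNS_LOG = """\
2020-06-01T08:00:00,orion-01,downloads.solarwinds.com
2020-06-01T08:41:12,orion-01,a1q9zkd2rf7xm3vb8hnt.appsync-api.eu-west-1.avsvmcloud.com
2020-06-01T09:30:05,orion-01,c4r2ms0yt8kl6pd1wq5e.appsync-api.us-west-2.avsvmcloud.com
2020-06-01T10:12:40,orion-01,d9n5hb3jx7f2vs4ka0lm.appsync-api.us-east-2.avsvmcloud.com
2020-06-01T11:01:33,orion-01,e8t1wp6gq3zc5rn9yk2b.appsync-api.eu-west-1.avsvmcloud.com
2020-06-01T11:55:08,orion-01,f2k7lv4xh9m1sd6qp8ej.appsync-api.us-east-1.avsvmcloud.com
2020-06-01T08:00:30,ws-042,www.example.com
2020-06-01T08:00:31,ws-042,cdn.example.com
2020-06-01T08:00:32,ws-042,www.example.com
2020-06-01T08:00:33,ws-042,mail.example.com
"""


def parse_log(text):
    """Parse the CSV-style log into (timestamp, host, qname) tuples."""
    records = []
    for line in text.strip().splitlines():
        ts, host, qname = line.split(",")
        records.append((datetime.fromisoformat(ts), host, qname.lower().rstrip(".")))
    return records


def registered_domain(qname):
    """Naive eTLD+1 (last two labels); enough for the .com domains hunted here.
    Use a public-suffix library for general-purpose matching."""
    labels = qname.split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else qname


def find_ioc_hits(records):
    """Return every query whose registered domain is a known SUNBURST C2 domain."""
    return [r for r in records if registered_domain(r[2]) in SUNBURST_DOMAINS]


def beaconing_hosts(records, domain, min_queries=4, max_cv=0.5):
    """Flag hosts that query `domain` on a regular-but-jittered cadence.

    Inter-query gaps are computed per host; a coefficient of variation
    (stdev / mean) at or below `max_cv` means the timing is too regular for
    human-driven lookups. Returns {host: mean_gap_seconds}.
    """
    stamps_by_host = defaultdict(list)
    for ts, host, qname in records:
        if registered_domain(qname) == domain:
            stamps_by_host[host].append(ts)
    flagged = {}
    for host, stamps in stamps_by_host.items():
        if len(stamps) < min_queries:
            continue
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        m = mean(gaps)
        if m > 0 and pstdev(gaps) / m <= max_cv:
            flagged[host] = m
    return flagged


if __name__ == "__main__":
    recs = parse_log(SAMPLE_DNS_LOG)
    for ts, host, qname in find_ioc_hits(recs):
        print(f"IOC hit    {ts.isoformat()}  {host}  {qname}")
    for host, gap in beaconing_hosts(recs, "avsvmcloud.com").items():
        print(f"beaconing  {host}  mean gap {gap / 60:.1f} min to avsvmcloud.com")
```

The cadence test is deliberately scoped to one domain: run unscoped over all traffic it would flag every NTP client and update checker in the estate. The useful pairing is the cadence test plus a "first time this server has ever resolved this domain" filter, which is exactly the observation an Orion server should never produce. The DGA labels also encode the victim's domain name; published decoders exist, but the hunt above does not need them.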
Treat your build pipeline as a tier-zero asset. The actual breach was SolarWinds' build environment, not its source repository. Isolated and ephemeral build infrastructure, keeping code-signing keys off build systems (sign in a separate, audited step), and verifying that the built artifact matches the reviewed source mitigate this class of attack; SBOMs do not prevent it, but they let customers scope their exposure quickly. NIST published the Secure Software Development Framework (SSDF), SP 800-218, in February 2022 partly in response to this incident.
MFA matters less than identity provider integrity. The actor forged SAML assertions with a stolen AD FS token-signing certificate, so MFA, which AD FS enforces before it issues an assertion, never ran. The controls that mattered were hardening the identity provider itself (treat AD FS servers as tier zero, restrict who can log on to them, and keep the signing key in an HSM where possible), enabling AD FS auditing so that every issued token leaves an event, correlating cloud sign-ins against those issuance events to catch tokens AD FS never issued, and rotating the token-signing certificate, twice so that cached copies of the old one also expire, after any suspected compromise.
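The correlation this lesson calls for, as an added example written for this page rather than code from the page, Microsoft or CISA. The two log schemas are simplified constructions: real AD FS audit events (Event ID 1200, token issued) and Microsoft 365 sign-in records have to be mapped onto these fields first, and the users, timestamps, assertion IDs and certificate thumbprints in the samples are invented.

```python
"""Detect forged SAML tokens by correlating AD FS issuance with cloud sign-ins.

Added example for this page; not code from the page, Microsoft or CISA.
Both log formats are simplified constructions (headerless CSV).
"""

# Thumbprints of the token-signing certificates AD FS legitimately holds.
# Constructed value; in practice export them from the AD FS farm.
KNOWN_SIGNING_THUMBPRINTS = {"A1B2C3D4E5F60718293A4B5C6D7E8F9001122334"}

ADFS_FIELDS = ("assertion_id", "user", "issued_at", "mfa_performed")
CLOUD_FIELDS = ("assertion_id", "user", "signed_in_at", "signing_thumbprint", "mfa_claimed")

# Constructed AD FS issuance log: one line per token AD FS actually issued.
ADFS_ISSUANCE_LOG = """\
_9f3c1,alice@corp.example,2020-12-01T09:00:05,true
_a77e2,bob@corp.example,2020-12-01T09:05:41,true
_b21d9,carol@corp.example,2020-12-01T09:07:12,false
"""

# Constructed cloud sign-in log. The first three rows are legitimate. _ff00a is
# a Golden SAML token: signed with the stolen legitimate key, so the thumbprint
# matches, but AD FS never issued it. _ff00b was signed with a certificate the
# attacker added to the federation trust.
CLOUD_SIGNIN_LOG = """\
_9f3c1,alice@corp.example,2020-12-01T09:00:06,A1B2C3D4E5F60718293A4B5C6D7E8F9001122334,true
_a77e2,bob@corp.example,2020-12-01T09:05:42,A1B2C3D4E5F60718293A4B5C6D7E8F9001122334,true
_b21d9,carol@corp.example,2020-12-01T09:07:13,A1B2C3D4E5F60718293A4B5C6D7E8F9001122334,false
_ff00a,globaladmin@corp.example,2020-12-01T23:41:09,A1B2C3D4E5F60718293A4B5C6D7E8F9001122334,true
_ff00b,globaladmin@corp.example,2020-12-02T02:15:33,DEADBEEF00000000000000000000000000000000,true
"""


def parse_csv(text, fields):
    """Turn a headerless CSV-style log into a list of dicts keyed by `fields`."""
    return [dict(zip(fields, line.split(","))) for line in text.strip().splitlines()]


def find_suspect_signins(adfs_log, cloud_log, known_thumbprints=KNOWN_SIGNING_THUMBPRINTS):
    """Return [(assertion_id, user, [reasons])] for sign-ins AD FS cannot vouch for.

    Checks, in order: the assertion was signed by a certificate AD FS does not
    hold; the assertion never appears in the AD FS issuance log (a forged token
    skips the identity provider entirely, so there is nothing to find); the
    issued token was for a different subject; the token claims MFA although
    AD FS recorded none.
    """
    issued = {row["assertion_id"]: row for row in parse_csv(adfs_log, ADFS_FIELDS)}
    findings = []
    for signin in parse_csv(cloud_log, CLOUD_FIELDS):
        reasons = []
        if signin["signing_thumbprint"] not in known_thumbprints:
            reasons.append("signed by unknown token-signing certificate")
        source = issued.get(signin["assertion_id"])
        if source is None:
            reasons.append("no matching AD FS issuance event")
        else:
            if source["user"] != signin["user"]:
                reasons.append("subject differs from token AD FS issued")
            if signin["mfa_claimed"] == "true" and source["mfa_performed"] != "true":
                reasons.append("MFA claimed but AD FS performed none")
        if reasons:
            findings.append((signin["assertion_id"], signin["user"], reasons))
    return findings


if __name__ == "__main__":
    for assertion_id, user, reasons in find_suspect_signins(ADFS_ISSUANCE_LOG, CLOUD_SIGNIN_LOG):
        print(f"{assertion_id}  {user}: {'; '.join(reasons)}")
```

Two caveats a practitioner will hit immediately. AD FS does not write issuance events unless auditing has been turned up (Set-AdfsProperties -AuditLevel Verbose plus the matching local audit policy on each farm member), which is why the lesson says to enable it before you need it; with auditing off, every real token looks as unissued as a forged one. And whether your cloud sign-in records carry an assertion identifier and signing thumbprint depends on what the tenant logs; when they do not, correlate on user and a narrow time window instead, at a cost in precision.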
Frequently asked questions
How did SolarWinds Sunburst bypass endpoint detection and response tools?
SUNBURST was distributed inside cryptographically signed SolarWinds Orion updates, so EDR products that allowlisted signed binaries from known publishers passed it through. It also stayed dormant for 12 to 14 days after installation, refused to run on hosts that were not domain-joined or that had known security and analysis tools running, and disguised its DNS check-ins as lookups of a plausible cloud-service domain, which defeated most heuristics tuned for prompt post-install beaconing.
Which cybersecurity career roles are best positioned to defend against supply chain attacks like SolarWinds?
Threat Intelligence Analysts track adversary tradecraft and supply chain campaigns. Security Architects design build-pipeline isolation and SBOM requirements. Incident Responders run the forensic timeline reconstruction. Practitioners working in any of these three roles use SolarWinds as a baseline reference incident in interviews and tabletop exercises.
What regulations did the SolarWinds breach influence?
Executive Order 14028 in May 2021 directed SBOM requirements for federal software vendors, established the Cyber Safety Review Board, and started the federal zero trust program whose 2024 deadlines were set by OMB M-22-09. NIST SP 800-218 (SSDF) followed in February 2022. The SEC's October 2023 charges against SolarWinds and its CISO, although largely dismissed in July 2024, were the first time the regulator pursued a CISO personally over security disclosures.
Sources
- CISA Advisory AA20-352A: Advanced Persistent Threat Compromise of Government Agencies · Primary federal advisory with IOCs and detection guidance
- Mandiant (then FireEye), Highly Evasive Attacker Leverages SolarWinds Supply Chain to Compromise Multiple Global Victims With SUNBURST Backdoor · Initial December 13, 2020 technical disclosure with IOCs
- Microsoft Threat Intelligence Customer Guidance on Recent Nation-State Cyberattacks · Microsoft's December 2020 customer guidance
- US Treasury Department Statement on SolarWinds Compromise · Treasury and Commerce confirmation of compromise
- MITRE ATT&CK T1195.002 Compromise Software Supply Chain
DecipherU is not affiliated with, endorsed by, or sponsored by any company listed in this directory. Information compiled from publicly available sources for educational purposes.