Supply Chain
FireEye / CISA / US GAO / Rapid7
Primary Source
Incident Details
Russian SVR (APT29/Cozy Bear) compromised the SolarWinds build environment and injected the SUNBURST backdoor into Orion software updates distributed March-June 2020. ~18,000 customers received the poisoned update; ~100 organizations were actively targeted, including the US Treasury, State Dept, DHS and FireEye. Initial network compromise began Sept 2019. Discovered Dec 13 2020 when FireEye investigated the theft of its own red team tools. MITRE ATT&CK Campaign C0024. The US and UK governments attributed the operation to Russian SVR in April 2021.
Technical Details
- Initial Attack Vector
- CWE-506: Embedded Malicious Code inserted into SolarWinds Orion build pipeline
- Vendor / Product
- SolarWinds Orion Platform
- Software Package
- SolarWinds Orion
- Malware Family
- SUNBURST / TEARDROP / SUNSPOT
- CVE / GHSA References
- CVE-2020-10148
- Supply Chain Attack
- Confirmed third-party / vendor compromise
Timeline
- 2020-03-26 Breach occurred
- 2020-12-13 Publicly disclosed
- 2020-12-14 Customers notified