SolarWinds Likely Hacked at Least One Year Before Breach Discovery

An analysis of the infrastructure and the malware involved in the attack targeting SolarWinds indicates that the Texas-based IT management and monitoring company was hacked at least one year prior to the discovery of the breach.
SolarWinds has confirmed that sophisticated cyberspies, who are believed to be sponsored by the Russian government, compromised the software build system for its Orion product and delivered trojanized updates to as many as 18,000 customers between March and June 2020.

However, an analysis of the threat actor’s infrastructure conducted by threat intelligence company DomainTools, which specializes in DNS and domain analysis, suggests that SolarWinds was breached at some point in 2019.

An investigation conducted by threat intelligence firm ReversingLabs showed that the first version of the Orion software modified by the hackers actually dates from October 2019. This version, 2019.4.5200.8890, was only slightly modified and did not contain the malicious backdoor code, but it indicates that this is when the attackers first began testing their ability to alter the software. The actual breach of SolarWinds infrastructure likely took place before this date.

According to DomainTools, the attackers likely started infrastructure management and staging in December 2019 and in February 2020 they started operationalizing command and control (C&C) domains.

The threat group started delivering its backdoored updates in March, but the malware, tracked as SUNBURST, is designed to remain dormant for up to two weeks, which makes it more difficult to detect. As a result, communications from victim devices only began in April.

[Figure: SolarWinds attack timeline]

“The SolarWinds intrusion was a long-planned event, occurring in distinct stages: supply chain breach, software modification testing, infrastructure development, then final deployment,” explained Joe Slowik, senior security researcher at DomainTools.

Slowik also pointed out that while some media reports citing US government sources have attributed the SolarWinds attack to the Russia-linked threat actor APT29 (aka Cozy Bear, YTTRIUM and The Dukes), it’s possible that it was actually a different group whose activities have been tied to Russian intelligence services. This is based on the fact that Microsoft, FireEye and Volexity, which have analyzed APT29 in the past, have either assigned new names to this activity or have not mentioned a link to a known actor.

In the meantime, the names of more victims have come to light. Microsoft confirmed that it detected some of the malicious binaries on its own systems and said it identified 40 customers that appeared to be high-value targets (i.e. they received later-stage payloads).

Several U.S. government organizations, including the Energy Department, have also been named as victims, and an analysis of the domain generation algorithm used by the SUNBURST malware revealed the names of hundreds of potential victims.

One of the latest victims identified through this method was U.S. cable and internet services provider Cox Communications. Kaspersky reported on Friday that a major American telecommunications company had been hit, but it did not identify it. However, Reuters revealed that it was Cox.

Related: Little-Known SolarWinds Gets Scrutiny Over Hack, Stock Sales

Related: FBI, CISA, ODNI Describe Response to SolarWinds Attack

Related: SolarWinds Removes Customer List From Site as It Releases Second Hotfix

Related: Group Behind SolarWinds Hack Bypassed MFA to Access Emails at US Think Tank

Written By

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.
