---
title: The Most Devastating Hack in History...
description: "It's December 13, 2020, and all hell is about to break loose. A private cybersecurity firm called FireEye is putting the pieces together on a mystery that seems to be growing by the day, as a hacking group that's been worming around in FireEye's own system has also started showing up in some very high-level places: The US Treasury, and the US Department of Commerce. As news broke of the large-scale hack, more and more major institutions began to realize that they, too, had been compromised: NATO, the UK government, Microsoft, the Parliament of the European Union, and eleven executive departments of the federal United States government.\n\nThe perpetrators? A network of Russian government and sub-governmental hackers, all far out of the reach of Western reprisals. Their way in? Well, that was through software known as Orion, produced by a company called SolarWinds. And the potential impact? Well, we'll just let US Senator Dick Durbin sum that up for you: \"virtually a declaration of war by Russia on the United States\".\n\nIn this article, we'll detail the SolarWinds hack in all its dubious glory: the exploits Russia used to sneak into the system, the lucky breaks that led the hack to be discovered, and the profound impact it had not only on the governments of the Western World, but on the future of cyber-warfare itself.\n\n## Setting the Table\n\nBefore anything else, we've got to explain what SolarWinds actually is, and we've got to really emphasize here that the SolarWinds company was not responsible for the hack, but instead, the creator of the software that was hacked. Based in Tulsa, Oklahoma, SolarWinds produces various software products that help other organizations monitor their digital networks, including the software system we mentioned earlier, Orion. 
To put it simply, Orion's job is to monitor what's going on inside a given network, and evaluate performance data—that is, data that indicates how well the network is doing all the jobs it's supposed to do.\n\nBut with that kind of responsibility, the Orion software needs access to sensitive parts of the network. Think of someone who works with intelligence—the higher security clearance you have, the more juicy state secrets you get to see, and in the little digital world that exists inside a company's network, Orion's security clearance is very high. That made Orion a very high-value target for a hacker; get into Orion, and you'd essentially be granted the keys to the castle. Anything else in that network that you wanted, Orion would put you on the path to getting it.\n\nBut not only is Orion very valuable, both for SolarWinds and for a hacker; it's also everywhere. Thousands of organizations use the software, and it's a particular favorite for local, state, and federal governments, as well as international organizations like NATO. That meant that if someone, somewhere, could compromise Orion, they would be getting their hands on the keys to a whole lot of castles, all at once.\n\nObviously, getting inside that sort of system would be a hacker's dream come true, but it's easier said than done, for a few key reasons. Firstly, that sort of hacking is very illegal, and is likely to receive the full force of the law in whatever country where the hack was perpetrated. Second, it's very difficult to pull off—SolarWinds is a major company with some elite individuals on its cyber-defense staff, and the clients who use Orion have a whole lot of experts on hand as well. And finally, it's a very complex system—a random teenager trying to take over the world from their mom's basement probably won't be able to break through alone.\n\nSo if anyone was going to hack Orion, there would have to be a few things that were true about them. 
First, they probably weren't based in the US, Europe, or anywhere with strong extradition policies. Second, they had to have more expertise than any one person, or even a small group of people might have. And finally, they needed to have a well-rounded, highly organized team, which meant funds and centralization. To put it simply, anybody who was going to pull off the attack, would need a team behind them that only a government was likely to put together.\n\nThe likely culprit? Russia, which has carried out cyberattacks on a wide range of targets, including both private corporations and governments. Russia runs its cyber-operations through some level of central coordination with the government, usually through the FSB, the domestic security service, and the SVR, the international intelligence agency. But private or semi-private hacking gangs actually do the dirty work, in order to give Russia some plausible deniability when one of their attacks takes place. In this case, they went with two old favorites of the Russian state: Berserk Bear, which specializes in intruding utilities infrastructure like power grids or water supply, and Cozy Bear, which targets government organizations, militaries, diplomats, and telecommunications. Between the two of them, Cozy Bear and Berserk Bear have been responsible for some major hacks, making them perfect choices for Russia here—in an attack that had the potential to be the biggest of all time.\n\n## The Hack\n\nNow, just a brief disclaimer here; we are going to be giving a fairly basic overview of the hack here, we are not cybersecurity experts, and neither are most of the people reading. 
For anybody who wants a more in-depth view of the tech side of this whole thing, we trust that our resident comment-section contributors can help you out, but be careful—there's some gremlins down there, too.\n\nThe ultimate goal of the incursion into SolarWinds was to get into Orion, but in order to get there, the hackers first had to wiggle their way inside SolarWinds. They did this by exploiting another, much better-known company: Microsoft, which, for anybody that doesn't know, has a history of having some products that aren't exactly airtight. Allegedly. The hackers were able to infiltrate Microsoft's Cloud services, and exploit a flaw where, once they got inside a Microsoft network, they could see all usernames and passwords for everybody using that network. Then, they bypassed Microsoft's multi-factor authentication tools, meaning that the actual owners of those usernames and passwords would have no way of knowing they were being used.\n\nThen, they had to cross the bridge from Microsoft to SolarWinds. This is a process known as a supply-chain hack, where, to put it simply, hackers compromise a service or product and wait for that product to be picked up by a customer down the line. The customer welcomes the product into their digital network, and don't notice the hackers piggybacking inside of it. The hackers were able to worm their way into SolarWinds' Microsoft Office 365 account somewhere around October of 2019, which, in turn, gave them access to some pretty major sections of the SolarWinds network. Once they were inside, the hackers got to work—not making too much noise, but laying low and making little changes inside the network that they could exploit later. 
For months, they scattered through SolarWinds' network, laying the groundwork to take what they ultimately wanted: Orion.\n\nThe tool the hackers used on Orion was called SUNBURST, and it was a type of harmful computer code, malware, which would join up seamlessly to the code that comprises the Orion software. Once inside, it would be very difficult to find, and almost impossible to stumble upon by accident. The hackers inserted this malware into the update packages SolarWinds was already planning to send out, the regular updates you get on your computer to make sure that all your software is up-to-date. And just an aside here, yes, this particular hack compromised those updates, but please install updates when you get them, you're so much more hackable if you don't.\n\nWhen SolarWinds sent out their next round of updates, the SUNBURST malware was already attached, and once it was downloaded to one of SolarWinds' clients, the damage was done. See, the function of SUNBURST was to provide what's called a backdoor, a way for unauthorized, third-party individuals to enter and exit a network at will. With the backdoor installed, the hackers could waltz right into any company or institution that had downloaded the faulty update. SUNBURST was attached to a part of the Orion software that was issued a digital certificate—basically, a signature from SolarWinds saying, this is good, this is trustworthy, there's nothing to worry about. This meant that even if a company picked up on the malicious line of code, somehow, it would still have the SolarWinds sign-off indicating that all was well.\n\nAnd once they used their backdoor, the hackers were in. They could see emails, confidential documents, client records, personal information, and a long list of other sensitive information. They could transfer files, introduce new files or malware to a system, and disable portions of any system that they were inside. 
SUNBURST was designed to wait fourteen days before it woke up, so to speak, so even if a hacker was discovered on their first day in the system, the company wouldn't have been able to guess that the Orion update was the source of the problem. When taken together, the whole process of insertion was frankly brilliant. Forensic cyber-investigator Adam Meyers would put it best, after the fact: \"The tradecraft was phenomenal [...] this was the craziest fucking thing I'd ever seen.\"\n\n## The Discovery\n\nSo, the hack was underway, and any organization that downloaded their regularly scheduled SolarWinds update, would be compromised as soon as they did so. Now, it's perhaps not the most encouraging thing that of the 33,000 organizations that SolarWinds says use Orion software, only 18,000 actually downloaded their compromised update—that is to say, only a little over half of the Orion clients in total. But although those other fifteen thousand organizations' digital hygiene might not be totally up to snuff, it was the diligent, responsible users who got rewarded with some spicy bits of malware for their troubles.\n\nSo, who were the compromised organizations? We've gone through a few of them already, but it's worth focusing in on a few places you really don't want to be infiltrated by Russian hackers. On the government side, some very high-profile US targets got hit, including the National Nuclear Security Administration, the NSA, the National Finance Center, the National Institutes of Health, the Federal Aviation Administration, the Cybersecurity and Infrastructure Agency, and three thousand email accounts within the Department of Justice. In the European Union, six unnamed agencies were hacked; a small handful of UK organizations were targeted, and so was NATO's communication network. 
On the private-sector side, Equifax, Cisco, Microsoft, Nvidia, several cybersecurity organizations, and, of course, SolarWinds themselves all were infiltrated.\n\nThe good news in all this is that with so many organizations to hack, the hackers had to pick and choose which ones they actually accessed. We don't know how many people were involved in this operation, but we know it probably wasn't enough people to sustain multi-person hacking teams for each of their 18,000 victims at once, and it appears that only a handful of clients were actually hacked. The bad news is…well, we've only been naming the ones that were actually hacked, and if you're not sure quite how catastrophic that list of data breaches is, then you really should go back and give that list another read-through.\n\nThe hack went undetected for the better part of a year after SolarWinds started distributing its compromised updates, and while none of the organizations involved really explained what they'd individually had stolen or what other subsequent attacks were launched from inside, it's not hard to imagine just how much damage was probably done during this time. At this stage, it's likely that each organization probably knows most of what happened to it, even if we don't. But for months and months, suspected state-sponsored Russian hackers operated with impunity within these compromised systems, while cybersecurity experts from across the world were none the wiser.\n\nThe first inkling that something might be wrong, came from that cybersecurity firm we mentioned at the beginning: FireEye, which has since been bought up by another firm. FireEye announced on December 8, 2020, that they'd noticed something odd in their own systems. FireEye operated what's referred to as Red Teams—that is to say, hackers who infiltrate companies, but then report to those companies what they did and how they did it, so those companies can fix their issues before someone else exploits them. 
Basically, they're the good guys. But the tools FireEye's Red Teams used had been stolen, and FireEye, knowing pretty well what they were looking at, believed that the hackers who'd gotten their tools were state-sponsored.\n\nNow, this kind of a breach at FireEye would have been bad enough. Their tools, in the wrong hands, could be used to attack computer systems around the world, and knowing the potential impact, they immediately hit up the FBI to come down and help out. The FBI, also knowing what they were looking at, passed the information straight over to their team that handles Russia-based cybercrime. But while the FBI was working on their side of things, FireEye kept working too, and they managed to trace back the route these hackers had used to infiltrate their system. By manually examining some fifty thousand lines of source code within Orion, they were able to isolate the malware that was responsible, and they understood immediately just how catastrophic the implications were.\n\nThis revelation put the whole world on notice, and within a few days, the US Treasury and Department of Commerce confirmed that they, too, had been breached. They brought in FireEye to see whether they could confirm a common exploit, and FireEye did just that. Eventually, the cybersecurity community was able to isolate the exact update versions of Orion that had been compromised, and several other companies were able to uncover far more about how and when the hack was carried out. With that information, companies and governments were able to close the backdoors into their system, and turn their attention to figuring out just how much damage had been done.\n\n## The Impact\n\nThere's a whole, long list of reasons why an individual organization wouldn't want to publicize what, exactly, they had compromised in the hack, so it'll suffice to say that a lot of the specific damage of the hack has still not been announced to the public. 
But the sheer scale and scope of the infiltration has gotten quite a bit of press, for good reason.\n\nBecause the Orion hack itself was just a way into a given system, every impacted organization had to hunt down information on exactly what had happened once hackers were inside. Data could be deleted, stolen, modified, exported, or fed to some other branch of Russian intelligence, while individual users could be impersonated or targeted directly. New malware could have been introduced, and the hackers themselves could have created other ways in and out, so that if the Orion backdoor was ever compromised, they could still access their systems at will. There was no telling who, or what, might be lurking in an individual network, and it's entirely likely that some of the impacted organizations probably still haven't found the hackers inside, even in 2023.\n\nIn response to the infiltration, many cybersecurity experts suggested that some organizations would have to rebuild their networks from scratch—quite literally wiping out everything that existed prior to the hack being exposed. Every login credential that might have been touched via SolarWinds would have to be reset, and IT teams would have to scan their network's files line-by-line to try and scrub out any other compromised bits. And they'd also have to be very careful about not losing anything more; after all, if a hacker was still inside, they could continue to steal or erase data at will.\n\nAs the impacted organizations started picking up the pieces, the world began to point fingers. The Russian government, unsurprisingly, categorically denied any involvement with the hack, but global government officials nearly unanimously agreed that Russia was responsible. The tactics were just too similar to what Russia had done in the past, the style was too reminiscent of how Russian hackers operated. 
Then-President Donald Trump, always super-helpful in a crisis, went quiet for six days after the hack was revealed, and then downplayed it and blamed China, but several high-ranking members of his own administration directly contradicted that claim. The rest of the world was in lock-step about who ultimately perpetrated the attack, and a total of ten Russian diplomats were eventually expelled from the US in retaliation, while sanctions were levied against another 38 companies and individuals.\n\nBut there was also the question of SolarWinds, whose hands were absolutely not clean in this whole thing. Now, SolarWinds controlled the highly valuable Orion tool, but there were also some other things about SolarWinds that made them particularly hackable. For example, in the modern day when this attack took place, SolarWinds did not have anyone on staff to be in charge of information security, and had no senior director to handle cybersecurity. That would be bad for any organization, of course, but when then-CEO Kevin Thompson is spending his time bragging about how his company monitors or manages just about every database in the world, it's frankly hard to imagine how such an oversight might have happened.\n\nBut to make matters worse, SolarWinds knew there were issues beforehand; online criminals have been selling access to SolarWinds' computers online since at least 2017, and according to a cybersecurity expert named Vinoth Kumar, SolarWinds had become aware an entire year before the hack that anyone, anywhere, could get into their update server with the simple password, \"solarwinds123\". Although these weren't the routes hackers used in this case, it's a clear indicator that SolarWinds had some really, really basic vulnerabilities, and were doing very little to address them. 
After the attack, SolarWinds got hit with a class-action lawsuit from its investors, and the company was lambasted for not making their software open-source, which would have allowed users to audit their technology and spot malware far earlier. Another scandal erupted when it was revealed that on December 7, 2020, just days before the hack came to light, not only did the SolarWinds CEO retire, but two firms that owned a combined 70% of SolarWinds sold massive amounts of their stock in the company, suggesting—allegedly—that someone—allegedly—might have known—allegedly—that something was coming. Allegedly.\n\nHowever, it's important to also recognize the contributions of a wide range of cybersecurity experts, especially those working for FireEye, in making sure the incident didn't go further. From the perspective of the hackers, such brazen theft from FireEye was, in hindsight, a big mistake, since the deception probably could have gone on much longer if FireEye hadn't gotten involved. From a strategic perspective, it's worth pointing out that perhaps Russia did want the world to realize it had been hacked—more of a scare tactic than anything else—and might have hacked FireEye in order to get the ball rolling. But given the reach of the Orion hack, it's hard to see a big scare being worth the trade-off of losing basically unrestricted access to the entire world, so…take it with a grain of salt.\n\nAnd even though we've focused so far on the organizations that were hacked, it's worth pointing out the ones that used SolarWinds software, but were lucky enough not to get directly caught up in this attack. According to SolarWinds, 425 of the Fortune 500 firms used their software, as did the entire US military, the Office of the President of the United States, and the entire top tier of the American telecommunications infrastructure—and all this, just discussing the American targets. 
With full, unrestricted access to SolarWinds, the hackers could have conceivably worked on exploiting more tools and more features, getting into any or all of those targets. By stealing from FireEye a little bit too enthusiastically, they lost themselves that opportunity, but we can't overstate just how much of a dodged bullet that really is.\n\nIt's impossible to nail down an exact dollar figure on how damaging this hack ultimately was, but according to at least one cybersecurity expert, a former NSA hacker named Jake Williams, the damage might ultimately be worth hundreds of billions of dollars. And with that much damage, and a nation-state believed to be directly responsible for coordinating and carrying out the attack, it raised one last, existential question: Was the SolarWinds hack an act of war?\n\nThe hack led to a prolonged discussion on exactly that question, at least within American circles. Some political and industry leaders claimed that the hack constituted a direct attack on the United States government, as real as any attack with tanks or bombs might have been. Others, though, suggested that since no physical infrastructure was damaged—no dams were opened, for example, and no nuclear reactors were caused to overload—that the attack should be regarded as an act of espionage. Deeply distressing, absolutely, but something that countries are doing to each other all the time, and definitely not something worth going to war over. Intelligence experts pointed out that they, too, would have launched the same kinds of attacks against Russia if they could, and we can only assume that they didn't want Washington to be carpet-bombed for their trouble. 
And there was one final sticking point, too—even though just about the entire world believed Russia was behind the attack, there was no conclusive piece of proof, or at least, none that the public knows about.\n\nWe feel okay with spoiling the ending here—that is to say, that the Western world did not undertake a military retaliation toward Russia after the attack took place. As it turns out, even hundreds of billions of dollars in damage isn't quite worth starting World War III. Instead, the world has chosen to learn from this incident, thank their lucky stars it didn't get worse, and re-double their efforts, laying down defenses for the inevitable future attacks that will make SolarWinds look like child's play.\n\n## Key Takeaways\n\n- The SolarWinds hack, discovered in December 2020, compromised numerous high-profile organizations, including US government departments and major tech companies.\n- Russian government-backed hackers exploited SolarWinds' Orion software, using a supply-chain attack to infiltrate thousands of organizations.\n- The hackers used sophisticated malware called SUNBURST to create backdoors, allowing them to access sensitive information and control systems.\n- The discovery of the hack was facilitated by FireEye, a cybersecurity firm whose own tools were stolen by the hackers.\n- The SolarWinds hack raised significant concerns about cybersecurity and the potential for cyber warfare, leading to international sanctions and increased cyber defenses.\n\n## Frequently Asked Questions\n\n### What was the SolarWinds hack?\n\nThe SolarWinds hack was a cyberattack that infiltrated various high-level institutions, including the US Treasury, the US Department of Commerce, NATO, the UK government, Microsoft, and several federal departments of the United States government. 
The attack was carried out by Russian government and sub-governmental hackers who exploited software known as Orion, produced by SolarWinds.\n\n### How did the hackers gain access to the systems?\n\nThe hackers gained access by exploiting a flaw in Microsoft's Cloud services, which allowed them to see usernames and passwords. They then bypassed Microsoft's multi-factor authentication tools and infiltrated SolarWinds' Microsoft Office 365 account, giving them access to major sections of the SolarWinds network. They inserted malware called SUNBURST into the Orion software updates, creating a backdoor for unauthorized access.\n\n### What was the impact of the SolarWinds hack?\n\nThe impact was profound, with potential damage estimated in the hundreds of billions of dollars. The hack allowed unauthorized access to sensitive information, emails, confidential documents, and more. It led to a prolonged discussion on whether it constituted an act of war, but no military retaliation was undertaken.\n\n### Who were the perpetrators of the SolarWinds hack?\n\nThe perpetrators were Russian government and sub-governmental hackers, specifically the hacking groups Berserk Bear and Cozy Bear. These groups are known for targeting utilities infrastructure and government organizations, respectively.\n\n### How was the SolarWinds hack discovered?\n\nThe hack was discovered by the cybersecurity firm FireEye, which noticed unusual activity in their own systems. FireEye traced the route the hackers used and isolated the malware responsible, leading to the identification of the compromised Orion updates. This revelation prompted other affected organizations to take action.\n\n### What organizations were affected by the SolarWinds hack?\n\nAffected organizations included the US Treasury, the US Department of Commerce, NATO, the UK government, Microsoft, the Parliament of the European Union, and eleven executive departments of the federal United States government. 
Additionally, several private-sector companies like Equifax, Cisco, and Nvidia were also infiltrated.\n\n### What was the role of FireEye in the SolarWinds hack?\n\nFireEye played a crucial role in discovering the hack. They noticed that their own tools had been stolen and traced the route the hackers used. By examining the Orion software, they isolated the malware and alerted other organizations, leading to the identification and mitigation of the hack.\n\n### What was the response of the US government to the SolarWinds hack?\n\nThe US government expelled ten Russian diplomats and levied sanctions against 38 companies and individuals. There was a prolonged discussion on whether the hack constituted an act of war, but no military retaliation was undertaken. The focus was on learning from the incident and strengthening defenses against future attacks.\n\n### What was the role of SolarWinds in the hack?\n\nSolarWinds was the creator of the Orion software that was hacked. The company did not have a senior director in charge of information security and was aware of vulnerabilities in their systems, including weak passwords. They faced a class-action lawsuit and criticism for not making their software open-source.\n\n### What was the SUNBURST malware?\n\nSUNBURST was a type of malware inserted into the Orion software updates by the hackers. It created a backdoor for unauthorized access, allowing the hackers to see emails, confidential documents, and other sensitive information. 
The malware was designed to wait fourteen days before becoming active, making it difficult to detect.\n\n## Sources\n\n- [Original Into the Shadows video: The Most Devastating Hack in History...](https://www.youtube.com/watch?v=POj8g8XfAAA)\n- [https://www.trentonsystems.com/blog/solarwinds-hack-overview-prevention](https://www.trentonsystems.com/blog/solarwinds-hack-overview-prevention)\n- [https://therecord.media/solarwinds-hack-affected-six-eu-agencies](https://therecord.media/solarwinds-hack-affected-six-eu-agencies)\n- [https://www.newsweek.com/nato-assessing-damage-solarwinds-hack-canada-issues-alert-1554964](https://www.newsweek.com/nato-assessing-damage-solarwinds-hack-canada-issues-alert-1554964)\n- [https://www.nytimes.com/2020/12/08/technology/fireeye-hacked-russians.html](https://www.nytimes.com/2020/12/08/technology/fireeye-hacked-russians.html)\n- [https://www.newsweek.com/solarwinds-russia-hack-cyberattack-fireeye-software-malware-backdoor-cybersecurity-1554730](https://www.newsweek.com/solarwinds-russia-hack-cyberattack-fireeye-software-malware-backdoor-cybersecurity-1554730)\n- [https://rollcall.com/2021/01/11/cleaning-up-solarwinds-hack-may-cost-as-much-as-100-billion/](https://rollcall.com/2021/01/11/cleaning-up-solarwinds-hack-may-cost-as-much-as-100-billion/)\n- [https://www.reuters.com/article/us-cyber-solarwinds-china-exclusive-idUSKBN2A22K8](https://www.reuters.com/article/us-cyber-solarwinds-china-exclusive-idUSKBN2A22K8)\n- [https://www.securityweek.com/class-action-lawsuit-filed-against-solarwinds-over-hack/](https://www.securityweek.com/class-action-lawsuit-filed-against-solarwinds-over-hack/)\n- [https://www.fox10phoenix.com/news/us-retaliates-against-russian-hacking-by-expelling-diplomats-imposing-new-sanctions](https://www.fox10phoenix.com/news/us-retaliates-against-russian-hacking-by-expelling-diplomats-imposing-new-sanctions)\n- 
[https://www.marketwatch.com/story/solarwinds-falls-under-scrutiny-after-hack-stock-sales-01608166019](https://www.marketwatch.com/story/solarwinds-falls-under-scrutiny-after-hack-stock-sales-01608166019)\n- [https://www.theregister.com/2020/12/16/solarwinds_stock_sale/](https://www.theregister.com/2020/12/16/solarwinds_stock_sale/)\n- [https://www.timesofisrael.com/hackers-backed-by-foreign-government-reportedly-steal-info-from-us-treasury/](https://www.timesofisrael.com/hackers-backed-by-foreign-government-reportedly-steal-info-from-us-treasury/)\n- [https://www.mandiant.com/resources/blog/evasive-attacker-leverages-solarwinds-supply-chain-compromises-with-sunburst-backdoor](https://www.mandiant.com/resources/blog/evasive-attacker-leverages-solarwinds-supply-chain-compromises-with-sunburst-backdoor)\n- [https://www.nytimes.com/2020/12/14/us/politics/russia-hack-nsa-homeland-security-pentagon.html](https://www.nytimes.com/2020/12/14/us/politics/russia-hack-nsa-homeland-security-pentagon.html)\n- [https://www.nytimes.com/2020/12/16/us/politics/russia-hack-putin-trump-biden.html](https://www.nytimes.com/2020/12/16/us/politics/russia-hack-putin-trump-biden.html)\n- [https://www.reuters.com/article/global-cyber-solarwinds/hackers-at-center-of-sprawling-spy-campaign-turned-solarwinds-dominance-against-it-idUSKBN28P2N8](https://www.reuters.com/article/global-cyber-solarwinds/hackers-at-center-of-sprawling-spy-campaign-turned-solarwinds-dominance-against-it-idUSKBN28P2N8)\n- [https://threatpost.com/solarwinds-default-password-access-sales/162327/](https://threatpost.com/solarwinds-default-password-access-sales/162327/)\n- [https://itwire.com/business-it-news/security/solarwinds-ftp-credentials-were-leaking-on-github-in-november-2019.html](https://itwire.com/business-it-news/security/solarwinds-ftp-credentials-were-leaking-on-github-in-november-2019.html)\n- 
[https://www.theregister.com/2020/12/16/solarwinds_github_password/](https://www.theregister.com/2020/12/16/solarwinds_github_password/)\n- [https://www.techtarget.com/whatis/feature/SolarWinds-hack-explained-Everything-you-need-to-know](https://www.techtarget.com/whatis/feature/SolarWinds-hack-explained-Everything-you-need-to-know)\n- [https://www.npr.org/2021/04/16/985439655/a-worst-nightmare-cyberattack-the-untold-story-of-the-solarwinds-hack](https://www.npr.org/2021/04/16/985439655/a-worst-nightmare-cyberattack-the-untold-story-of-the-solarwinds-hack)\n- [https://www.businessinsider.com/solarwinds-hack-explained-government-agencies-cyber-security-2020-12](https://www.businessinsider.com/solarwinds-hack-explained-government-agencies-cyber-security-2020-12)\n- [https://www.gao.gov/blog/solarwinds-cyberattack-demands-significant-federal-and-private-sector-response-infographic](https://www.gao.gov/blog/solarwinds-cyberattack-demands-significant-federal-and-private-sector-response-infographic)\n- [https://www.wired.com/story/solarwinds-hack-supply-chain-threats-improvements/](https://www.wired.com/story/solarwinds-hack-supply-chain-threats-improvements/)\n- [https://www.simplilearn.com/tutorials/cryptography-tutorial/all-about-solarwinds-attack](https://www.simplilearn.com/tutorials/cryptography-tutorial/all-about-solarwinds-attack)\n- [https://cybernews.com/security/solarwinds-hack-the-mystery-of-one-of-the-biggest-cyberattacks-ever/](https://cybernews.com/security/solarwinds-hack-the-mystery-of-one-of-the-biggest-cyberattacks-ever/)\n- [https://www.reuters.com/article/us-cyber-solarwinds-microsoft/solarwinds-hack-was-largest-and-most-sophisticated-attack-ever-microsoft-president-idUSKBN2AF03R](https://www.reuters.com/article/us-cyber-solarwinds-microsoft/solarwinds-hack-was-largest-and-most-sophisticated-attack-ever-microsoft-president-idUSKBN2AF03R)\n- 
[https://www.bleepingcomputer.com/news/security/the-solarwinds-cyberattack-the-hack-the-victims-and-what-we-know/](https://www.bleepingcomputer.com/news/security/the-solarwinds-cyberattack-the-hack-the-victims-and-what-we-know/)\n- [https://medium.com/cloud-security/solarwinds-hack-retrospective-322f03b4eb9b](https://medium.com/cloud-security/solarwinds-hack-retrospective-322f03b4eb9b)\n- [Hero image source](https://upload.wikimedia.org/wikipedia/commons/1/18/Manila_Central_Post_Office_after_fire_2023-06-11.jpg) by LMP 2001 / openverse, by-sa.\n\n## Related Coverage"
url: https://intotheshadows.pub/article/the-most-devastating-hack-in-history.md
canonical: https://intotheshadows.pub/article/the-most-devastating-hack-in-history
datePublished: 2026-06-28
dateModified: 2026-06-28
author:
  - name: Simon Whistler
    url: https://intotheshadows.pub/author/simon-whistler
publisher: Into the Shadows
image: "https://media.intotheshadows.pub/cdn-cgi/image/width=1600,height=900,fit=cover,quality=80,format=auto/articles/POj8g8XfAAA/hero.jpg"
type: Article
contentHash: e524eab464e9ba3a5ca982084ee696decb98f909cbbbfa5b8d5dfd1e8746c478
tokens: 8350
summaryUrl: https://intotheshadows.pub/article/the-most-devastating-hack-in-history.md.summary.md
---

<!-- aeo:section start="lede" -->
It's December 13, 2020, and all hell is about to break loose. A private cybersecurity firm called FireEye is putting the pieces together on a mystery that seems to be growing by the day, as a hacking group that's been worming around in FireEye's own system has also started showing up in some very high-level places: The US Treasury, and the US Department of Commerce. As news broke of the large-scale hack, more and more major institutions began to realize that they, too, had been compromised: NATO, the UK government, Microsoft, the Parliament of the European Union, and eleven executive departments of the federal United States government.

The perpetrators? A network of Russian government and sub-governmental hackers, all far out of the reach of Western reprisals. Their way in? Well, that was through software known as Orion, produced by a company called SolarWinds. And the potential impact? Well, we'll just let US Senator Dick Durbin sum that up for you: "virtually a declaration of war by Russia on the United States".

In this article, we'll detail the SolarWinds hack in all its dubious glory: the exploits Russia used to sneak into the system, the lucky breaks that led the hack to be discovered, and the profound impact it had not only on the governments of the Western World, but on the future of cyber-warfare itself.

<!-- aeo:section end="lede" -->
<!-- aeo:section start="setting-the-table" -->
## Setting the Table

Before anything else, we've got to explain what SolarWinds actually is, and we've got to really emphasize here that the SolarWinds company was not responsible for the hack, but instead, the creator of the software that was hacked. Based in Tulsa, Oklahoma, SolarWinds produces various software products that help other organizations monitor their digital networks, including the software system we mentioned earlier, Orion. To put it simply, Orion's job is to monitor what's going on inside a given network, and evaluate performance data—that is, data that indicates how well the network is doing all the jobs it's supposed to do.

But with that kind of responsibility, the Orion software needs access to sensitive parts of the network. Think of someone who works with intelligence—the higher security clearance you have, the more juicy state secrets you get to see, and in the little digital world that exists inside a company's network, Orion's security clearance is very high. That made Orion a very high-value target for a hacker; get into Orion, and you'd essentially be granted the keys to the castle. Anything else in that network that you wanted, Orion would put you on the path to getting it.

But not only is Orion very valuable, both for SolarWinds and for a hacker; it's also everywhere. Thousands of organizations use the software, and it's a particular favorite for local, state, and federal governments, as well as international organizations like NATO. That meant that if someone, somewhere, could compromise Orion, they would be getting their hands on the keys to a whole lot of castles, all at once.

Obviously, getting inside that sort of system would be a hacker's dream come true, but it's easier said than done, for a few key reasons. Firstly, that sort of hacking is very illegal, and is likely to receive the full force of the law in whatever country the hack was perpetrated in. Second, it's very difficult to pull off—SolarWinds is a major company with some elite individuals on its cyber-defense staff, and the clients who use Orion have a whole lot of experts on hand as well. And finally, it's a very complex system—a random teenager trying to take over the world from their mom's basement probably won't be able to break through alone.

So if anyone was going to hack Orion, there would have to be a few things that were true about them. First, they probably weren't based in the US, Europe, or anywhere with strong extradition policies. Second, they had to have more expertise than any one person, or even a small group of people, might have. And finally, they needed to have a well-rounded, highly organized team, which meant funds and centralization. To put it simply, anybody who was going to pull off the attack would need a team behind them that only a government was likely to put together.

The likely culprit? Russia, which has carried out cyberattacks on a wide range of targets, including both private corporations and governments. Russia runs its cyber-operations through some level of central coordination with the government, usually through the FSB, the domestic security service, and the SVR, the international intelligence agency. But private or semi-private hacking gangs actually do the dirty work, in order to give Russia some plausible deniability when one of their attacks takes place. In this case, they went with two old favorites of the Russian state: Berserk Bear, which specializes in intruding into utility infrastructure like power grids or water supplies, and Cozy Bear, which targets government organizations, militaries, diplomats, and telecommunications. Between the two of them, Cozy Bear and Berserk Bear have been responsible for some major hacks, making them perfect choices for Russia here—in an attack that had the potential to be the biggest of all time.

<!-- aeo:section end="setting-the-table" -->
<!-- aeo:section start="the-hack" -->
## The Hack

Now, just a brief disclaimer here: we are going to be giving a fairly basic overview of the hack, since we are not cybersecurity experts, and neither are most of the people reading. For anybody who wants a more in-depth view of the tech side of this whole thing, we trust that our resident comment-section contributors can help you out, but be careful—there are some gremlins down there, too.

The ultimate goal of the incursion into SolarWinds was to get into Orion, but in order to get there, the hackers first had to wiggle their way inside SolarWinds. They did this by exploiting another, much better-known company: Microsoft, which, for anybody who doesn't know, has a history of having some products that aren't exactly airtight. Allegedly. The hackers were able to infiltrate Microsoft's Cloud services, and exploit a flaw where, once they got inside a Microsoft network, they could see all usernames and passwords for everybody using that network. Then, they bypassed Microsoft's multi-factor authentication tools, meaning that the actual owners of those usernames and passwords would have no way of knowing they were being used.

Then, they had to cross the bridge from Microsoft to SolarWinds. This is a process known as a supply-chain hack, where, to put it simply, hackers compromise a service or product and wait for that product to be picked up by a customer down the line. The customer welcomes the product into their digital network and doesn't notice the hackers piggybacking inside of it. The hackers were able to worm their way into SolarWinds' Microsoft Office 365 account somewhere around October of 2019, which, in turn, gave them access to some pretty major sections of the SolarWinds network. Once they were inside, the hackers got to work—not making too much noise, but laying low and making little changes inside the network that they could exploit later. For months, they spread through SolarWinds' network, laying the groundwork to take what they ultimately wanted: Orion.

The tool the hackers used on Orion was called SUNBURST, and it was a type of harmful computer code, malware, which would blend seamlessly into the code that comprises the Orion software. Once inside, it would be very difficult to find, and almost impossible to stumble upon by accident. The hackers inserted this malware into the update packages SolarWinds was already planning to send out, the regular updates you get on your computer to make sure that all your software is up-to-date. And just an aside here, yes, this particular hack compromised those updates, but please install updates when you get them, you're so much more hackable if you don't.

When SolarWinds sent out their next round of updates, the SUNBURST malware was already attached, and once it was downloaded to one of SolarWinds' clients, the damage was done. See, the function of SUNBURST was to provide what's called a backdoor, a way for unauthorized, third-party individuals to enter and exit a network at will. With the backdoor installed, the hackers could waltz right into any company or institution that had downloaded the faulty update. SUNBURST was attached to a part of the Orion software that had been issued a digital certificate—basically, a signature from SolarWinds saying, this is good, this is trustworthy, there's nothing to worry about. This meant that even if a company somehow picked up on the malicious line of code, it would still have the SolarWinds sign-off indicating that all was well.

And once they used their backdoor, the hackers were in. They could see emails, confidential documents, client records, personal information, and a long list of other sensitive information. They could transfer files, introduce new files or malware to a system, and disable portions of any system that they were inside. SUNBURST was designed to wait fourteen days before it woke up, so to speak, so even if a hacker was discovered on their first day in the system, the company wouldn't have been able to guess that the Orion update was the source of the problem. When taken together, the whole process of insertion was frankly brilliant. Forensic cyber-investigator Adam Meyers would put it best, after the fact: "The tradecraft was phenomenal [...] this was the craziest fucking thing I'd ever seen."
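The fourteen-day sleep described above is precisely what defeats the simplest kind of detection, matching "what changed today" against "what started talking to the internet today". The block below is an added example, not code from the article, from SolarWinds or from FireEye: it shows detection logic a defender could run over endpoint telemetry, tying each outbound connection an updated component makes back to the install event that preceded it, with a lookback window wide enough to cover a multi-week dormancy. The log format, host names, the package name `netmon-agent`, the allowlist and every destination are constructed for illustration.

```python
"""Correlating a software update with later outbound activity from the
updated component, allowing for a dormancy period.

Added example, not code from the article, from SolarWinds or from any
vendor. All log lines, host names, package names and destinations below
are constructed for illustration.
"""
from dataclasses import dataclass, field
from datetime import datetime

# Constructed endpoint log: "<ISO timestamp> <host> <event> key=value ...".
# host-a installs an update, talks to its usual update server at once, and
# only fifteen days later contacts a destination nobody has seen before.
SAMPLE_LOG = """\
2020-03-26T09:00:00 host-a package_installed name=netmon-agent version=2020.2
2020-03-26T09:05:00 host-a network_connect process=netmon-agent dst=updates.netmon.example
2020-04-10T14:12:00 host-a network_connect process=netmon-agent dst=a1b2c3.telemetry-cdn.example
2020-03-26T09:00:00 host-b package_installed name=netmon-agent version=2020.2
2020-03-28T11:00:00 host-b network_connect process=editor dst=docs.example
"""

# Destinations the monitoring agent is expected to talk to (constructed allowlist).
EXPECTED_DESTINATIONS = {"updates.netmon.example"}


@dataclass
class Event:
    ts: datetime
    host: str
    kind: str
    fields: dict = field(default_factory=dict)


def parse_log(text: str) -> list:
    """Parse the constructed log format into Event records."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, host, kind, *rest = line.split()
        fields = dict(item.split("=", 1) for item in rest)
        events.append(Event(datetime.fromisoformat(ts), host, kind, fields))
    return events


def new_destinations_after_update(events, window_days, expected):
    """For each package install, list destinations the updated process first
    contacts within `window_days` of the install that are not on the allowlist.

    Returns (host, package, destination, days_after_install) tuples, in
    chronological order of the connections.
    """
    installs = [e for e in events if e.kind == "package_installed"]
    connects = sorted((e for e in events if e.kind == "network_connect"),
                      key=lambda e: e.ts)
    findings = []
    for inst in installs:
        package = inst.fields["name"]
        reported = set()
        for conn in connects:
            if conn.host != inst.host or conn.fields.get("process") != package:
                continue
            age = conn.ts - inst.ts  # negative if the connection predates the install
            if age.days < 0 or age.days > window_days:
                continue
            dst = conn.fields["dst"]
            if dst in expected or dst in reported:
                continue
            reported.add(dst)
            findings.append((conn.host, package, dst, age.days))
    return findings


def run_example():
    """Same data, two lookback windows: a one-day window sees nothing odd, a
    thirty-day window links the late beacon back to the update."""
    events = parse_log(SAMPLE_LOG)
    narrow = new_destinations_after_update(events, 1, EXPECTED_DESTINATIONS)
    wide = new_destinations_after_update(events, 30, EXPECTED_DESTINATIONS)
    return narrow, wide


if __name__ == "__main__":
    narrow, wide = run_example()
    print("1-day window :", narrow)   # []
    print("30-day window:", wide)     # [('host-a', 'netmon-agent', 'a1b2c3.telemetry-cdn.example', 15)]
```

With a one-day window the late connection is never attributed to the update; widening the window to thirty days surfaces it, together with the number of days the component waited. The allowlist is what keeps the output small: the updated component's routine traffic is expected, so only destinations nobody has vetted get reported, and a vetting step for any destination that first appears weeks after an install is the part of the process a signature on the installer cannot replace.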

<!-- aeo:section end="the-hack" -->
<!-- aeo:section start="the-discovery" -->
## The Discovery

So, the hack was underway, and any organization that downloaded their regularly scheduled SolarWinds update would be compromised as soon as they did so. Now, it's perhaps not the most encouraging thing that of the 33,000 organizations that SolarWinds says use Orion software, only 18,000 actually downloaded their compromised update—that is to say, only a little over half of the Orion clients in total. But although those other fifteen thousand organizations' digital hygiene might not be totally up to snuff, it was the diligent, responsible users who got rewarded with some spicy bits of malware for their troubles.

So, who were the compromised organizations? We've gone through a few of them already, but it's worth focusing on a few places you really don't want to be infiltrated by Russian hackers. On the government side, some very high-profile US targets got hit, including the National Nuclear Security Administration, the NSA, the National Finance Center, the National Institutes of Health, the Federal Aviation Administration, the Cybersecurity and Infrastructure Agency, and three thousand email accounts within the Department of Justice. In the European Union, six unnamed agencies were hacked; a small handful of UK organizations were targeted, and so was NATO's communication network. On the private-sector side, Equifax, Cisco, Microsoft, Nvidia, several cybersecurity organizations, and, of course, SolarWinds themselves were all infiltrated.

The good news in all this is that with so many organizations to hack, the hackers had to pick and choose which ones they actually accessed. We don't know how many people were involved in this operation, but we know it probably wasn't enough people to sustain multi-person hacking teams for each of their 18,000 victims at once, and it appears that only a handful of clients were actually hacked. The bad news is…well, we've only been naming the ones that were actually hacked, and if you're not sure quite how catastrophic that list of data breaches is, then you really should go back and give that list another read-through.

The hack went undetected for the better part of a year after SolarWinds started distributing its compromised updates, and while none of the organizations involved really explained what they'd individually had stolen or what other subsequent attacks were launched from inside, it's not hard to imagine just how much damage was probably done during this time. At this stage, each organization likely knows most of what happened to it, even if we don't. But for months and months, suspected state-sponsored Russian hackers operated with impunity within these compromised systems, while cybersecurity experts from across the world were none the wiser.

The first inkling that something might be wrong came from that cybersecurity firm we mentioned at the beginning: FireEye, which has since been bought up by another firm. FireEye announced on December 8, 2020, that they'd noticed something odd in their own systems. FireEye operated what's referred to as Red Teams—that is to say, hackers who infiltrate companies, but then report to those companies what they did and how they did it, so those companies can fix their issues before someone else exploits them. Basically, they're the good guys. But the tools FireEye's Red Teams used had been stolen, and FireEye, knowing pretty well what they were looking at, believed that the hackers who'd gotten their tools were state-sponsored.

Now, this kind of a breach at FireEye would have been bad enough. Their tools, in the wrong hands, could be used to attack computer systems around the world, and knowing the potential impact, they immediately hit up the FBI to come down and help out. The FBI, also knowing what they were looking at, passed the information straight over to their team that handles Russia-based cybercrime. But while the FBI was working on their side of things, FireEye kept working too, and they managed to trace back the route these hackers had used to infiltrate their system. By manually examining some fifty thousand lines of source code within Orion, they were able to isolate the malware that was responsible, and they understood immediately just how catastrophic the implications were.

This revelation put the whole world on notice, and within a few days, the US Treasury and Department of Commerce confirmed that they, too, had been breached. They brought in FireEye to see whether they could confirm a common exploit, and FireEye did just that. Eventually, the cybersecurity community was able to isolate the exact update versions of Orion that had been compromised, and several other companies were able to uncover far more about how and when the hack was carried out. With that information, companies and governments were able to close the backdoors into their system, and turn their attention to figuring out just how much damage had been done.

<!-- aeo:section end="the-discovery" -->
<!-- aeo:section start="the-impact" -->
## The Impact

There's a whole, long list of reasons why an individual organization wouldn't want to publicize what, exactly, they had compromised in the hack, so it'll suffice to say that a lot of the specific damage of the hack has still not been announced to the public. But the sheer scale and scope of the infiltration has gotten quite a bit of press, for good reason.

Because the Orion hack itself was just a way into a given system, every impacted organization had to hunt down information on exactly what had happened once hackers were inside. Data could be deleted, stolen, modified, exported, or fed to some other branch of Russian intelligence, while individual users could be impersonated or targeted directly. New malware could have been introduced, and the hackers themselves could have created other ways in and out, so that if the Orion backdoor was ever closed, they could still access those systems at will. There was no telling who, or what, might be lurking in an individual network, and it's entirely likely that some of the impacted organizations still haven't found the hackers inside, even in 2023.

In response to the infiltration, many cybersecurity experts suggested that some organizations would have to rebuild their networks from scratch—quite literally wiping out everything that existed prior to the hack being exposed. Every login credential that might have been touched via SolarWinds would have to be reset, and IT teams would have to scan their network's files line-by-line to try and scrub out any other compromised bits. And they'd also have to be very careful about not losing anything more; after all, if a hacker was still inside, they could continue to steal or erase data at will.

As the impacted organizations started picking up the pieces, the world began to point fingers. The Russian government, unsurprisingly, categorically denied any involvement with the hack, but global government officials nearly unanimously agreed that Russia was responsible. The tactics were just too similar to what Russia had done in the past, the style was too reminiscent of how Russian hackers operated. Then-President Donald Trump, always super-helpful in a crisis, went quiet for six days after the hack was revealed, and then downplayed it and blamed China, but several high-ranking members of his own administration directly contradicted that claim. The rest of the world was in lock-step about who ultimately perpetrated the attack, and a total of ten Russian diplomats were eventually expelled from the US in retaliation, while sanctions were levied against another 38 companies and individuals.

But there was also the question of SolarWinds, whose hands were absolutely not clean in this whole thing. Now, SolarWinds controlled the highly valuable Orion tool, but there were also some other things about SolarWinds that made them particularly hackable. For example, at the time this attack took place, SolarWinds did not have anyone on staff in charge of information security, and had no senior director to handle cybersecurity. That would be bad for any organization, of course, but when then-CEO Kevin Thompson is spending his time bragging about how his company monitors or manages just about every database in the world, it's frankly hard to imagine how such an oversight might have happened.

But to make matters worse, SolarWinds knew there were issues beforehand; online criminals had been selling access to SolarWinds' computers since at least 2017, and according to a cybersecurity expert named Vinoth Kumar, SolarWinds had become aware an entire year before the hack that anyone, anywhere, could get into their update server with the simple password, "solarwinds123". Although these weren't the routes hackers used in this case, it's a clear indicator that SolarWinds had some really, really basic vulnerabilities, and were doing very little to address them. After the attack, SolarWinds got hit with a class-action lawsuit from its investors, and the company was lambasted for not making their software open-source, which would have allowed users to audit their technology and spot malware far earlier. Another scandal erupted when it was revealed that on December 7, 2020, just days before the hack came to light, not only did the SolarWinds CEO retire, but two firms that owned a combined 70% of SolarWinds sold massive amounts of their stock in the company, suggesting—allegedly—that someone—allegedly—might have known—allegedly—that something was coming. Allegedly.

However, it's important to also recognize the contributions of a wide range of cybersecurity experts, especially those working for FireEye, in making sure the incident didn't go further. From the perspective of the hackers, such brazen theft from FireEye was, in hindsight, a big mistake, since the deception probably could have gone on much longer if FireEye hadn't gotten involved. From a strategic perspective, it's worth pointing out that perhaps Russia did want the world to realize it had been hacked—more of a scare tactic than anything else—and might have hacked FireEye in order to get the ball rolling. But given the reach of the Orion hack, it's hard to see a big scare being worth the trade-off of losing basically unrestricted access to the entire world, so…take it with a grain of salt.

And even though we've focused so far on the organizations that were hacked, it's worth pointing out the ones that used SolarWinds software, but were lucky enough not to get directly caught up in this attack. According to SolarWinds, 425 of the Fortune 500 firms used their software, as did the entire US military, the Office of the President of the United States, and the entire top tier of the American telecommunications infrastructure—and all this, just discussing the American targets. With full, unrestricted access to SolarWinds, the hackers could have conceivably worked on exploiting more tools and more features, getting into any or all of those targets. By stealing from FireEye a little bit too enthusiastically, they lost themselves that opportunity, but we can't overstate just how much of a dodged bullet that really is.

It's impossible to nail down an exact dollar figure on how damaging this hack ultimately was, but according to at least one cybersecurity expert, a former NSA hacker named Jake Williams, the damage might ultimately be worth hundreds of billions of dollars. And with that much damage, and a nation-state believed to be directly responsible for coordinating and carrying out the attack, it raised one last, existential question: Was the SolarWinds hack an act of war?

The hack led to a prolonged discussion on exactly that question, at least within American circles. Some political and industry leaders claimed that the hack constituted a direct attack on the United States government, as real as any attack with tanks or bombs might have been. Others, though, suggested that since no physical infrastructure was damaged—no dams were opened, for example, and no nuclear reactors were caused to overload—the attack should be regarded as an act of espionage. Deeply distressing, absolutely, but something that countries are doing to each other all the time, and definitely not something worth going to war over. Intelligence experts pointed out that they, too, would have launched the same kinds of attacks against Russia if they could, and we can only assume that they didn't want Washington to be carpet-bombed for their trouble. And there was one final sticking point, too—even though just about the entire world believed Russia was behind the attack, there was no conclusive piece of proof, or at least, none that the public knows about.

We feel okay with spoiling the ending here—that is to say, that the Western world did not undertake a military retaliation toward Russia after the attack took place. As it turns out, even hundreds of billions of dollars in damage isn't quite worth starting World War III. Instead, the world has chosen to learn from this incident, thank their lucky stars it didn't get worse, and redouble their efforts, laying down defenses for the inevitable future attacks that will make SolarWinds look like child's play.

<!-- aeo:section end="the-impact" -->
<!-- aeo:section start="key-takeaways" -->
## Key Takeaways

- The SolarWinds hack, discovered in December 2020, compromised numerous high-profile organizations, including US government departments and major tech companies.
- Russian government-backed hackers exploited SolarWinds' Orion software, using a supply-chain attack to infiltrate thousands of organizations.
- The hackers used sophisticated malware called SUNBURST to create backdoors, allowing them to access sensitive information and control systems.
- The discovery of the hack was facilitated by FireEye, a cybersecurity firm whose own tools were stolen by the hackers.
- The SolarWinds hack raised significant concerns about cybersecurity and the potential for cyber warfare, leading to international sanctions and increased cyber defenses.

<!-- aeo:section end="key-takeaways" -->
<!-- aeo:section start="frequently-asked-questions" -->
## Frequently Asked Questions

### What was the SolarWinds hack?

The SolarWinds hack was a cyberattack that infiltrated various high-level institutions, including the US Treasury, the US Department of Commerce, NATO, the UK government, Microsoft, and several federal departments of the United States government. The attack was carried out by Russian government and sub-governmental hackers who exploited software known as Orion, produced by SolarWinds.

### How did the hackers gain access to the systems?

The hackers gained access by exploiting a flaw in Microsoft's Cloud services, which allowed them to see usernames and passwords. They then bypassed Microsoft's multi-factor authentication tools and infiltrated SolarWinds' Microsoft Office 365 account, giving them access to major sections of the SolarWinds network. They inserted malware called SUNBURST into the Orion software updates, creating a backdoor for unauthorized access.

### What was the impact of the SolarWinds hack?

The impact was profound, with potential damage estimated in the hundreds of billions of dollars. The hack allowed unauthorized access to sensitive information, emails, confidential documents, and more. It led to a prolonged discussion on whether it constituted an act of war, but no military retaliation was undertaken.

### Who were the perpetrators of the SolarWinds hack?

The perpetrators were Russian government and sub-governmental hackers, specifically the hacking groups Berserk Bear and Cozy Bear. These groups are known for targeting utilities infrastructure and government organizations, respectively.

### How was the SolarWinds hack discovered?

The hack was discovered by the cybersecurity firm FireEye, which noticed unusual activity in their own systems. FireEye traced the route the hackers used and isolated the malware responsible, leading to the identification of the compromised Orion updates. This revelation prompted other affected organizations to take action.

### What organizations were affected by the SolarWinds hack?

Affected organizations included the US Treasury, the US Department of Commerce, NATO, the UK government, Microsoft, the Parliament of the European Union, and eleven executive departments of the federal United States government. Additionally, several private-sector companies like Equifax, Cisco, and Nvidia were also infiltrated.

### What was the role of FireEye in the SolarWinds hack?

FireEye played a crucial role in discovering the hack. They noticed that their own tools had been stolen and traced the route the hackers used. By examining the Orion software, they isolated the malware and alerted other organizations, leading to the identification and mitigation of the hack.

### What was the response of the US government to the SolarWinds hack?

The US government expelled ten Russian diplomats and levied sanctions against 38 companies and individuals. There was a prolonged discussion on whether the hack constituted an act of war, but no military retaliation was undertaken. The focus was on learning from the incident and strengthening defenses against future attacks.

### What was the role of SolarWinds in the hack?

SolarWinds was the creator of the Orion software that was hacked. The company did not have a senior director in charge of information security and was aware of vulnerabilities in their systems, including weak passwords. They faced a class-action lawsuit and criticism for not making their software open-source.

### What was the SUNBURST malware?

SUNBURST was a type of malware inserted into the Orion software updates by the hackers. It created a backdoor for unauthorized access, allowing the hackers to see emails, confidential documents, and other sensitive information. The malware was designed to wait fourteen days before becoming active, making it difficult to detect.

<!-- aeo:section end="frequently-asked-questions" -->
<!-- aeo:section start="sources" -->
## Sources

- [Original Into the Shadows video: The Most Devastating Hack in History...](https://www.youtube.com/watch?v=POj8g8XfAAA)
- [https://www.trentonsystems.com/blog/solarwinds-hack-overview-prevention](https://www.trentonsystems.com/blog/solarwinds-hack-overview-prevention)
- [https://therecord.media/solarwinds-hack-affected-six-eu-agencies](https://therecord.media/solarwinds-hack-affected-six-eu-agencies)
- [https://www.newsweek.com/nato-assessing-damage-solarwinds-hack-canada-issues-alert-1554964](https://www.newsweek.com/nato-assessing-damage-solarwinds-hack-canada-issues-alert-1554964)
- [https://www.nytimes.com/2020/12/08/technology/fireeye-hacked-russians.html](https://www.nytimes.com/2020/12/08/technology/fireeye-hacked-russians.html)
- [Hero image source](https://upload.wikimedia.org/wikipedia/commons/1/18/Manila_Central_Post_Office_after_fire_2023-06-11.jpg) by LMP 2001 / openverse, by-sa.

<!-- aeo:section end="sources" -->