Skip to content
Back to all chronicles
Nation-State & Cyberwar#nation-state#supply-chain#svr

SolarWinds: The Backdoor Hidden in a Routine Update

SolarWinds shipped a trojanized Orion update that planted the Sunburst backdoor on 18,000 networks, letting Russia's SVR breach US agencies.

Cyber Chronicle2 min read

SolarWinds is the kind of company that exists largely below the public's notice: a Texas vendor of network management tools used by Fortune 500s, federal departments, and tens of thousands of administrators who keep server farms alive.

Patching the wrong thing

In late 2020, Mandiant — investigating its own breach — found that the malicious code had arrived through a routine update to a SolarWinds product called Orion. The build pipeline itself had been compromised. Every customer who applied the signed update received a quiet backdoor, branded internally as Sunburst, embedded in a legitimate-looking DLL.

About 18,000 organizations downloaded the trojanized build. The attackers, later attributed to Russia's SVR, picked roughly a hundred to actually exploit — among them parts of the US Treasury, Commerce, Homeland Security, Justice, and Energy departments, plus Microsoft, Mandiant, and major telecoms.

A quiet long campaign

The operators had been inside SolarWinds' development environment for months before the trojan shipped. They were patient. They studied the build process, inserted code that only activated under specific conditions, and used infrastructure designed to look like normal Orion telemetry.

What the chronicle remembers

SolarWinds reframed "trust" in software. Code signing, automatic updates, vendor attestations — the entire scaffold of modern software distribution turned out to be exactly as strong as the weakest build server in the chain. It remains the defining supply-chain attack of the era. Every CISO in the country spent the following year drawing supply-chain diagrams they should arguably have already had.

Related chronicles