SolarWinds / Sunburst
An intelligence service smuggled a backdoor into a routine network-monitoring update and reached roughly 18,000 networks at once.
SolarWinds is the kind of company that exists largely below the public's notice: a Texas vendor of network management tools used by Fortune 500s, federal departments, and tens of thousands of administrators who keep server farms alive.
Patching the wrong thing
In December 2020, FireEye (the company that later took the name of its Mandiant unit), investigating its own breach, traced the intrusion to a routine update to a SolarWinds product called Orion. The build pipeline itself had been compromised: the malicious code was injected during compilation, so the source repository looked clean while the compiled DLL (SolarWinds.Orion.Core.BusinessLayer.dll) carried the backdoor and was signed with SolarWinds' legitimate certificate. Every customer who installed one of the affected Orion releases (2019.4 HF 5 through 2020.2.1 HF 1, shipped between March and June 2020) received a quiet backdoor, which FireEye named Sunburst.
About 18,000 organizations downloaded the trojanized build. The attackers, later attributed by the US government to Russia's SVR, followed up on only a small fraction of them, roughly a hundred companies and about nine federal agencies. Among the victims were parts of the US Treasury, Commerce, Homeland Security, Justice, and Energy departments, plus Microsoft, FireEye, and major telecoms.
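The point the signed-update paragraph makes is easy to state and easy to get wrong in practice: a valid code signature proves that the vendor's key endorsed the bytes, not that the bytes match what the vendor's developers wrote. The following Go program is an added example, not SolarWinds code or anything from the investigation. It models a toy deterministic build, a build-server implant that adds code after the source tree has been reviewed, and an Ed25519 release signature standing in for Authenticode; the file names, contents and the "backdoor.cs" placeholder are all constructed for illustration. It then runs the two checks a customer could perform: signature verification, which the trojanized release passes, and an independent rebuild from the same source compared by SHA-256, which it fails.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
	"sort"
	"strings"
)

// Source is a constructed stand-in for a vendor's source tree: file name -> contents.
type Source map[string]string

// Build is a deterministic stand-in for a compiler: it emits the files in sorted
// order, so two honest builds of the same tree produce byte-identical output.
func Build(src Source) []byte {
	names := make([]string, 0, len(src))
	for n := range src {
		names = append(names, n)
	}
	sort.Strings(names)
	var sb strings.Builder
	for _, n := range names {
		sb.WriteString(n)
		sb.WriteString(":")
		sb.WriteString(src[n])
		sb.WriteString("\n")
	}
	return []byte(sb.String())
}

// Release is what a customer downloads: the artifact plus the vendor's signature over it.
type Release struct {
	Artifact  []byte
	Signature []byte
}

// Sign models the vendor's release-signing step; the key is assumed to live on
// the build infrastructure, which is exactly what an attacker there gets to use.
func Sign(priv ed25519.PrivateKey, artifact []byte) Release {
	return Release{Artifact: artifact, Signature: ed25519.Sign(priv, artifact)}
}

// VerifySignature is the check an installer performs: does the vendor key endorse
// these bytes? It says nothing about how the bytes were produced.
func VerifySignature(pub ed25519.PublicKey, r Release) bool {
	return ed25519.Verify(pub, r.Artifact, r.Signature)
}

// VerifyProvenance rebuilds the artifact from the reviewed source tree and compares
// digests. An implant in the build step changes the output bytes but not the signature,
// so this is the check that catches it. Returns (match, expectedHex, actualHex).
func VerifyProvenance(src Source, r Release) (bool, string, string) {
	want := sha256.Sum256(Build(src))
	got := sha256.Sum256(r.Artifact)
	return want == got, hex.EncodeToString(want[:]), hex.EncodeToString(got[:])
}

// CompromisedBuild models an implant in the build pipeline: the source tree that
// developers review is untouched, but the compiler's output gains extra code.
func CompromisedBuild(src Source) []byte {
	honest := Build(src)
	implant := "backdoor.cs:/* constructed placeholder, not real Sunburst code */\n"
	return append(honest, []byte(implant)...)
}

// Scenario signs an honest and a trojanized build with the same vendor key and
// reports (signature ok, provenance ok) for each.
func Scenario() (honestSig, honestProv, trojanSig, trojanProv bool) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	src := Source{ // constructed sample tree, not SolarWinds source
		"BusinessLayer.cs": "class BusinessLayer { /* constructed sample */ }",
		"Core.cs":          "class Core { /* constructed sample */ }",
	}
	honest := Sign(priv, Build(src))
	trojan := Sign(priv, CompromisedBuild(src))
	honestSig = VerifySignature(pub, honest)
	honestProv, _, _ = VerifyProvenance(src, honest)
	trojanSig = VerifySignature(pub, trojan)
	trojanProv, _, _ = VerifyProvenance(src, trojan)
	return
}

func main() {
	hs, hp, ts, tp := Scenario()
	fmt.Printf("honest release:     signature=%v provenance=%v\n", hs, hp)
	fmt.Printf("trojanized release: signature=%v provenance=%v\n", ts, tp)
}
```

The rebuild check only works because Build is deterministic; with a real toolchain that means pinned compiler versions, fixed timestamps and stripped build paths, which is the engineering behind reproducible-build programs. It also requires that the rebuild run on infrastructure separate from the vendor's build server, otherwise the same implant produces the same wrong answer twice.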
A quiet, long campaign
The operators had been inside SolarWinds' development environment for months before the trojan shipped: initial access dated to around September 2019, a harmless test modification went out in a build that October, and the Sunburst code itself was added in February 2020 and shipped in March. They were patient. They studied the build process, inserted code that lay dormant for up to two weeks after installation and checked for security tooling and analysis environments before doing anything, and used command-and-control infrastructure whose traffic imitated the Orion Improvement Program telemetry the product legitimately sends.
What the chronicle remembers
SolarWinds reframed "trust" in software. Code signing, automatic updates, vendor attestations — the entire scaffold of modern software distribution turned out to be exactly as strong as the weakest build server in the chain. Every CISO in the country spent the following year drawing supply-chain diagrams they should arguably have already had.