SolarWinds: When the Trusted Update Was the Attack
Attackers did not break into thousands of networks one by one. They compromised a single software vendor's build process and let the trusted updates carry the backdoor in. A breakdown of the SolarWinds supply chain attack.
Imagine you are the head of security at a large organisation. You have done everything right. Firewalls, strong passwords, staff training, careful patching. One quiet afternoon a routine notification appears: your network monitoring software has an update available, signed and delivered by the vendor you have trusted for years. You click install, just as you have a hundred times before. And with that single click, you personally invite an intruder into your network. That is the cold genius of the SolarWinds attack. Most attacks kick in the front door. This one poisoned the well upstream, so that thousands of organisations installed the backdoor themselves, through a signed update they had every reason to trust. It reshaped how the industry thinks about supply chain risk. This is what happened and why it mattered.
Credit and scope
The intrusion was discovered and first reported by the security firm FireEye (Mandiant) in December 2020. The operation was later attributed by the US government to Russia's SVR intelligence service. This is a defensive explainer of the technique, not original research.
First, what is a supply chain attack?
Before the details, let us pin down the phrase, because everything hangs on it. In the physical world, a supply chain is every step that gets a product to you: raw materials, factories, warehouses, delivery trucks. If someone tampers with the product at the factory, every shop that sells it and every customer who buys it receives the tampered version, no matter how careful the shop or the customer is.
Software has a supply chain too. Code is written, then compiled (turned from human readable text into a program the computer runs), then packaged, signed, and shipped out as an update. A software supply chain attack means tampering with the product somewhere along that path, at the source, rather than attacking each customer one by one. The attacker corrupts the well that everyone drinks from.
The idea: attack the source, not the targets
SolarWinds is a company that makes Orion, a widely used network management platform. Network management software sits deep inside a network with broad visibility and access, because its whole job is to watch and manage everything else. Orion ran inside the networks of governments and large companies precisely because it is trusted to see a lot.
Rather than attacking those networks directly, which would have meant thousands of separate break ins, the attackers compromised SolarWinds' own build pipeline. A build pipeline is the automated assembly line that takes source code and turns it into the finished, packaged update customers download. Think of it as the factory floor for software.
They quietly inserted malicious code, later named SUNBURST, into the Orion source as it was being built. Because the malicious code was injected during the build itself, the result was a genuine, correctly signed update from SolarWinds that also happened to contain a backdoor. A backdoor is a hidden way in that bypasses the normal login and controls, like a secret tunnel dug under the front gate.
Attacker compromises the BUILD system
-> backdoor is baked into the official Orion update
-> SolarWinds signs and ships it as normal
-> ~18,000 customers install the trusted update
-> the attacker now has a foothold inside all of themThe scale is worth pausing on. Somewhere around eighteen thousand customers received the tampered update. Not all of them were exploited further, but every one of them had opened the door. A single compromise of one factory floor reached deep into thousands of organisations at once. That leverage, one break in producing thousands of footholds, is what makes supply chain attacks so attractive to well resourced attackers.
Why trust was the weapon
Everything about the update looked legitimate, because it was legitimate, just tampered with at the source. It came from the real vendor, over the real update channel, with a valid signature. Every check an organisation normally relies on said "this is fine".
To understand why that is so devastating, you need to understand code signing. When a vendor releases software, they attach a cryptographic signature, a kind of tamper evident seal. Your computer checks the seal and confirms two things: that the software really came from that vendor, and that nobody altered it after the vendor sealed it. It is like a wax seal on a letter, proving both who sent it and that it was not opened in transit.
Here is the fatal twist. The attackers made their change before the seal was applied. The build pipeline compiled the poisoned code and then, as part of its normal automated routine, stamped the trusted SolarWinds seal onto it. The seal was completely genuine. It was honestly vouching for a dishonest package.
The signature was real
Code signing is supposed to prove an update is genuine and untampered. Here the tampering happened before signing, so the malicious build was signed as authentic. That is the heart of a supply chain attack: it subverts the very trust that security depends on.
Then came the patient part, and it is what marks this out as the work of an advanced persistent threat, or APT, meaning a well funded and highly disciplined attacker who plays a long game rather than grabbing what they can and running. The backdoor did not fire on everyone. After installation it lay dormant for roughly two weeks, long enough to blend in with normal behaviour and avoid looking like something that appeared the moment the update landed. It then quietly checked in and waited for instructions. From the enormous pool of infected organisations, the attackers hand picked the high value targets, government agencies and major firms, for deeper, hands on intrusion, and left the rest untouched. Careful, targeted, and very hard to spot.
How the backdoor stayed hidden
Part of what kept SUNBURST quiet for so long was how ordinary it tried to appear. A few of its techniques are worth understanding, because they show why simple checks failed.
- It blended into normal traffic. The backdoor disguised its communications to look like Orion's own legitimate network chatter, so a defender glancing at the traffic saw nothing out of place.
- It waited before acting. By staying dormant for a couple of weeks, it broke the obvious link between "we installed an update" and "strange things started happening".
- It checked its surroundings. The code looked for signs it was being examined, such as security analysis tools, and would stay silent if it thought it was being watched.
None of these are exotic. Together they bought the operation many months of quiet access before anyone noticed.
Signed does not mean safe
A valid signature answers "did this come unaltered from the vendor", not "is the vendor's own build process trustworthy". Treat the two as separate questions. A perfect signature on a compromised build is exactly what SolarWinds produced.
What it taught the industry
SolarWinds, alongside events like Log4Shell, pushed supply chain security from a niche worry to a board level concern. A few lessons landed especially hard.
- You inherit your suppliers' security. Every vendor whose software runs in your network is part of your attack surface, whether you audit them or not. Their weakest day becomes your weakest day.
- Build pipeline integrity is critical. If an attacker can alter what gets built and signed, no downstream check will catch it. Securing the pipeline itself, with tight access, monitoring, and verification of what actually gets compiled, became a priority.
- A software bill of materials matters. A software bill of materials, often shortened to SBOM, is simply an itemised list of every component and version inside a piece of software, like the ingredients label on food packaging. Knowing exactly what you run is what lets you answer "are we affected" in hours rather than weeks when a component turns out to be compromised.
- Assume breach and watch behaviour. "Assume breach" means designing as though an attacker is already inside, rather than trusting that your walls held. The intrusion was ultimately caught by noticing anomalous behaviour, not by a signature check. Monitoring what software actually does, not just whether it is signed, is essential.
This model did not go away
SolarWinds was not a one off curiosity. The same shape, compromise a trusted upstream and let it distribute for you, has recurred in package repositories, developer tools, and update mechanisms since. Treat build systems and vendor trust as first class parts of your threat model, not an afterthought.
The takeaway
SolarWinds worked by compromising a trusted vendor's build process so that thousands of organisations installed a signed, legitimate looking update that carried a backdoor. It weaponised trust itself, which is what makes supply chain attacks so dangerous and so hard to prevent with ordinary checks, because every ordinary check said the update was fine, and technically it was right. The response is to secure build pipelines, know your software components with something like an SBOM, and watch for anomalous behaviour rather than resting on a valid signature, because the update that looks most trustworthy is exactly the one an attacker wants to ride in on.