A Year After SolarWinds, Supply Chain Threats Still Loom


A year ago today, the security firm FireEye made an announcement that was as surprising as it was alarming. Sophisticated hackers had silently slipped into the company’s network, carefully tailoring their attack to evade the company’s defenses. It was a thread that would unspool into what is now known as the SolarWinds hack, a Russian espionage campaign that resulted in the compromise of countless victims.

To say the SolarWinds attack was a wake-up call would be an understatement. It laid bare how extensive the fallout can be from so-called supply chain attacks, when attackers compromise widely used software at the source, in turn giving them the ability to infect anyone who uses it. In this case, it meant that Russian intelligence had potential access to as many as 18,000 SolarWinds customers. They ultimately broke into fewer than 100 choice networks—including those of Fortune 500 companies like Microsoft and the US Justice Department, State Department, and NASA.

Supply chain attacks aren’t new. But the magnitude of the SolarWinds crisis significantly raised awareness, sparking a year of frantic investment in security improvements across the tech industry and US government.

“If I don’t get a call on December 12, I’ll consider that a success,” says SolarWinds president and CEO Sudhakar Ramakrishna. On that date a year ago, SolarWinds itself learned that Orion, its IT management tool, was the source of the FireEye intrusion—and what would ultimately become dozens more. Ramakrishna did not yet work at SolarWinds, but he was slated to join on January 4, 2021. 

While this week marks the one-year anniversary of cascading discoveries around the SolarWinds hack, the incident actually dates back as early as March 2020. Russia’s APT 29 hackers—also known as Cozy Bear, UNC2452, and Nobelium—spent months laying the groundwork. But that very dissonance illustrates the nature of software supply chain threats. The hardest part of the job is upfront. If the staging phase is successful, attackers can flip a switch and gain access to many victim networks at once, all with trusted software that seems legitimate.

Across the security industry, practitioners universally told WIRED that the SolarWinds hack—also called the Sunburst hack, after the backdoor malware distributed through Orion—has meaningfully expanded understanding about the need for transparency and insight into the provenance and integrity of software. There had certainly been other impactful software supply chain attacks before December 2020, like the compromise of computer cleanup tool CCleaner and Russia’s infamous distribution of the destructive NotPetya malware through the Ukrainian accounting software MEDoc. But for the US government and tech industry, the new campaign hit especially close to home.

“It definitely was a turning point,” says Eric Brewer, Google’s vice president of Cloud Infrastructure. “Before I would explain to people that the industry has a challenge here, we need to deal with it. And I think there was some understanding, but it wasn’t very highly prioritized. Attacks people haven’t seen directly are just abstract. But post-SolarWinds that message resonated in a different way.”

That awareness has also begun to translate into action, including building out the software equivalent of ingredient lists and ways to better monitor code. But it’s slow work; the supply chain problem requires as many solutions as there are types of software development.
