Solarwinds Orion

Incident Summary

SolarWinds Orion updates delivered widespread backdoors.

Attackers compromised SolarWinds' build system and inserted the Sunburst backdoor into signed Orion platform updates, reaching roughly 18,000 customers through trusted software. The operation opened access into U.S. federal agencies, security firms, and major enterprises, becoming one of the defining modern supply-chain intrusions. Supernova appeared as a related secondary backdoor in the same operational orbit.

Date: 2019-09-04 to 2020-12-14
Category: Commercial
Target Surface: Build/CI
Insertion Phase: CI/CD
Impact: Backdoor
Cause: Build system compromise

What Was Affected

Package Solarwinds Orion

LanguageC#

ComponentApplication

Artifact typebinary archive

Domain typeproject download host

Domain solarwinds.com

Compromised Versions

Orion Platform 2019.4 HF5 (version 2019.4.5200.9083)
Orion Platform 2020.2 RC1 (version 2020.2.100.12219)
Orion Platform 2020.2 RC2 (version 2020.2.5200.12394)
Orion Platform 2020.2 HF1 (version 2020.2.5300.12432)

Incident Context

Motive: Espionage
Attribution: Nation-state
Transitive: No
User Impact: 18000
Observed Duration: 467 days

Evidence

Compromised Artifacts

Current Artifacts and Analysis

github.com/mandiant/sunburst_countermeasures
virustotal.com/gui/file/32519b85c0b422e4656de6e6c41878e95fd95026267daab4215ee59c107d6c77
malware-research.org/solarwinds-sunburst-backdoor-forensic-analysis
netresec.com
See CISA (AA20-352A), Mandiant, and Microsoft references for full IoC lists, including C2 domains/IPs.

Indicators and Changes

Hashes

sha256:32519b85c0b422e4656de6e6c41878e95fd95026267daab4215ee59c107d6c77
sha256:019085a76ba7126fff22770d71bd901c325fc68ac55aa743327984e89f4b0134
sha256:ce77d116a074dab7a22a0fd4f2c1ab475f16eec42e1ded3c0b0aa8211fe858d6
sha256:dab758bf98d9b36fa057a66cd0284737abf89857b73ca89280267ee7caf62f3b
md5:b91ce2fa41029f6955bff20079468448