The SolarWinds hack timeline: Who knew what, and when?

Details of the 2020 SolarWinds attack continue to unfold, and it may be years before the final damages can be tallied.

While it is “hard to say” if the SolarWinds software supply-chain compromise will become known as the highest-impact cyber intrusion ever, it did catch “many people off guard” despite the security industry’s frequent warnings that supply chains pose substantial risks, according to Eric Parizo, principal analyst of security operations at Omdia, a global research firm.

The SolarWinds attack is unprecedented because of “its capability to cause significant physical consequences,” says University of Richmond management professor Shital Thekdi, an expert on risk management and industrial and operations engineering. The attack “impacted critical infrastructure providers, potentially impacting energy and manufacturing capacities,” she said, and created an ongoing intrusion that “should be treated as a serious event with potential for great harm.”

Following is a timeline of how events related to the SolarWinds hack have unfolded, to date.

SolarWinds hack timeline (last updated March 28, 2021)

December 8, 2020 How the discovery began — FireEye, a prominent cybersecurity firm, announced they were a victim to a nation-state attack. The security team reported their Red Team toolkit, containing applications used by ethical hackers in penetration tests, was stolen.

December 13, 2020 Initial detection — FireEye discovered a supply chain attack while it was investigating the nation-state attack on its own Red Team toolkit.  The researchers stumbled across evidence that attackers entered a backdoor in the SolarWinds software “trojanizing SolarWinds Orion business software updates to distribute malware.” FireEye dubbed it “SUNBURST.”

December 13, 2020 CISA issues emergency directive — The U.S. Cybersecurity and Infrastructure Security Agency (CISA) issued Emergency Directive 21-01, “Mitigate SolarWinds Orion Code Compromise” instructing affected government agencies to take several steps for forensic investigative purposes and “immediately disconnect or power down SolarWinds Orion products, versions 2019.4 through 2020.2.1 HF1, from their network.”

December 14, 2020  The Washington Post published a report attributing the attack to Russian hacker group known as Cozy Bear, connected to the Russian foreign intelligence service, the SVR.

December 15, 2020 Victims named and timeline moves back — Wall Street Journal reported that the U.S. Commerce and Treasury Departments, the Department of Homeland Security (DHS), the National Institutes of Health, and the State Department were all affected. Various security officials and vendors expressed serious dismay that the attack was more widespread and began much earlier than expected. The initial attack date was now pegged to sometime in March 2020, which meant the attack had been underway for months before its detection.

More technical details also began to emerge, illustrating how well the malicious activity was covered and why it was hard to detect.

December 17, 2020 New victims revealed — The Energy Department (DOE) and National Nuclear Security Administration (NNSA), which maintains the U.S. nuclear weapons stockpile, were publicly named as victims of the attack.

December 19, 2020 200 more victims listed — Recorded Future, a cybersecurity firm, identified an additional list of government agencies and companies around the world that had also been attacked, but did not publicly reveal their identities.

Using Twitter for his first comments on the attack, then-U.S. President Donald Trump publicly suggested that China, not Russia, was the source, and also described the hack as a hoax. U.S.  Secretary of State Mike Pompeo and other senior members of the administration disputed these claims the same day, stating that “we can say pretty clearly that it was the Russians that engaged in this activity.”

December 31, 2020 Microsoft says the Russian attackers breached some of its source code — The software giant said that the attackers could not modify code, products, or email and they did not use Microsoft goods to attack other victims. By this point, the attacks are largely thought to “have begun as far back as October 2019…when hackers breached the Texas company SolarWinds.”

January 5, 2021 Joint statement by FBI, CISA, ODNI, and NSA released — The Federal Bureau of Investigations (FBI), CISA, The office of the National Director of Intelligence (ODNI), and the National Security Agency (NSA), jointly released a statement on the formation of the Cyber Unified Coordination Group, which “indicates that an advanced persistent threat (APT) actor, likely Russian in origin, is responsible for most or all of the recently discovered, ongoing cyber compromises of both government and non-governmental networks. At this time, we believe this was, and continues to be, an intelligence gathering effort.”

January 6, 2021 CISA issues supplemental guidance — CISA’s supplemental guidance required US government agencies that ran affected versions of SolarWinds Orion conduct forensic analysis; those that accept the risk of running the software comply with certain hardening requirements, and new reporting requirements by agency from department-level CIOs. The deadlines for the agency CIO reports were Tuesday, January 19, and Monday, January 25, 2021.

January 27, 2021 CISA releases a report on Supernova,  the malware “that was deployed using a vulnerability in the Orion Platform, and after the Orion Platform had been installed.”

January 29, 2021 SolarWinds issues an advisory for both Sunburst and Supernova.

February 19, 2021 Biden Administration declares intent to punish Russia for SolarWinds attack — Jake Sullivan, national security advisor, told CNN’s Christiane Amanpour that President Joe Biden’s administration would look at a “broad range of responses” after an investigation to further pinpoint the identities of the attackers.

February 23, 2021 First Congressional hearing — Microsoft and FireEye testified before the Senate Intelligence Committee on the SolarWinds attacks. A transcript and a video of the hearing is available on C-Span. Microsoft President Brad Smith said its “researchers believed at least 1,000 very skilled, very capable engineers worked on the SolarWinds hack. This is the largest and most sophisticated sort of operation that we have seen,” Smith told senators. All defended their own actions before and after the attacks, and all fingers pointed at Russia as the attacker.

February 26, 2021 Second Congressional hearing — The U.S. House Committee on Oversight and Reform and the House Committee on Homeland Security held a joint hearing “examining recent cybersecurity incidents affecting government and private sector networks, including the supply chain attack targeting SolarWinds Orion Software and other cyberattacks.  On December 17, the Committees launched an investigation into the cyberattacks.  On December 18, the Unified Coordination Group provided a classified Member briefing by telephone about the attacks.”

February 24, 2021 SolarWinds issues a FAQ: Security Advisory. This advisory offered further guidance to SolarWinds customers on how to tell if they were affected, what steps to take, and answers to related questions.

March 15, 2021 A Public Affairs spokesperson in the National Press Office of the FBI answered “no comment” to CSOonline.com’s questions on the current status of the SolarWinds attacks, stating that “the investigation is ongoing.”

March 28, 2020  Reports state DHS, cybersecurity leaders’ emails compromised — The Associated Press reported that the SolarWinds hackers “gained access to email accounts belonging to the Trump administration’s head of the Department of Homeland Security and members of the department’s cybersecurity staff whose jobs included hunting threats from foreign countries.”

What now? What next?

While the country and the world waits for the final measure of the costs and scale of the SolarWinds attack, it is clear to all that the impact continues.

“There are a multitude of reasons why there could still be vulnerable systems out there or with the vulnerable systems patched an attacker could have pivoted and maintained persistence without the company knowing. Some SolarWinds customers may still be unaware that they have SolarWinds on their network. Maybe the staff that installed it isn’t employed there anymore or maybe key personnel didn’t hear the news or the company doesn’t have the tools to detect it,” warns Amanda Berlin, a security consultant and co-author of the Defensive Security Handbook. “So many environments have limited visibility into what is happening that they may never know until something goes wrong.”

In any case, the future implications are considered grim if lessons learned from this are not acted upon.

“From a long-term perspective, enterprises should not only ensure they have a data exfiltration prevention program, assuming all other defenses fail, but also seek to develop a ‘cyber kill chain’ for supply-chain compromises, creating as many opportunities as possible to prevent, disrupt, or at least quickly detect them,” said Omdia analyst Parizo.

“This should include software risk management best practices, such as NIST’s Cyber Supply Chain Risk Management (C-SCRM), and establishing a baseline set of software security requirements that must be met by any software vendor prior to a purchase,” Parizo added.