Details of the 2020 SolarWinds attack continue to unfold, and it may be years before the final damages can be tallied.
While it is “hard to say” if the SolarWinds software supply-chain compromise will become known as the highest-impact cyber intrusion ever, it did catch “many people off guard” despite the security industry’s frequent warnings that supply chains pose substantial risks, according to Eric Parizo, principal analyst of security operations at Omdia, a global research firm.
The SolarWinds attack is unprecedented because of “its capability to cause significant physical consequences,” says University of Richmond management professor Shital Thekdi, an expert on risk management and industrial and operations engineering. The attack “impacted critical infrastructure providers, potentially impacting energy and manufacturing capacities,” she said, and created an ongoing intrusion that “should be treated as a serious event with potential for great harm.”
Following is a timeline of how events related to the SolarWinds hack have unfolded, to date.
SolarWinds hack timeline (last updated March 28, 2021)
December 8, 2020 How the discovery began — FireEye, a prominent cybersecurity firm, announced it was the victim of a nation-state attack. The security team reported that its Red Team toolkit, containing applications used by ethical hackers in penetration tests, had been stolen.
December 13, 2020 Initial detection — FireEye discovered a supply chain attack while it was investigating the nation-state attack on its own Red Team toolkit. The researchers found evidence that attackers had inserted a backdoor into the SolarWinds software, “trojanizing SolarWinds Orion business software updates to distribute malware.” FireEye dubbed the backdoor “SUNBURST.”
December 13, 2020 CISA issues emergency directive — The U.S. Cybersecurity and Infrastructure Security Agency (CISA) issued Emergency Directive 21-01, “Mitigate SolarWinds Orion Code Compromise,” instructing affected government agencies to take several steps to preserve evidence for forensic investigation and to “immediately disconnect or power down SolarWinds Orion products, versions 2019.4 through 2020.2.1 HF1, from their network.”
December 14, 2020 Attribution — The Washington Post published a report attributing the attack to the Russian hacking group known as Cozy Bear, which is connected to the Russian foreign intelligence service, the SVR.
December 15, 2020 Victims named and timeline moves back — Wall Street Journal reported that the...