Frequently Asked Questions

SolarWinds Attack: Background & Impact

What is SolarWinds and what does the Orion platform do?

SolarWinds is a software development company based in Austin, Texas, known for its Orion platform, which centralizes monitoring of multiple technology areas for enterprises. Orion ingests and correlates large amounts of data from various company technology sets, providing administrators with comprehensive performance and planning information. Because of its access to sensitive data, Orion is typically tightly controlled within organizations.

How did the SolarWinds attack happen?

The SolarWinds attack occurred when threat actors compromised SolarWinds' networks, likely by taking over a digital identity certificate. This allowed them to forge identities and access internal systems, including the platform used to distribute Orion software updates. Attackers inserted malicious code into updates, which were then distributed to Orion users, resulting in a widespread supply-chain attack.

What is a supply-chain attack and how did it affect SolarWinds customers?

A supply-chain attack targets a vendor or service provider to compromise its customers indirectly. In the SolarWinds case, attackers inserted malicious code into Orion software updates, which were then unknowingly installed by thousands of organizations, exposing them to further threat activity.

What was the SUNBURST malware and how did it operate?

SUNBURST was the name given to the malicious code inserted into Orion updates. Once installed, it notified attackers of successful compromise and allowed remote access to the Orion system, while using advanced techniques to avoid detection. It could remain undetected for months, giving attackers significant intelligence and control over affected organizations.

Who was behind the SolarWinds attack?

According to ZDNet and other sources, the attack is believed to have been carried out by a Russian nation-state Advanced Persistent Threat (APT) group, with APT39 being the most likely suspect based on unofficial reporting. The sophistication and scale of the attack support the theory of state-sponsored involvement.

How long did the SolarWinds compromise go undetected?

The SUNBURST malware is believed to have been present in Orion updates as early as March 2020, meaning some organizations may have been compromised for over six months before the attack was discovered—a significant duration in cybersecurity terms.

Could a supply-chain attack like SolarWinds happen again?

While supply-chain attacks do occur, an attack of the scale and sophistication seen in the SolarWinds incident is extremely rare. Such attacks require significant resources, talent, and time, making them uncommon, especially against large enterprise vendors with robust security controls.

What steps did Microsoft and Google take in response to SUNBURST?

Microsoft and Google, as part of an industry consortium, took control of the key domain (avsvmcloud[.]com) used by SUNBURST for command and control. This action prevented new infections from activating, though already activated instances may still pose risks. Ongoing investigations continue to assess the full impact.

What should organizations running SolarWinds Orion do after the attack?

Organizations using SolarWinds Orion are advised to temporarily shut down the platform until a full analysis can be performed. They should contact SolarWinds and Microsoft to determine if their installation is on the list of known activated SUNBURST infections and treat any potentially compromised systems with caution.

How can organizations defend against supply-chain and watering hole attacks?

Defending against supply-chain and watering hole attacks is challenging since the initial compromise targets a vendor, not the organization itself. Best practices include careful vendor management, ensuring third-party providers maintain strong cybersecurity hygiene, and continuously monitoring networks for unusual activity. Using continuously updated testing tools, like Cymulate, helps organizations quickly assess their exposure to new threats.

What is a watering hole attack and how does it relate to SolarWinds?

A watering hole attack targets a commonly used resource (like a software update server) to compromise multiple organizations indirectly. The SolarWinds attack is sometimes described as a watering hole attack because attackers poisoned a common software update, affecting all organizations that downloaded it.

How does Cymulate help organizations respond to threats like SUNBURST?

Cymulate provides Immediate Threats Intelligence simulations for SUNBURST and other advanced attack methodologies. While such tools cannot prevent unknown attacks, they enable organizations to quickly test for susceptibility to known threats and take action to mitigate risks as soon as new attack techniques are discovered.

What are the key takeaways from the SolarWinds attack?

The SolarWinds attack demonstrates the difficulty of defending against sophisticated supply-chain attacks, especially those involving nation-state actors. It highlights the importance of continuous security testing, vendor management, and rapid response to emerging threats. Organizations should use tools like Cymulate to validate their defenses against the latest attack techniques.

How does Cymulate empower organizations to improve their security posture?

Cymulate empowers organizations by providing continuous assessment and validation of their security posture through threat simulation and comprehensive security assessments. This enables organizations to stay ahead of cyber threats and respond effectively to new attack techniques.

What is the role of continuous testing in defending against advanced threats?

Continuous testing allows organizations to regularly assess their defenses against the latest threats, ensuring that new vulnerabilities and attack techniques are quickly identified and addressed. Tools like Cymulate provide up-to-date simulations to help organizations validate their exposure and resilience.

How can organizations determine if they were affected by the SolarWinds attack?

Organizations should contact SolarWinds and Microsoft to check if their Orion installation is on the list of known activated SUNBURST infections. They should also use security tools to scan for indicators of compromise and monitor for unusual activity.

What is the difference between a supply-chain attack and a watering hole attack?

Both attack types target multiple organizations indirectly. A supply-chain attack compromises a vendor to reach its customers, while a watering hole attack compromises a commonly used resource (like a website or update server) to infect users. The SolarWinds attack is an example of both, as it targeted a software update used by many organizations.

How does Cymulate keep its threat simulations up to date?

Cymulate continuously updates its threat simulation library with the latest attack techniques and intelligence, including immediate simulations for newly discovered threats like SUNBURST. This ensures organizations can test their defenses against current risks.

Where can I learn more about defending against lateral movement and supply-chain attacks?

You can read Cymulate's blog post 'Stopping Attackers in Their Tracks' for strategies to prevent lateral movement attacks, and explore the Resource Hub for whitepapers and webinars on defending against supply-chain threats. Read the blog post.

Features & Capabilities

What are the key features of Cymulate's platform?

Cymulate offers continuous threat validation, a unified platform combining Breach and Attack Simulation (BAS), Continuous Automated Red Teaming (CART), and Exposure Analytics, attack path discovery, automated mitigation, AI-powered optimization, complete kill chain coverage, ease of use, and an extensive threat library with over 100,000 attack actions updated daily.

How does Cymulate integrate with other security tools?

Cymulate integrates with a wide range of security technologies, including Akamai Guardicore, AWS GuardDuty, BlackBerry Cylance OPTICS, Carbon Black EDR, Check Point CloudGuard, Cisco Secure Endpoint, CrowdStrike Falcon, Wiz, SentinelOne, and more. For a full list, visit the Partnerships and Integrations page.

How easy is it to implement and start using Cymulate?

Cymulate is designed for quick and easy implementation, operating in agentless mode without the need for additional hardware or complex configurations. Customers can start running simulations almost immediately, with comprehensive support and educational resources available to help optimize use of the platform.

What feedback have customers given about Cymulate's ease of use?

Customers consistently praise Cymulate for its intuitive, user-friendly interface and actionable insights. Testimonials highlight its ease of implementation, practical dashboards, and accessible support, making it suitable for users of all skill levels. For example, Raphael Ferreira, Cybersecurity Manager, noted, "Cymulate is easy to implement and use—all you need to do is click a few buttons, and you receive a lot of practical insights into how you can improve your security posture."

What security and compliance certifications does Cymulate hold?

Cymulate holds several industry-leading certifications, including SOC2 Type II (covering security, availability, confidentiality, and privacy), ISO 27001:2013, ISO 27701, ISO 27017, and CSA STAR Level 1. These certifications demonstrate Cymulate's commitment to robust security and compliance standards. Learn more.

How does Cymulate ensure data security and privacy?

Cymulate ensures data security through encryption in transit (TLS 1.2+) and at rest (AES-256), secure AWS-hosted data centers, a tested disaster recovery plan, and a strict Secure Development Lifecycle (SDLC). The platform also includes mandatory 2-Factor Authentication, Role-Based Access Controls, and GDPR compliance measures.

Use Cases & Benefits

Who can benefit from using Cymulate?

Cymulate is designed for CISOs, security leaders, SecOps teams, Red Teams, and vulnerability management teams in organizations of all sizes and industries, including finance, healthcare, retail, media, transportation, and manufacturing. It delivers measurable improvements in threat resilience and operational efficiency for each persona.

What core problems does Cymulate solve for security teams?

Cymulate addresses challenges such as overwhelming threat volume, lack of visibility, unclear risk prioritization, and resource constraints. It provides continuous threat validation, exposure prioritization, improved resilience, operational efficiency, and collaboration across security teams.

What measurable outcomes have customers achieved with Cymulate?

Customers have reported a 52% reduction in critical exposures, a 60% increase in team efficiency, and an 81% reduction in cyber risk within four months. These outcomes are supported by case studies such as Hertz Israel's success story. Read the case study.

How does Cymulate help with vulnerability management?

Cymulate automates in-house validation between penetration tests, prioritizes vulnerabilities based on exploitability, and provides actionable insights for remediation. This improves operational efficiency and ensures that teams focus on the most critical exposures.

How does Cymulate support communication and reporting for CISOs?

Cymulate provides quantifiable metrics and insights that help CISOs justify security investments, communicate risks effectively, and align security strategies with business objectives. The platform delivers validated data tailored to different organizational roles.

What are some real-world use cases and case studies for Cymulate?

Examples include Hertz Israel reducing cyber risk by 81%, a sustainable energy company scaling penetration testing, Nemours Children's Health improving detection in hybrid environments, and Saffron Building Society proving compliance for audits. See more at Cymulate's Case Studies page.

Pricing & Plans

What is Cymulate's pricing model?

Cymulate uses a subscription-based pricing model tailored to each organization's needs. Pricing depends on the chosen package, number of assets, and scenarios selected for testing. For a detailed quote, organizations can schedule a demo with the Cymulate team.

Competition & Comparison

How does Cymulate differ from other security validation platforms?

Cymulate stands out with its unified platform that integrates BAS, CART, and Exposure Analytics, continuous 24/7 threat validation, AI-powered optimization, complete kill chain coverage, ease of use, and rapid innovation with bi-weekly feature updates. It is suitable for a wide range of roles and industries and is recognized for measurable outcomes and customer satisfaction.

Support & Resources

Where can I find Cymulate's blog, newsroom, and resource hub?

You can access the latest threats, research, and company news on the Cymulate blog, newsroom, and Resource Hub for whitepapers, webinars, and product information.

How can I stay updated with Cymulate's latest news and research?

Stay informed by visiting the Cymulate blog for the latest threats and research, and the Newsroom for media mentions and press releases.

Where can I find information about Cymulate's events and webinars?

Information about live events and webinars hosted or attended by Cymulate is available on the Events & Webinars page.

Where can I find resources like whitepapers, reports, and thought leadership articles?

Cymulate's Resource Hub contains a combination of insights, thought leadership, and product information, including whitepapers, reports, and webinars. Access it at the Resource Hub.


What Do I Need to Know About the SolarWinds Attack?

By: Cymulate

Last Updated: January 8, 2025

Cymulate blog article

In 2020, many US Government agencies - including many that are concerned with national security - were successfully attacked by a nation-state actor. Coming on the heels of an attack against a major cybersecurity equipment and software vendor, this news immediately set off alarm bells throughout the world: if security agencies and security companies could be attacked, what is to stop anyone else from becoming a victim?

The attack was fairly complex, leading to a great deal of fear and uncertainty in the greater technology world, and even more confusion over what happened. What we do know is that SolarWinds fell victim to a highly sophisticated attack that left their customers vulnerable to further threat activity.

What is SolarWinds?

SolarWinds (SW) is a software development company based in Austin, Texas. Founded in 1999, SW produces software platforms that manage other components of enterprise technology - from monitoring networks to managing support tickets.

In this case, the attack revolved around a specific SW platform - Orion. This platform is used to centralize the monitoring of multiple technology areas so that administrators and management have up-to-date information about performance, issues, and planning data for future growth.

The Orion platform ingests and correlates massive amounts of data from various areas of company technology sets, and therefore can see a tremendous amount of information about a company, its technology, and its data. Because of this, access to the Orion platform within any given company is tightly controlled, with only a few senior administrators having access to the data that is collected and reviewed.

How the SolarWinds attack happened

The attack occurred when SolarWinds networks were compromised by an outside threat actor. As of this writing, the method used seems to have been the takeover of a particular identity certificate (a digital file, produced by cryptographic operations, that allows one system to identify itself to another system, or one user to identify themselves digitally to one or more systems).

This certificate was then used to forge other identities and access components, allowing the attackers to gain access to some systems within SW's infrastructure. In addition to any other systems the attackers may have compromised (the investigation is still ongoing), one of the systems that suffered incursion was the platform used to stage and ship software updates to customers of the Orion platform.

The attackers inserted their own code into one or more updates, which were then distributed to all users of Orion when they performed regular software updates/patching on the Orion system in their own environments.

This form of attack is often referred to as a "Supply-Chain Attack" since it doesn't directly attack the various organizations such as US Government Agencies and security vendors, but rather attacks one or more platforms used by those organizations to gain access to them indirectly. Because it can be visualized as poisoning a common "well" of data or software, it is sometimes referred to as a Watering Hole Attack. No matter the term used, the result was that thousands of companies that use Orion had unknowingly downloaded threat actor code when they performed their software updates, leaving them exposed to further attacks at a later date.

This attack code, called SUNBURST by security researchers, notified the threat actors that it had been installed each time a company performed its Orion updates, allowing the attackers to know which companies had been compromised. SUNBURST also installed additional code which permitted the threat actors to remotely access the Orion system at any time, while hiding itself as best it could from monitoring and control software outside of Orion. Because SUNBURST impacted a monitoring and control platform (Orion), and because Orion saw so much of the infected organizations' data and system information, the amount of intelligence this gave the attackers was enormous and made the compromise itself nearly impossible to detect. As the software began to be infected as early as March of 2020, it is possible that many organizations were compromised for well over six months - a staggering amount of time in the cybersecurity world.

Who Perpetrated the Attack?

According to ZDNet, the attack appears to be the work of a Russian nation-state Advanced Persistent Threat (APT) group. While that has yet to be confirmed by official sources, the form of the attack and the sophistication of the SUNBURST malware lend credence to this being a nation-state actor, with Russia's APT39 being the most likely based on unofficial source reporting. The further fact that a large number of US government agencies were among the primary targets of the attack indicates that the attackers are a well-organized, well-funded, and most likely state-sponsored group, lending even more weight to the possibility that APT39 was indeed the responsible party.

Is it Possible this Could Happen Again?

This type of attack - and most notably this attack at this scale - is incredibly rare. While Supply-Chain Attacks do occur, they are generally seen on a much smaller scale, with much smaller software vendors being the conduits for the attack itself. Enterprise software vendors take great care with Identity and Access Control and have multiple monitoring systems and other safeguards to prevent exactly this kind of attack from being successful. Only through extremely sophisticated manipulation of security certificates and no small amount of code wizardry were the attackers able to succeed here - to the point that even seasoned security professionals have expressed amazement at the scale and reach of this attack. Additionally, modern security monitoring can typically detect that this form of data exfiltration (the removal of data from an environment) is happening, meaning that traffic patterns would generally expose the attack in progress; only the obfuscation techniques of spectacularly good threat actors were able to avoid discovery here. While it is possible that this could happen again, it can only happen at this scale with an alarming amount of talent, resources, and time. So, while it can happen, we're unlikely to see another attack of this magnitude in the near future if we're lucky.

What Can You Do to Defend Your Organization?

Watering Hole attacks are extremely difficult to defend against, as your organization is not the primary target of the initial attack at all. Downloading software patches and updates is a mandatory and critical part of cybersecurity, so avoiding patching and updating is simply not an option.

Careful management of vendors to ensure all of your third-party providers maintain good cybersecurity hygiene is a great start in combating this kind of threat activity. Carefully testing and monitoring your network for unusual activity is also critical, as the first sign of incursion may be when the threat actors try to remove data from your environment. This isn't a guarantee that this form of threat can't impact your organization, but it does help to minimize the likelihood that you will fall victim to it.

* Update as of December 17, 2020 *

A consortium of industry vendors including Microsoft and Google has been actively working to circumvent the ability of SUNBURST to successfully activate and attack. Microsoft was able to gain possession and control of a key domain - avsvmcloud[.]com - which the SUNBURST attack binaries use to obtain Command and Control (C&C) information. Without this C&C connectivity, a SUNBURST deployment that has not yet become active within an environment remains in an inactive state. ZDNet has been covering this aspect of the ongoing investigations.

It should be noted that if the SUNBURST system had already been activated, the extent of what it can do after it loses connectivity to the C&C domain is still being investigated. This means that Orion customers who were already infected by SUNBURST may still find the software active within their environment, and should consider the Orion install compromised until definitive proof that it is not can be acquired and confirmed. That being said, if the software has not yet been put into an "active" state by the C&C platform, it appears to remain inert and re-attempt connectivity on a periodic schedule. Since the C&C domain (and any servers SUNBURST would communicate with via that domain) is now under the control of Microsoft, Google, and others, any SUNBURST deployment that has not yet gone active will remain inactive indefinitely.

Customers running the Orion platform are still cautioned that it is - at this moment - not possible to definitively say if any given Orion instance has an activated SUNBURST infection. Security researchers are continuing to determine which Orion installations have been activated, which have downloaded infected patches, and other details. To date, a list of about 100 customers' Orion installs is confirmed to have communicated with the C&C servers, but the discovery project is still ongoing.
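One practical check a defender can run while waiting on the vendor lists above is to search their own DNS query logs for lookups of the sinkholed C&C domain the article names. The following is an added example, not code from the article or from Cymulate: it refangs the indicator as printed here (avsvmcloud[.]com), matches query names on label boundaries so look-alike domains are not false positives, and reports which internal clients resolved the domain or any subdomain of it. The log format and every log line are constructed for the example; adapt the regular expression to your resolver's actual format.

```python
import re
from dataclasses import dataclass

# Indicator taken from the article, written in the defanged form the article uses.
SUNBURST_C2_DOMAINS = ["avsvmcloud[.]com"]

# Constructed log format (assumption): "<timestamp> <client-ip> <query-name> <qtype>".
LOG_LINE = re.compile(r"^(?P<ts>\S+)\s+(?P<client>\S+)\s+(?P<qname>\S+)\s+(?P<qtype>\S+)$")


def refang(indicator: str) -> str:
    """Turn a defanged indicator such as 'avsvmcloud[.]com' into a usable domain name."""
    return indicator.replace("[.]", ".").strip().lower().rstrip(".")


def domain_matches(qname: str, indicator_domain: str) -> bool:
    """True if qname is the indicator domain itself or any subdomain of it.

    Matching is done on label boundaries, so 'notavsvmcloud.com' is not a hit
    while 'abc123.xyz.avsvmcloud.com' is.
    """
    q = qname.strip().lower().rstrip(".")
    return q == indicator_domain or q.endswith("." + indicator_domain)


@dataclass
class DnsHit:
    timestamp: str
    client: str
    qname: str
    indicator: str


def scan_dns_log(log_text: str, indicators=SUNBURST_C2_DOMAINS) -> list:
    """Return one DnsHit per log line whose query name matches an indicator."""
    domains = [refang(i) for i in indicators]
    hits = []
    for line in log_text.splitlines():
        m = LOG_LINE.match(line.strip())
        if not m:
            continue  # skip blank or malformed lines instead of aborting the scan
        for d in domains:
            if domain_matches(m["qname"], d):
                hits.append(DnsHit(m["ts"], m["client"], m["qname"], d))
                break
    return hits


def clients_to_investigate(hits: list) -> list:
    """Distinct client addresses that resolved an indicator, sorted for reporting."""
    return sorted({h.client for h in hits})


# Constructed sample log (not real telemetry). Lines 2 and 4 should be flagged;
# line 3 is a look-alike domain that must NOT be flagged.
SAMPLE_DNS_LOG = """\
2020-12-14T09:12:01Z 10.20.30.40 www.example.com A
2020-12-14T09:12:07Z 10.20.30.41 abc123.xyz.avsvmcloud.com A
2020-12-14T09:12:09Z 10.20.30.42 notavsvmcloud.com A
2020-12-14T09:13:15Z 10.20.30.41 avsvmcloud.com A
2020-12-14T09:14:00Z 10.20.30.43 updates.example.net AAAA
"""

if __name__ == "__main__":
    found = scan_dns_log(SAMPLE_DNS_LOG)
    for h in found:
        print(f"{h.timestamp} {h.client} resolved {h.qname} (matches {h.indicator})")
    print("clients to investigate:", clients_to_investigate(found))
```

A hit tells you which hosts reached out to the sinkholed domain and when, which is the input the vendor "known activated" lists are built from. As the article notes, an absence of hits is not proof of a clean install: an already-activated SUNBURST instance may have been given other communication channels that never touch this domain.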

Contact SolarWinds and/or Microsoft to find out if your install is on the "known activated" list. Activated installs of SUNBURST may remain active even though the C&C servers are now controlled, as the threat actors may have used the system access SUNBURST provided to install additional communication methods that don't rely on the now-controlled C&C systems. We hope to have more information in the coming days and weeks to help with identifying infected instances, and the Cymulate platform will be updated with any new techniques and methodologies used by SUNBURST as soon as the forensic examinations yield new information on how the attack works, spreads, and acts.

Key Takeaways

Supply-chain attacks are difficult to stop and difficult to detect if the threat actors are good at hiding their tracks. Attacks on this scale, however, are generally indicators of nation-state activity, and not something usual or frequent.

If you have SolarWinds Orion or any other SolarWinds platform, you should ensure that it is temporarily shut down until a full analysis of the attack can be performed by SolarWinds themselves. While this may be disruptive, the potential for additional repercussions of this attack coming to light over the next several days means that shutdowns - at least temporarily - are necessary and unavoidable.

All companies should be using continuously updated testing tools - such as Cymulate - to ensure that they are able to test for the latest threat activity. Cymulate already has an Immediate Threats Intelligence simulation available for SUNBURST, and for many other APT39 methodologies seen in the greater digital sphere. While such a test would not have prevented this attack, tools such as Cymulate can definitely allow businesses to immediately know if they are susceptible to these attacks once they have been uncovered, and to defend against the threats that are known and are still wreaking havoc throughout the digital world.

Cymulate Exposure Validation makes advanced security testing fast and easy. When it comes to building custom attack chains, it's all right in front of you in one place.
Mike Humbert, Cybersecurity Engineer
DARLING INGREDIENTS INC.