Here’s a thought experiment. You want to break into a building. You could try picking the lock on each of 18,000 individual doors. Or — if you’re creative about it — you could compromise the company that makes the master key and have them hand it out for you.
That’s what happened with SolarWinds.
What SolarWinds Is
SolarWinds makes Orion — IT monitoring software used by organizations to keep an eye on their networks, servers, and infrastructure. It’s the kind of tool that sits deep in a company’s environment with broad visibility and elevated access. Exactly the kind of software you’d want if you were trying to get inside a lot of organizations at once and stay invisible while you did it.
33,000 organizations used Orion. Among them: the US Treasury, the Department of Homeland Security, the State Department, NATO, Microsoft, Intel, and several cybersecurity companies — including FireEye, which is where the story eventually unraveled.
What Actually Happened
Sometime in 2019 — possibly earlier — Russian intelligence (specifically SVR, the foreign intelligence service, also known as Cozy Bear) found a way into SolarWinds’ software build environment. The build environment is where code gets compiled, packaged, and turned into the update files that get distributed to customers.
They inserted malicious code into that process. The code — later named SUNBURST — was carefully crafted to look like a legitimate part of the software. It was signed with SolarWinds’ own digital certificate, meaning it appeared to every security tool that checked as an authentic, trusted SolarWinds update.
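The point in that paragraph is easy to miss: a valid signature proves that the vendor's release step signed the file, not that the file matches what the vendor's developers wrote. The following added example (not from the article, and not SolarWinds or SUNBURST code) models that gap with a toy build pipeline. The signing key, source tree, file names and injected fragment are all constructed; HMAC stands in for a code-signing certificate so the example runs with the standard library only. A compromised build step injects code before signing, the signature still verifies, and only a second check against an independently rebuilt hash of the published source catches the difference.

```python
import hashlib
import hmac

# Constructed stand-in for a vendor's code-signing key. Real code signing uses
# an asymmetric certificate; an HMAC key plays the same role here (only the
# key holder can produce a valid signature) and keeps the example stdlib-only.
VENDOR_SIGNING_KEY = b"constructed-vendor-signing-key"

# Constructed source tree for the product: path -> contents.
SOURCE_TREE = {
    "monitor/collector.py": b"def collect():\n    return poll_agents()\n",
    "monitor/report.py": b"def report(data):\n    return render(data)\n",
}

# Constructed fragment appended by a compromised build step. It stands in for
# the idea of injected code; it is not the real implant.
INJECTED_CODE = b"# injected by compromised build step\n"


def build(source_tree, compromised=False):
    """Compile-and-package stand-in: concatenates the source files in a
    deterministic order. A compromised build injects extra code that is not
    present in the source repository."""
    artifact = b""
    for path in sorted(source_tree):
        artifact += b"--- " + path.encode() + b"\n" + source_tree[path]
        if compromised and path.endswith("collector.py"):
            artifact += INJECTED_CODE
    return artifact


def sign(artifact, key=VENDOR_SIGNING_KEY):
    """The release step signs whatever the build produced."""
    return hmac.new(key, artifact, hashlib.sha256).hexdigest()


def signature_valid(artifact, signature, key=VENDOR_SIGNING_KEY):
    """What a customer's security tooling checks: did the vendor sign this?"""
    return hmac.compare_digest(sign(artifact, key), signature)


def sha256_hex(data):
    return hashlib.sha256(data).hexdigest()


def verify_update(artifact, signature, expected_sha256):
    """Two independent checks on an incoming update:
    - origin: the vendor's signature verifies;
    - build integrity: the artifact hash matches a hash produced by an
      independent (reproducible) build of the published source.
    Returns both verdicts so they can be inspected separately."""
    return {
        "signature_valid": signature_valid(artifact, signature),
        "matches_independent_build": sha256_hex(artifact) == expected_sha256,
    }


def demo():
    # Hash of an independent build of the same source, e.g. by the customer
    # or an auditor, pinned before the update arrives.
    independent_hash = sha256_hex(build(SOURCE_TREE))

    clean = build(SOURCE_TREE)
    tampered = build(SOURCE_TREE, compromised=True)

    # Both artifacts leave the vendor's release step with a genuine signature.
    clean_result = verify_update(clean, sign(clean), independent_hash)
    tampered_result = verify_update(tampered, sign(tampered), independent_hash)
    return clean_result, tampered_result


if __name__ == "__main__":
    clean, tampered = demo()
    print("clean update:   ", clean)
    print("tampered update:", tampered)
```

The design choice worth noting is that the two checks answer different questions. Signature verification answers "who signed this?" and is defeated the moment the build environment is controlled by someone else. The hash comparison answers "is this what the source actually produces?" and only works if someone outside the vendor's pipeline can rebuild the artifact deterministically, which is what reproducible-build efforts aim for.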
In March 2020, SolarWinds pushed an Orion software update to its customers. 18,000 of them installed it. Every one of them had just invited SUNBURST into their environment.
The malware lay dormant for two weeks before activating — long enough that analysts would be unlikely to connect any odd behavior back to the update. Then it quietly began communicating with command-and-control servers via traffic carefully designed to look like normal Orion activity. The attackers moved through networks slowly, carefully, choosing which targets to prioritize for deeper access.
They were inside US government networks for most of 2020. The breach wasn’t discovered until December, when FireEye noticed that its own red team hacking tools had been stolen — and started pulling that thread.
Now About That Password
While investigators were piecing together the SolarWinds story, a security researcher named Vinoth Kumar made a separate discovery. He found that SolarWinds had a publicly accessible server — sitting on the open internet — protected by the password solarwinds123.
He reported it to SolarWinds in November 2019.
When this came out publicly during congressional testimony in 2021, SolarWinds’ CEO Sudhakar Ramakrishna explained that the password had been set by an intern. The intern, he clarified, had been told not to do this. The intern did it anyway.
The intern is no longer an intern at SolarWinds.
Here’s the part worth sitting with: SolarWinds sells software designed to monitor and manage other organizations’ IT security. The company whose entire value proposition is watching over your network had a publicly exposed server with a password a toddler could guess, set by someone who had been there for three months, that sat exposed for over a year before anyone noticed it.
Whether that specific password was the entry point for the SUNBURST attackers has never been definitively confirmed — SolarWinds maintains the credentials were for a third-party application. But that almost doesn’t matter. It tells you what the security culture looked like inside the company that was quietly distributing malware to 18,000 organizations.
A Note on Kaseya
SolarWinds wasn’t alone. In July 2021, a ransomware group called REvil executed a nearly identical concept against Kaseya — a company that makes remote monitoring and management software used by IT service providers.
They exploited a zero-day vulnerability in Kaseya’s platform and used it to push ransomware downstream to Kaseya’s customers — and their customers’ customers. Roughly 1,500 businesses were hit. REvil demanded $70 million for a universal decryption key.
Eight hundred Coop supermarket stores in Sweden had to close for nearly a week because their checkout systems — managed through an MSP using Kaseya — were encrypted. People showed up for groceries and found dark stores with handwritten signs. Over ransomware.
The FBI quietly obtained the decryption key and eventually shared it. A Ukrainian national was later arrested and charged.
Two separate attacks, same underlying concept: don’t hack the target. Hack the thing the target trusts.
What This Means for You
Ask what software you’re running and where it phones home. Every piece of software in your environment is a potential supply chain risk. That doesn’t mean you stop using software — it means you should know what you’re running, whether it’s being kept current, and whether the vendor has a decent security track record.
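"Where it phones home" is the one part of this advice that turns directly into a check. The article's own point about the SUNBURST traffic being shaped to look like normal Orion activity means content inspection is a weak signal; the destination is a stronger one, because a monitoring server has a small, documentable set of vendor endpoints it should ever talk to. The added example below (not from the article; all host names, domains and log lines are constructed) parses egress log lines and flags any destination for a baselined host that is not on the vendor's documented list, with first-seen time, hit count and byte volume so an analyst can triage it.

```python
import re
from collections import defaultdict

# Constructed egress/proxy log lines: timestamp, source host, destination, bytes.
# Every host and domain here is made up for the example.
SAMPLE_LOG = """\
2020-03-20T02:00:01Z orion-01 updates.example-monitoring-vendor.test 48213
2020-03-20T02:15:09Z orion-01 telemetry.example-monitoring-vendor.test 1024
2020-03-20T02:30:11Z orion-01 telemetry.example-monitoring-vendor.test 1036
2020-04-04T03:00:02Z orion-01 api.unrelated-cloud.test 512
2020-04-04T03:10:02Z orion-01 api.unrelated-cloud.test 518
2020-04-04T03:20:03Z orion-01 api.unrelated-cloud.test 509
2020-03-20T09:12:44Z laptop-17 news.example.test 80211
"""

# Per-host egress baseline: the endpoints the vendor documents for its product.
# In a real deployment this comes from the vendor's docs; constructed here.
EXPECTED_DESTINATIONS = {
    "orion-01": {
        "updates.example-monitoring-vendor.test",
        "telemetry.example-monitoring-vendor.test",
    },
}

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\d+)$")


def parse_log(text):
    """Yield (timestamp, host, destination, bytes) tuples; skip malformed lines."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            ts, host, dest, nbytes = m.groups()
            yield ts, host, dest, int(nbytes)


def unexpected_egress(log_text, expected=EXPECTED_DESTINATIONS):
    """For each host that has a documented egress baseline, return the
    destinations that are not on it, keyed by (host, destination), with the
    first time seen, number of connections and total bytes.

    Hosts without a baseline are ignored on purpose: a user laptop browsing
    the web is noise here, while a monitoring server reaching a new endpoint
    is exactly the question this check asks."""
    findings = defaultdict(lambda: {"first_seen": None, "count": 0, "bytes": 0})
    for ts, host, dest, nbytes in parse_log(log_text):
        if host not in expected or dest in expected[host]:
            continue
        f = findings[(host, dest)]
        # ISO-8601 timestamps in one zone sort lexically, so min() works.
        f["first_seen"] = ts if f["first_seen"] is None else min(f["first_seen"], ts)
        f["count"] += 1
        f["bytes"] += nbytes
    return {key: dict(val) for key, val in findings.items()}


if __name__ == "__main__":
    for (host, dest), info in unexpected_egress(SAMPLE_LOG).items():
        print(f"{host} -> {dest}: first seen {info['first_seen']}, "
              f"{info['count']} connections, {info['bytes']} bytes")
```

Running it on the constructed log reports the single off-baseline destination for orion-01 and says nothing about the laptop. The useful part of the output is the first-seen timestamp: a new destination that appears shortly after an update window is the kind of thing worth asking the vendor about, and a baseline that is reviewed whenever the vendor changes its documented endpoints keeps the check from rotting into an ignored alert.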
Your software vendors are part of your attack surface. Just like the Target HVAC vendor story, the question isn’t just “did we get hacked?” It’s “could someone get to us through something we trust?” Software updates, managed service providers, monitoring tools — all of them have access. All of them are worth thinking about.
MFA and least-privilege still matter, even here. The reason SolarWinds caused so much damage is that Orion had broad access to customer environments. Organizations that had segmented their networks and applied least-privilege access to monitoring tools were harder targets. You can’t always prevent a supply chain compromise. You can limit what an attacker finds when they arrive.
Check your vendors’ security posture. Not just your HVAC contractor — your software vendors too. Do they have a responsible disclosure program? Do they publish security advisories? Have they had breaches before, and how did they handle them? These aren’t paranoid questions. They’re the same questions your auditors will eventually ask you.
The most sophisticated cyberattack in US history didn’t start with a nation-state hacking the Pentagon. It started with getting inside the company that sells the Pentagon its monitoring software, and waiting for the next update cycle.
Your most trusted tools are also your most trusted attack surface. That’s not a reason to panic. It’s a reason to ask better questions.