The SolarWinds investigation has produced enough public detail in the past three months to write a fuller account of what the campaign was. The CISA-and-FBI joint statement of January 5, the subsequent CISA alerts through January and February, the various private-sector disclosures, and the Microsoft Threat Intelligence Center's analysis through February (Microsoft on Solorigate / Nobelium, February 18), have collectively produced a substantive picture of the campaign's structure that the December initial disclosure could not.
The scope. Nine US federal agencies have been confirmed compromised, among them Treasury, Commerce, State, Energy, Justice, the Department of Homeland Security, the National Nuclear Security Administration (under DOE) and the National Institutes of Health (under HHS), with several others. Approximately 100 private-sector organisations are publicly confirmed; the actual number is larger, and public disclosure is being driven by individual organisations as they complete their investigations. The affected population includes substantial security firms (FireEye, whose disclosure triggered the wider investigation, and CrowdStrike, whose detection of related activity contributed to the picture), substantial cloud-services providers (Microsoft itself, with limited internal exposure), and substantial enterprise customers across multiple sectors.
The operator behaviour. The SUNBURST backdoor was selective rather than indiscriminate — the malicious code in the SolarWinds Orion update activated only on certain victim environments based on operational criteria, with most affected SolarWinds customers receiving the backdoored update but not being subject to subsequent operator activity. The selection criteria appear to have prioritised high-value targets matching the operator's intelligence-collection priorities. The post-compromise activity at selected targets included substantial dwell time, careful operational tradecraft (use of legitimate cloud services for command-and-control to blend with legitimate traffic, careful credential-harvesting and lateral movement, avoidance of high-noise techniques), and the exfiltration of specific email-and-document content from selected mailboxes rather than wholesale data theft.
The implant ecosystem. SUNBURST was one component; subsequent analysis has identified additional implants associated with the same operator cluster: TEARDROP and RAINDROP, post-compromise tools used for further lateral movement; GOLDMAX and related Mac-targeting variants; and SUNSPOT, the build-system implant used to inject SUNBURST into the SolarWinds Orion build pipeline. The build-system implant is the most operationally instructive part of the campaign. The operator obtained access to SolarWinds' internal build infrastructure, deployed an implant that monitored the build process for Orion, and injected the SUNBURST malware into the compiled output of legitimate Orion builds. The injection was sufficiently subtle that SolarWinds' own internal review processes did not detect it for several months.
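The defensive counterpart to a build-time source substitution of this kind is a source-tree integrity check that runs immediately before compilation, one of the build-system-integrity disciplines this post returns to below. The following is an added illustration, not SolarWinds' or any vendor's code: it records a hash manifest of the reviewed source tree, then reports any file that was added, removed or altered on the build host before the compiler reads it. The file names and the "substituted" content are constructed for the demonstration; the manifest is assumed to be stored off the build host (in version control or a signing service) so that an implant on the builder cannot rewrite both the tree and the reference.

```python
"""Pre-compilation source-tree integrity check (added example, not vendor code)."""
import hashlib
import tempfile
from pathlib import Path


def sha256_file(path: Path) -> str:
    """Stream a file through SHA-256 so large sources do not need to fit in memory."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_manifest(root: Path, suffixes=(".cs", ".c", ".py")) -> dict:
    """Hash every source file under root, keyed by its POSIX-style relative path."""
    return {
        p.relative_to(root).as_posix(): sha256_file(p)
        for p in sorted(root.rglob("*"))
        if p.is_file() and p.suffix in suffixes
    }


def verify_tree(root: Path, expected: dict) -> dict:
    """Compare the tree about to be compiled against the manifest recorded at review time."""
    actual = build_manifest(root)
    return {
        "added": sorted(set(actual) - set(expected)),
        "removed": sorted(set(expected) - set(actual)),
        "modified": sorted(k for k in expected if k in actual and actual[k] != expected[k]),
    }


def demo() -> dict:
    """Constructed scenario: record the manifest, then swap one source file before the build."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "src").mkdir()
        (root / "src" / "Collector.cs").write_text("class Collector {}\n")   # constructed
        (root / "src" / "Main.cs").write_text("class Main {}\n")             # constructed
        expected = build_manifest(root)            # what reviewers signed off on
        assert verify_tree(root, expected) == {"added": [], "removed": [], "modified": []}
        # Simulate a build-host implant replacing a single file just before compilation.
        (root / "src" / "Collector.cs").write_text("class Collector { /* substituted */ }\n")
        return verify_tree(root, expected)


if __name__ == "__main__":
    print(demo())  # reports src/Collector.cs as modified
```

The check only helps if the build aborts on a non-empty report and the manifest itself is produced from the reviewed commit rather than from the build host.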
The customer-portfolio response work continues. The audit cycle through Q1 against the broader software-bill-of-materials at customer organisations has produced several findings that are not directly related to SolarWinds but that have surfaced supply-chain risks the customer organisations had not previously documented. The work is operationally valuable in itself even where the specific findings are routine.
For the strategic conclusions, three things are settling.
First, the supply-chain-attack pattern is now operationally central to customer-organisation threat modelling. The defensive disciplines (vendor security verification, software-bill-of-materials, build-system integrity, update-channel monitoring) require sustained investment and are a significant fraction of the customer-organisation programme work for 2021 and beyond.
Second, state-actor capability against widely-deployed enterprise infrastructure is greater than 2019's customer-organisation conversations had typically envisaged. The combination of supply-chain compromise, careful targeting, sustained dwell time, and operational tradecraft is consistent with what the threat-intelligence community has been describing for years, but had not, prior to SolarWinds, been demonstrated at this scale and clarity. The customer-organisation threat-modelling for 2021 will incorporate state-actor capability as a more central component.
Third, the detection-and-response posture across the customer base needs to assume more capable adversary tradecraft than the previous baseline: comprehensive logging-and-retention to support post-incident hunt activity, behavioural analytics on identity-and-access patterns, and integration of threat-intelligence at the operational level. The disciplines are not new; the operational urgency is sharpened.
The book project — the GDPR-era operational discipline book — has, in editing, gained an unplanned chapter on supply-chain risk that I drafted in late January and integrated through February. The publication date has slipped from May to June as a consequence; the addition is worth the slippage.