> series: anatomy_of_a_breach —— part: 144 —— year: 2020 —— verdict: solarwinds_covid_and_the_supply_chain_broke
On 8 December 2020, cybersecurity firm FireEye disclosed that it had been breached by a sophisticated nation-state actor and that its red-team tooling had been stolen. Five days later, on 13 December, FireEye and SolarWinds disclosed the attack vector: a poisoned software update to SolarWinds Orion, a network monitoring platform with approximately 33,000 customers, including a large number of US federal agencies. The compromised update, a trojanised build of the SolarWinds.Orion.Core.BusinessLayer.dll component containing a backdoor dubbed 'Sunburst', had been downloaded by up to approximately 18,000 organisations between March and June 2020. The attackers, attributed to Russia's SVR intelligence service, had spent roughly nine months inside some of the world's most sensitive networks, including the US Departments of the Treasury, Commerce, Homeland Security, State and Energy, as well as private companies including Microsoft, Intel and Deloitte.
SolarWinds was the supply chain attack that NotPetya had foreshadowed, but more sophisticated, more targeted and more patient. Where NotPetya was destructive and indiscriminate, Sunburst was stealthy and selective: after installation the backdoor lay dormant for roughly two weeks, then beaconed over DNS to a per-victim subdomain of avsvmcloud.com, and the attackers pushed second-stage tooling (the Teardrop loader and Cobalt Strike) only into the small number of networks they judged worth the risk, later estimated at around a hundred organisations. Everywhere else the backdoor stayed idle, which is why most of the 18,000 recipients were never actively exploited. The tainted builds shipped from March 2020, giving the attackers roughly nine months of undetected access before FireEye's discovery.
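Two checks a defender would have wanted in December 2020, written here as an added example (not code from the original article, SolarWinds or FireEye): a test of whether an Orion build string is one of the three versions SolarWinds' advisory listed as trojanised, and a scan of DNS logs for first-stage Sunburst beacons to avsvmcloud.com. The affected build list and the beacon domain are from the public advisories; the DNS log format, the host label in the beacon name and the sample log lines are constructed for this example.

```python
"""SUNBURST triage helpers.

Added example; not code from the original article or from SolarWinds/FireEye.
Facts used: the affected Orion builds (2019.4 HF 5, 2020.2, 2020.2 HF 1) and
the beacon domain avsvmcloud.com come from the public advisories. The DNS log
format and every sample line below are constructed for this example.
"""
import re

# Orion Platform builds that shipped the trojanised
# SolarWinds.Orion.Core.BusinessLayer.dll, per SolarWinds' advisory.
AFFECTED_ORION_BUILDS = {"2019.4 HF 5", "2020.2", "2020.2 HF 1"}

# SUNBURST's first-stage beacon went to a DGA-generated label under
# appsync-api.<region>.avsvmcloud.com (the domain was later sinkholed).
BEACON_DOMAIN = "avsvmcloud.com"

# Constructed log format: "<timestamp> <client_ip> <query_name> <query_type>"
DNS_LINE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)\s+(\S+)$")

# Constructed sample lines. The long host label is invented; the real beacon
# labels encoded the victim's AD domain, so every infected host used a
# different one, which is why the check below matches the parent domain.
SAMPLE_DNS_LOG = [
    "2020-06-03T10:12:44Z 10.20.1.15 www.solarwinds.com A",
    "2020-06-03T10:13:02Z 10.20.1.15 k5kcubuassl3alrf7gm3.appsync-api.eu-west-1.avsvmcloud.com A",
    "2020-06-03T10:13:05Z 10.20.1.22 updates.microsoft.com A",
    "2020-06-03T10:14:31Z 10.20.1.40 notavsvmcloud.com A",
]


def _build_key(version: str) -> str:
    """Normalise '2020.2 hf 1', '2020.2HF1' and '2020.2 HF 1' to one form."""
    return "".join(version.upper().split())


def is_affected_orion_build(version: str) -> bool:
    """True if the Orion build string is one SolarWinds listed as trojanised.

    Only an exact build match counts: 2020.2.1 HF 1, the first clean release
    SolarWinds shipped after disclosure, must not be flagged.
    """
    affected = {_build_key(b) for b in AFFECTED_ORION_BUILDS}
    return _build_key(version) in affected


def find_sunburst_beacons(log_lines):
    """Return (client_ip, query_name) for every query under avsvmcloud.com.

    Matches the registered domain and any subdomain of it, but not look-alike
    names such as notavsvmcloud.com. Lines that do not fit the constructed
    log format are skipped rather than raising.
    """
    hits = []
    for line in log_lines:
        m = DNS_LINE.match(line.strip())
        if not m:
            continue
        _ts, client_ip, qname, _qtype = m.groups()
        name = qname.rstrip(".").lower()
        if name == BEACON_DOMAIN or name.endswith("." + BEACON_DOMAIN):
            hits.append((client_ip, name))
    return hits


if __name__ == "__main__":
    for build in ("2019.4 HF 5", "2020.2", "2020.2 HF 1", "2020.2.1 HF 1"):
        print(f"{build:15} affected={is_affected_orion_build(build)}")
    for client_ip, name in find_sunburst_beacons(SAMPLE_DNS_LOG):
        print(f"beacon from {client_ip}: {name}")
```

Because the backdoor waited roughly twelve to fourteen days before its first beacon, and the tainted builds were installed from March 2020 onwards, the DNS search has to cover the whole March to December 2020 window; a query over the last few days of logs would miss a host that beaconed once in the spring and then sat idle.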
| # | Breach | Key Lesson |
|---|---|---|
| 133 | Microsoft 250M | Even Microsoft misconfigures Elasticsearch. Configuration is universal risk. |
| 134 | Clearview AI | 3B photos scraped. Surveillance company breached. £7.5M ICO fine. |
| 135 | COVID-19 Remote Working | The pandemic expanded the global attack surface overnight. Permanently. |
| 136 | Zoom Security | 10M to 300M users. Security wasn't invited. Zoombombing, fake encryption. |
| 137 | EasyJet | UK: 9M customers. Second UK airline after BA. £18B class action filed. |
| 138 | Blackbaud | UK charities, universities, NHS trusts. Paid ransom. Misled on scope. |
| 139 | Twitter Hack | Obama, Biden, Musk. A 17-year-old. A phone call. Social engineering wins. |
| 140 | Garmin WastedLocker | Aviation offline. $10M to sanctioned group. Safety-critical services downed. |
| 141 | Düsseldorf Hospital | Patient died. Ransomware kills. Nine months after the VPN patch. |
| 142 | Hackney Council | UK: 280,000 residents. Two-year recovery. Most severe UK council attack. |
| 143 | Manchester United | UK: Premier League club. Segmentation saved matchday. Refused to pay. |
| 144 | SolarWinds + Year Review | 18,000 orgs. 9 months. US government. Russia. The supply chain broke. |
SolarWinds represented the culmination of every supply chain attack documented in this series, from RSA SecurID (2011) through Target's HVAC vendor (2013), NotPetya's M.E.Doc update (2017), Ticketmaster's chatbot script (2018) and Blackbaud's charity data (2020). But SolarWinds was different in scale (18,000 organisations), sophistication (the backdoor was compiled into a genuine Orion build and signed with SolarWinds' own code-signing certificate, so every signature check passed), stealth (nine months of undetected access) and impact (US government agencies compromised). The software supply chain, the mechanism designed to keep you secure, had become the most dangerous attack vector.
With 144 articles spanning twelve years, this series has documented the complete arc from lost CDs to nation-state supply chain attacks, from £1,000 ICO fines to hundreds of millions in GDPR penalties, from data theft to ransomware that kills. The controls remain the same: penetration testing, Cyber Essentials certification, SOC in a Box monitoring, and incident response capability. Twelve years of evidence. One conclusion. The organisations that implement these controls survive. The rest fill these pages.
<a href="/penetration-testing">Test</a>. <a href="/cyber-essentials">Certify</a>. <a href="https://www.socinabox.co.uk">Monitor</a>. <a href="https://www.cyber-defence.io">Prepare</a>. Because twelve years of evidence demands nothing less.
We'll scope your test for free and tell you exactly what you need. No obligation, no hard sell.
Free Scoping Call