Inside the SolarWinds Breach

Kim Zetter, Wired:

As summer turned to fall, behind closed doors, suspicions began to grow among people across government and the security industry that something major was afoot. But the government, which had spent years trying to improve its communication with outside security experts, suddenly wasn’t talking. Over the next few months, “people who normally were very chatty were hush-hush,” a former government worker says. There was a rising fear among select individuals that a devastating cyber operation was unfolding, he says, and no one had a handle on it.

In fact, the Justice Department and Volexity had stumbled onto one of the most sophisticated cyberespionage campaigns of the decade. The perpetrators had indeed hacked SolarWinds’ software. Using techniques that investigators had never seen before, the hackers gained access to thousands of the company’s customers. Among the infected were at least eight other federal agencies, including the US Department of Defense, Department of Homeland Security, and the Treasury Department, as well as top tech and security firms, including Intel, Cisco, and Palo Alto Networks—though none of them knew it yet. Even Microsoft and Mandiant were on the victims list.

Zetter’s thorough investigation into the circumstances of the 2020 SolarWinds breach — including her previously reported story about the FBI’s foreknowledge — is worth your time. It is also a reminder to me that the circumstances of Bloomberg’s Supermicro story, another supposed supply chain compromise, remain mysteriously uncorroborated and without similar on-the-record journalism.