It was supposed to be a routine update to a SolarWinds product called Orion, but instead, the download spread a piece of malware called “Sunburst” dropped by Russian Foreign Intelligence Service hackers.
In all, the September 2019 update delivered the malware to more than 18,000 SolarWinds customers, including highly sensitive government agencies like the Departments of the Treasury and Homeland Security, leaving the Russians with a secret backdoor to compromise organizations at their leisure.
Panic quickly spread, particularly throughout the US government.
Worse yet, despite the malware sitting on systems since late 2019, the campaign wasn’t discovered until March 2020, setting off a firestorm of Congressional hearings, Executive Orders, and aggressive crisis PR efforts. It even landed SolarWinds chief information security officer (CISO) Tim Brown personally in the crosshairs of the SEC.
For its part, SolarWinds stood firmly behind Brown and vigorously defended him and the company against proposed enforcement action from the Securities and Exchange Commission (SEC). The SEC accused Brown of fraudulently claiming the organization had controls in place, when in reality, investigators said, no controls were there.
Even impacted SolarWinds customers were fined millions by the SEC (the largest fine hit $4 million) for intentionally trying to minimize the impact of the breach in their public disclosures.
The company and Brown were ultimately vindicated in court, much to the relief of CISOs everywhere concerned they too could be held personally liable for a breach of their organization. By February 2025, SolarWinds had been taken private for $4.4 billion, well out of reach of SEC regulators.
In the six years since the incident, the cybersecurity sector has gained a far more nuanced understanding of how software supply chains can present hidden attack vectors, and how to harden systems against increasingly sophisticated nation-state actors. Importantly, the incident provided a model for how organizations can weather massive fallout after compromise that lands them in international headlines, and make it to the other side of controversy intact.
SolarWinds was a gut punch to the cybersecurity sector, but the hard lessons learned will continue to prompt questions of liability for defenders and CISOs for decades to come.

