Fortune - USA (2021-02 & 2021-03)

BEARS’ LAIR? The Moscow headquarters of the SVR intelligence agency, whose “Cozy Bear” cyber unit is one suspect in the SolarWinds hack.

SEPT. 4, 2019


SolarWinds, an Austin-based software company, is compromised. Engineering done for SolarWinds by subcontractors in Eastern Europe is one possible source of the breach.

The hackers implant malware into the build process for Orion, SolarWinds' IT infrastructure monitoring and management platform, so that it is compiled into official Orion software updates. This malware, dubbed “Sunburst,” is a so-called backdoor: once an update carrying it is installed, it lets the hackers monitor the host and, at their option, push further tools into the network it runs on.


MARCH–JUNE 2020

SolarWinds believes that 18,000 Orion customers downloaded a software update that included the Sunburst backdoor during this period. Because the update arrives through SolarWinds' normal distribution channel and is signed with SolarWinds' own code-signing certificate, it passes every check a trusted vendor update is expected to pass; even vigilant security teams see nothing to suggest anything is amiss.

DEC. 11

The hackers, using stolen credentials, attempt to register a new device for multifactor authentication on a FireEye employee's account. The enrollment generates a notification, and the employee does not recognize the device; that anomaly tips off the cybersecurity company FireEye to the intrusion. Two days later, it publicly reports the hack.
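The detection that caught this intrusion was an MFA device enrollment that did not fit the account's history. The following is an added example, not code from Fortune, FireEye or any identity provider, of that check run over a constructed audit log: an enrollment is flagged when its source IP or user agent has no sign-in history for that user in the prior 30 days. The log format, event names (`login.success`, `mfa.device.enroll`) and field names are assumptions for the illustration.

```python
# Added example: flag MFA device enrollments that do not match the user's
# sign-in history. Log format, event names and field names are assumptions
# for this illustration, not the schema of any real identity provider.
import json
from datetime import datetime, timedelta

# Constructed sample of an identity-provider audit log (JSON lines).
# "alice" normally signs in from 203.0.113.x on macOS; on Dec. 11 an
# unfamiliar Windows client logs in and immediately enrolls a new device.
SAMPLE_LOG = """
{"ts": "2020-11-20T08:30:00Z", "user": "bob", "event": "login.success", "ip": "198.51.100.7", "ua": "Firefox/84 Windows"}
{"ts": "2020-12-01T09:02:11Z", "user": "alice", "event": "login.success", "ip": "203.0.113.10", "ua": "Chrome/87 macOS"}
{"ts": "2020-12-03T08:58:40Z", "user": "alice", "event": "login.success", "ip": "203.0.113.10", "ua": "Chrome/87 macOS"}
{"ts": "2020-12-07T10:15:02Z", "user": "alice", "event": "login.success", "ip": "203.0.113.11", "ua": "Chrome/87 macOS"}
{"ts": "2020-12-10T14:22:09Z", "user": "bob", "event": "login.success", "ip": "198.51.100.7", "ua": "Firefox/84 Windows"}
{"ts": "2020-12-10T14:25:30Z", "user": "bob", "event": "mfa.device.enroll", "ip": "198.51.100.7", "ua": "Firefox/84 Windows", "device": "phone-2"}
{"ts": "2020-12-11T03:41:57Z", "user": "alice", "event": "login.success", "ip": "192.0.2.55", "ua": "Chrome/86 Windows"}
{"ts": "2020-12-11T03:43:12Z", "user": "alice", "event": "mfa.device.enroll", "ip": "192.0.2.55", "ua": "Chrome/86 Windows", "device": "phone-9"}
"""

LOOKBACK = timedelta(days=30)


def parse_log(text):
    """Parse JSON lines into dicts with a datetime 'ts', sorted by time."""
    events = []
    for line in text.strip().splitlines():
        if not line.strip():
            continue
        e = json.loads(line)
        e["ts"] = datetime.strptime(e["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append(e)
    return sorted(events, key=lambda e: e["ts"])


def flag_suspicious_enrollments(events, lookback=LOOKBACK, recent=timedelta(days=1)):
    """Return enrollments whose source IP or user agent has no successful
    sign-in history for that user in [ts - lookback, ts - recent].

    The 'recent' exclusion matters: an attacker holding stolen credentials
    signs in minutes before enrolling, so the enrollment's own session must
    not count as history. Accounts with no history at all are also flagged;
    tune or whitelist first-day onboarding if that is too noisy.
    """
    findings = []
    for e in events:
        if e["event"] != "mfa.device.enroll":
            continue
        window_start = e["ts"] - lookback
        window_end = e["ts"] - recent
        history = [h for h in events
                   if h["user"] == e["user"] and h["event"] == "login.success"
                   and window_start <= h["ts"] <= window_end]
        known_ips = {h["ip"] for h in history}
        known_uas = {h["ua"] for h in history}
        reasons = []
        if e["ip"] not in known_ips:
            reasons.append("ip not seen for user in prior %d days" % lookback.days)
        if e["ua"] not in known_uas:
            reasons.append("user agent not seen for user in prior %d days" % lookback.days)
        if reasons:
            findings.append({"user": e["user"], "ts": e["ts"].isoformat(),
                             "ip": e["ip"], "device": e["device"], "reasons": reasons})
    return findings


if __name__ == "__main__":
    for finding in flag_suspicious_enrollments(parse_log(SAMPLE_LOG)):
        print(json.dumps(finding))
```

On the constructed log, bob's enrollment from his usual address and browser is silent, while alice's enrollment from an address and client never seen on her account is reported with both reasons. In production this rule is paired with a notification to the account owner, which is exactly the step that surfaced the intrusion here: the machine flags the anomaly, the human confirms the device is not theirs.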

DEC. 19

FireEye reports that more than 1,000 infiltrated systems have been beaconing to a command-and-control server operated by the hackers. That channel gives them the option to penetrate further by stealing internal users' credentials, which in turn unlock access to more systems.

Microsoft says about 40 of its own customers were attacked. An Amazon internal report later pegs the total of impacted firms and agencies at more than 250. Those reports have not named the victims, but Microsoft reported that 44% of the escalation targets it detected were in the IT sector, 18% were in government, 19% were NGOs or think tanks, and 9% were government contractors. The follow-on attacks appear to have mainly targeted email systems; their full extent is unknown.
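Systems "pinging" a command-and-control server are detectable from the network side because an implant checks in on a timer, and timers leave a signature: near-constant gaps between connections to a destination few other hosts talk to. The following is an added example, not code from Fortune, FireEye or SolarWinds, of that heuristic run over constructed proxy log lines; the log format, host names, domains and thresholds are assumptions for the illustration and bear no relation to the real Sunburst infrastructure.

```python
# Added example: find (source host, destination) pairs whose connections
# recur at near-fixed intervals and whose destination is rare across the
# fleet. Log format, names and thresholds are assumptions for this example.
import statistics
from collections import defaultdict
from datetime import datetime, timedelta

BASE = datetime(2020, 12, 18, 9, 0, 0)


def _expand(src, dst, gaps):
    """Turn a list of inter-connection gaps (seconds) into log lines."""
    t, lines = BASE, []
    for g in [0] + gaps:
        t += timedelta(seconds=g)
        lines.append("%s src=%s dst=%s" % (t.strftime("%Y-%m-%dT%H:%M:%SZ"), src, dst))
    return lines


# Constructed proxy log. orion-01 checks in with a rare domain roughly every
# ten minutes with small jitter; its other traffic is irregular; the time
# server is periodic but contacted by most hosts; ws-22 touches the rare
# domain only twice, below the minimum hit count.
SAMPLE_LINES = (
    _expand("orion-01", "sync.c2.example.net",
            [600, 612, 593, 605, 598, 610, 601, 596, 607, 599, 603, 594])
    + _expand("orion-01", "portal.example.com",
              [45, 1800, 320, 2400, 90, 3000, 150, 700, 2900, 60, 1200, 400])
    + _expand("ws-05", "portal.example.com", [30, 900, 2500, 70, 1300, 400, 3200, 55])
    + _expand("ws-31", "portal.example.com", [120, 60, 2800, 900, 30, 1700, 300, 2200])
    + _expand("ws-17", "time.example.org", [3600] * 12)
    + _expand("ws-22", "time.example.org", [3600] * 12)
    + _expand("ws-05", "time.example.org", [3600] * 12)
    + _expand("orion-01", "time.example.org", [3600] * 12)
    + _expand("ws-22", "sync.c2.example.net", [600])
)


def parse(lines):
    """Group timestamps by (src, dst); also return the set of all sources."""
    by_pair = defaultdict(list)
    sources = set()
    for line in lines:
        ts_s, src_s, dst_s = line.split()
        ts = datetime.strptime(ts_s, "%Y-%m-%dT%H:%M:%SZ")
        src, dst = src_s.split("=", 1)[1], dst_s.split("=", 1)[1]
        by_pair[(src, dst)].append(ts)
        sources.add(src)
    return by_pair, sources


def find_beacons(lines, min_hits=8, max_cv=0.1, max_share=0.5):
    """Flag pairs with >= min_hits connections whose inter-connection gaps
    have a coefficient of variation <= max_cv (low jitter), unless the
    destination is contacted by more than max_share of all hosts."""
    by_pair, sources = parse(lines)
    dst_hosts = defaultdict(set)
    for (src, dst) in by_pair:
        dst_hosts[dst].add(src)
    findings = []
    for (src, dst), stamps in by_pair.items():
        if len(stamps) < min_hits:
            continue
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        mean = statistics.mean(gaps)
        cv = statistics.pstdev(gaps) / mean if mean else float("inf")
        if cv > max_cv:
            continue
        if len(dst_hosts[dst]) / len(sources) > max_share:
            continue  # regular but fleet-wide: NTP, update mirrors, telemetry
        findings.append({"src": src, "dst": dst, "hits": len(stamps),
                         "period_s": round(mean), "cv": round(cv, 3)})
    return findings


if __name__ == "__main__":
    for finding in find_beacons(SAMPLE_LINES):
        print(finding)
```

On the constructed log only orion-01's ten-minute check-ins with the rare domain survive all three filters. The rarity filter is the weak point: when every server running the same product beacons to the same domain, the destination looks fleet-wide, so this heuristic is best combined with domain age and reputation and with an allowlist of known periodic services rather than used alone.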

DEC. 31

Microsoft announces that the SolarWinds hackers accessed the internal source code that underlies some of its software. To date, there is no indication that anything was tampered with or that customer data was stolen.

JAN. 5, 2021

A group of U.S. intelligence agencies issues a statement saying that “an Advanced Persistent Threat (APT) actor, likely Russian in origin,” is responsible for the attack. Some experts suspect the SVR, the Russian foreign intelligence service associated with the Cozy Bear hacking team. Russia denies involvement.

JAN. 10

The Cybersecurity and Infrastructure Security Agency says “fewer than 10” federal agencies were impacted by the compromised Orion patch. Affected agencies reportedly include the Department of Homeland Security, the Treasury Department, and the State Department. Microsoft email accounts at the Department of Justice are compromised, though the DOJ says there is no indication that classified systems were breached.

JAN. 12

Email security firm Mimecast reports that it has also been compromised by way of Orion. It says about 4,000 of its customers were “potentially affected,” but only a “low single-digit” number of customers were targeted.

TIMELINE OF A CYBERCRIME
SECURITY EXPERTS RANK THE SO-CALLED SOLARWINDS HACK AMONG THE TWO OR THREE MOST SERIOUS CYBER ESPIONAGE INTRUSIONS IN U.S. HISTORY—AND IT MAY BE THE ONE THAT REACHES DEEPEST INTO CORPORATE AMERICA. HERE’S WHAT WE KNOW SO FAR ABOUT HOW IT UNFOLDED.


DIGITALGLOBE/SCAPEWARE3D/GETTY IMAGES