Solorigate: What Went Behind The ‘Disastrous’ SolarWinds Hack


US-based SolarWinds has suffered one of the most disastrous cyberattacks of the year, one that has potentially compromised up to 200 organisations and agencies, including prominent names such as Intel, Microsoft, NVIDIA and Cisco. The attack is now being referred to as Solorigate, a name first coined by Microsoft.

This attack comes on the heels of a major breach at FireEye, one of the world's most sought-after cybersecurity firms. The FireEye hack was termed the biggest known cyberattack since the 2016 incident in which hacking tools attributed to the US National Security Agency were leaked by a little-known group calling itself the Shadow Brokers.

The Solorigate Attack

In both the SolarWinds and FireEye cases, it is speculated that the hackers operated on behalf of a foreign government. FireEye, which is also investigating the cause of the SolarWinds hack, said that a malware-laced update to the latter's Orion software infected the networks of multiple US companies and government agencies.

Reportedly, as many as 18,000 SolarWinds customers may have installed a malicious update that included a backdoor. However, the number of organisations the attackers actually infiltrated through that backdoor is far smaller, currently pegged at close to 200.

Experts describe this as a supply chain attack, in which attackers damage an organisation by going after the weaker, less secure links in its supply chain rather than the organisation itself. One of the most prominent earlier examples is the Target breach of 2013, where the attackers got in using credentials stolen from a third-party heating and air-conditioning vendor.

The Target breach is considered one of the largest data breaches in the history of the retail industry. Between November 27 and December 15, 2013, malware planted on the point-of-sale (POS) systems of about 1,800 stores exposed some 40 million credit and debit cards to fraud. The breach cut the company's profit in Q4 of 2013 by about 46%, on top of the cost of roughly 90 lawsuits filed against the company.

What Went Wrong With SolarWinds

The attackers compromised a SolarWinds Orion Platform DLL (Dynamic Link Library), SolarWinds.Orion.Core.BusinessLayer.dll, by adding roughly 4,000 lines of malicious code. This inserted code, a backdoor that FireEye named SUNBURST, allowed the attacker to operate unfettered in compromised networks.

What made it even harder to detect is that the compromised file was digitally signed with SolarWinds' own certificate, which suggests the attackers had access to SolarWinds' software build or distribution pipeline. A valid signature only proves that the file passed through the vendor's signing step; it says nothing about whether the code that went in was what the vendor intended, so signature checks alone would not have caught this.

According to a Microsoft review of the SolarWinds hack, there is evidence that the attackers began testing their ability to insert code by adding empty classes as early as October 2019. This means the malicious code was inserted at a very early stage, possibly before the software build step in which the compiled code is digitally signed, so the signature was applied to code that had already been tampered with.

Once installed, the malware stays dormant for a period of up to two weeks. It then retrieves and executes commands called Jobs, which include transferring and executing files, profiling the system, rebooting the machine and disabling system services. The backdoor also consulted multiple obfuscated blocklists to identify security and analysis tools that may be running on the system, covering processes, services and drivers. The names on those lists were stored as hashes rather than plaintext, so that an analyst could not simply read the list of targeted tools out of the binary.
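The hashed-blocklist trick is worth seeing end to end, because it shows both why the obfuscation slows down analysis and how defenders undo it. The following is an added example written for this article, not code from SolarWinds, FireEye or the backdoor itself. It uses plain 64-bit FNV-1a; the real backdoor is documented as using a variant of FNV-1a with an additional XOR, which is omitted here. The tool names, process list and analyst dictionary are constructed sample data, not the backdoor's actual list.

```python
"""Hashed process blocklist: what the attacker ships, what the implant checks,
and how an analyst recovers the names by hashing a dictionary of candidates.

Added example for illustration; plain FNV-1a 64-bit, no extra XOR step.
"""

FNV_OFFSET_64 = 0xCBF29CE484222325
FNV_PRIME_64 = 0x100000001B3
MASK_64 = (1 << 64) - 1


def fnv1a_64(text: str) -> int:
    """Standard FNV-1a over the UTF-8 bytes of `text`."""
    h = FNV_OFFSET_64
    for byte in text.encode("utf-8"):
        h ^= byte
        h = (h * FNV_PRIME_64) & MASK_64
    return h


def normalise(process_name: str) -> str:
    """Lower-case and strip the extension so 'ProcMon.exe' and 'procmon' agree."""
    name = process_name.lower()
    return name.rsplit(".", 1)[0] if "." in name else name


def build_blocklist(tool_names) -> frozenset:
    """What the malware author embeds in the binary: hashes only, never names."""
    return frozenset(fnv1a_64(normalise(n)) for n in tool_names)


def blocked_tools_running(running_processes, blocklist) -> list:
    """The implant's check: if any running process hashes into the blocklist,
    it stays quiet. Returns the matching (normalised) names, sorted."""
    return sorted({normalise(p) for p in running_processes
                   if fnv1a_64(normalise(p)) in blocklist})


def recover_blocklist(blocklist, candidate_names) -> dict:
    """Analyst's dictionary attack: hash every plausible tool name and keep the
    ones that appear in the shipped hash set. Returns {hash: name}."""
    recovered = {}
    for candidate in candidate_names:
        name = normalise(candidate)
        h = fnv1a_64(name)
        if h in blocklist:
            recovered[h] = name
    return recovered


# Constructed sample data (hypothetical, not the backdoor's real list).
SECRET_TOOLS = ["procmon", "windbg", "wireshark", "autoruns"]
SHIPPED_BLOCKLIST = build_blocklist(SECRET_TOOLS)

SAMPLE_PROCESSES = ["explorer.exe", "svchost.exe", "ProcMon.exe", "notepad.exe"]
ANALYST_DICTIONARY = ["procmon", "procexp", "windbg", "x64dbg",
                      "wireshark", "autoruns", "ida64"]

if __name__ == "__main__":
    print("blocked tools running:",
          blocked_tools_running(SAMPLE_PROCESSES, SHIPPED_BLOCKLIST))
    for h, name in sorted(recover_blocklist(SHIPPED_BLOCKLIST,
                                            ANALYST_DICTIONARY).items()):
        print(f"{h:016x} -> {name}")
```

The asymmetry is the point: the implant only needs to hash each running process name and do a set lookup, while anyone reading the binary sees 64-bit numbers. Recovery still works because the input space is tiny (names of well-known security tools), so a few hundred guesses hashed the same way give back the list. Any blocklist built this way, with or without an extra XOR, falls to the same approach once the hash function is identified.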

Interestingly, FireEye discovered the SolarWinds backdoor while investigating its own breach, which it disclosed on December 8.

Wrapping Up

Supply chain attacks are a growing concern. The Solorigate incident is a reminder that they are so damaging because they combine widespread impact with deep consequences for each compromised network.

Companies that suspect they are affected can limit the damage by isolating and investigating affected devices, identifying the accounts used on those devices, and establishing the timeline of compromise for each device to look for signs of lateral movement.

Shraddha Goled
I am a technology journalist with AIM. I write stories focused on the AI landscape in India and around the world with a special interest in analysing its long term impact on individuals and societies. Reach out to me at shraddha.goled@analyticsindiamag.com.
