SolarWinds 2019 Scenario

Summary

Sometime around January 2019, hackers from a group known as SolarStorm gained access to SolarWinds’ network using either a zero-day vulnerability in a third-party service or application, a brute-force attack or social engineering. Once inside, they:

  1. Installed the SUNSPOT malware to compromise SolarWinds’ build processes.
  2. Inserted the SUNBURST backdoor in SolarWinds’ Orion software (used for tracking servers in company networks).
  3. Compromised thousands of organizations that were using the Orion software.

This attack had far-reaching consequences:

  • High-profile targets were compromised (U.S. Department of Homeland Security, Department of Energy and others).
  • The malicious software update affected approximately 18,000 SolarWinds Orion customers, well over half of the company’s 33,000 reported customers.
  • Widespread reputational damage and financial consequences: SolarWinds faced significant scrutiny and criticism for the breach, and its stock price dropped significantly. Affected organizations also suffered reputational damage and increased cybersecurity spending in response to the attack (there are still outstanding lawsuits over this incident).
  • The SolarStorm threat actor group was able to steal the FireEye red team toolset, which is used by ethical hackers in penetration tests.
  • In response to the attack, lawmakers and regulatory bodies considered legislation aimed at increasing accountability for software vendors and improving the security of supply chains.

Sample Exercise Files

New AutoTableTop™ facilitators can use all of these files to execute their own exercise and review their outcomes with those included in the transcripts provided. This scenario is not meant to insinuate that ThreatGEN has any non-public information from the original incident; this is meant as a means to become comfortable with the tool and determine effective responses.

Save these files to your PC in order to recreate the Colonial Pipeline ransomware attack exercise yourself.

File Descriptions

  • A Settings File that can be uploaded into the AutoTableTop™ settings window to execute an exercise based on the Colonial Pipeline attack.
  • A Scenario Document discussing each setting within the Settings File, both general settings and those specific to this scenario.
  • An End Exercise Analysis Report generated using the Settings File and Incident Response Plan above.
  • A sample Transcript from an exercise run with the above Settings File and Incident Response Plan.
Files for the SolarWinds 2019 Scenario for AutoTableTop™

Originally released February 13, 2025.
Copyright © 2025 by Derezzed Inc. D/B/A ThreatGEN, all rights reserved.
