Cybersecurity & Digital Warfare
The Spy Who Came in Through the Software Update
For nearly nine months, the most sensitive networks in the United States government were wide open — and the door that let the attackers in was one that everyone trusted completely.
The Idea
The SolarWinds attack, discovered in December 2020, is considered one of the most sophisticated cyber operations ever conducted. But what made it so devastating wasn't brute force — it was patience, and a single insight: instead of attacking your target directly, attack the thing your target trusts. SolarWinds makes Orion, a network monitoring platform used by roughly 18,000 organisations, including large chunks of the US federal government. Sometime in early 2020, attackers — widely attributed to Russia's SVR foreign intelligence service — inserted malicious code into Orion's build pipeline. This is the automated process that assembles raw code into finished software. The result was that when SolarWinds shipped a routine update, the malware shipped with it, signed with SolarWinds' own cryptographic certificate. To any security system checking its legitimacy, it looked perfectly clean. This is what security researchers call a supply chain attack. Rather than picking the lock on your front door, someone poisons the factory that made your lock. The malware, nicknamed SUNBURST, was engineered to lie dormant for two weeks after installation, blend into normal network traffic, and only phone home to its operators once it had confirmed it wasn't in a sandboxed test environment. The attackers weren't smashing windows. They were reading blueprints. The implication that still haunts the industry: you can do almost everything right — patch your systems, train your staff, hire excellent people — and still be compromised through the software you rely on without question.
In the World
The scale of what the attackers accessed only became clear gradually, and it was genuinely alarming. The US Treasury Department, the Department of Homeland Security, the State Department, parts of the Pentagon, and the cybersecurity firm FireEye were all among the victims. FireEye, ironically, was the company that eventually discovered the breach — not because they were looking for SolarWinds malware, but because an attacker tried to enroll a second device into their multi-factor authentication system using an employee's credentials, and a security team member noticed it wasn't a device they recognised. That small anomaly unravelled everything. FireEye's investigators pulled on the thread and found SUNBURST sitting inside their network. They contacted SolarWinds and US authorities, and the scope of the compromise began to emerge. The attackers had used their access carefully, moving only into the networks they found most valuable, presumably to avoid triggering alerts through volume. At the National Nuclear Security Administration — which manages the US nuclear weapons stockpile — there were signs of intrusion. At Microsoft, the attackers accessed source code repositories, though Microsoft stated no customer data was taken. What the SVR ultimately gathered across those nine months remains classified. That ambiguity is part of the damage. When an intelligence operation of this sophistication succeeds, the victim never knows exactly what was read, copied, or used — only that someone was there, reading over their shoulder, for a very long time.
Why It Matters
SolarWinds changed how serious people think about digital trust. Before it, most security conversations centred on keeping bad actors out of your own systems. After it, the conversation had to expand to include every piece of software you run and every vendor in your chain. This matters beyond government and enterprise. The same conceptual vulnerability — that we extend implicit trust to software updates, to third-party tools, to the underlying infrastructure of digital life — applies at every level. The apps on your phone update automatically. The tools your employer uses do the same. Somewhere in that chain, there are build pipelines, code repositories, and human decisions made under commercial pressure. The SolarWinds episode also crystallised a geopolitical reality: espionage has moved into software infrastructure, and the most valuable operations leave no physical trace. There are no broken windows, no stolen files in a briefcase. Just silent, careful access to information that shapes decisions. Knowing this doesn't make you paranoid — it makes you more accurate about the nature of the digital environment we all inhabit. Trust in software is never absolute; it is always, to some degree, delegated.
A Question to Ponder
If the most effective attacks succeed not by breaking security but by subverting trust itself, what would it actually mean to build systems — digital or otherwise — that are genuinely trustworthy rather than just apparently so?
Get a new one of these every morning.
Start learning with Thinkable