The threat actors gained access to SolarWinds’ Orion software through its automated build environment and began testing their ability to inject malicious code into builds in October 2019, before rolling out malicious updates, which were named SUNBURST, to customers between March and June the following year.
In its blog post, SolarWinds said it estimates fewer than 100 customers were targeted with the SUNBURST malware, which was in line with estimates given by the U.S. government and other researchers. Additionally, the company said no source code repository was modified in the attack and there were no signs of SUNBURST in any of its other products.
The company offered three possible access points that enabled the attackers’ breach: a zero-day flaw in a third-party app or device, a social engineering campaign or a brute-force attack.
“Our investigations have uncovered evidence that the threat actor compromised credentials and conducted research and surveillance in furtherance of its objectives through persistent access to our software development environment and internal systems,” the company said.