2020 United States federal government data breach#Microsoft exploits
{{Short description|US federal government data breach}}
{{Use American English|date=December 2020}}
{{Use mdy dates|date=December 2020}}
{{Infobox event
| image = {{Photomontage
| photo1a = The Pentagon, cropped square.png
| photo2a = Frances Perkins Building.JPG
| photo3a = U.S. Department of Justice headquarters, August 12, 2006.jpg
| photo3b = US Dept of Energy Forrestal Building.jpg
| photo4a = USDA Bldg., Washington, D.C. IMG 4787.JPG
| photo4b = United States Department of State headquarters.jpg
| photo5a = U.S. Treasury Building and Albert Gallatin Statue.jpg
| photo5b = NIH_Clinical_Research_Center_aerial.jpg
| photo6a = Department of Homeland Security’s new headquarters is ceremoniously opened.jpg
| photo6b = Main entrance Commerce Department Building, 14th and Constitution 3.jpg
}}
| image_size =
| image_alt =
| caption = U.S. federal institutions reportedly breached. From top, clockwise: Defense, Labor, Energy, State, National Institutes of Health, Commerce, Homeland Security, Treasury, Agriculture, Justice
| duration = At least 8{{cite web|url=https://www.bbc.com/news/technology-55318815|title=SolarWinds Orion: More US government agencies hacked|date=December 15, 2020|publisher=BBC|access-date=December 16, 2020|archive-date=December 16, 2020|archive-url=https://web.archive.org/web/20201216130015/https://www.bbc.com/news/technology-55318815|url-status=live}} or 9 months
| date = {{bulleted list
|Before October 2019 (start of supply chain compromise){{cite news |first=Eduard |last=Kovacs |date=18 December 2020 |url=https://www.securityweek.com/solarwinds-likely-hacked-least-one-year-breach-discovery |title=SolarWinds Likely Hacked at Least One Year Before Breach Discovery |website=SecurityWeek.com |access-date=December 18, 2020 |archive-date=February 18, 2021 |archive-url=https://web.archive.org/web/20210218190822/https://www.securityweek.com/solarwinds-likely-hacked-least-one-year-breach-discovery |url-status=live }}
|March 2020 (possible federal breach start date)
|December 13, 2020 (breach acknowledged)}}
| location = United States, United Kingdom, Spain, Israel, United Arab Emirates, Canada, Mexico, others{{Cite news|url=https://www.telegraph.co.uk/technology/2020/12/18/microsoft-warns-uk-companies-targeted-solarwinds-hackers/|title=Microsoft warns UK companies were targeted by SolarWinds hackers|first=James|last=Cook|newspaper=The Telegraph|date=December 18, 2020|url-access=subscription|access-date=December 21, 2020|archive-date=April 19, 2021|archive-url=https://web.archive.org/web/20210419043915/https://www.telegraph.co.uk/technology/2020/12/18/microsoft-warns-uk-companies-targeted-solarwinds-hackers/|url-status=live}}
| target = U.S. federal government, state and local governments, and private sector
| also_known_as =
| type = Cyberattack, data breach
| theme = Malware, backdoor, advanced persistent threat, espionage
| cause = {{bulleted list
|SolarWinds supply chain attack (SUNBURST trojan)
|Microsoft Outlook Web App software bug
|Microsoft supply chain attack (reseller compromise)}}
| first_reporter = {{bulleted list
|FireEye (coordinated vulnerability disclosure)
|NSA (coordinated vulnerability disclosure)
|Reuters (public disclosure)}}
| suspects = {{bulleted list
|Berserk Bear (Russia)
|Cozy Bear (Russia)
|FSB (Russia)
|SVR (Russia)}}
| outcome =
}}
In 2020, a major cyberattack suspected to have been committed by a group backed by the Russian government penetrated thousands of organizations globally including multiple parts of the United States federal government, leading to a series of data breaches.{{cite news|url=https://www.nytimes.com/2020/12/14/us/politics/russia-hack-nsa-homeland-security-pentagon.html|title=Scope of Russian Hack Becomes Clear: Multiple U.S. Agencies Were Hit|first1=David E.|last1=Sanger|first2=Nicole|last2=Perlroth|first3=Eric|last3=Schmitt|date=December 15, 2020|work=The New York Times|access-date=December 15, 2020|archive-date=December 18, 2020|archive-url=https://web.archive.org/web/20201218062201/https://www.nytimes.com/2020/12/14/us/politics/russia-hack-nsa-homeland-security-pentagon.html|url-status=live |url-access=subscription}}{{cite web|url=https://www.bbc.co.uk/news/world-us-canada-55374945|date=2020-12-19|access-date=2020-12-19|publisher=BBC|title=US cyber-attack: Russia 'clearly' behind SolarWinds operation, says Pompeo|archive-date=May 27, 2021|archive-url=https://web.archive.org/web/20210527220606/https://www.bbc.co.uk/news/world-us-canada-55374945|url-status=live}}{{Cite news|last1=Kantchev|first1=Georgi|last2=Strobel|first2=Warren P.|date=2021-01-02|title=How Russia's 'Info Warrior' Hackers Let Kremlin Play Geopolitics on the Cheap|language=en-US|work=Wall Street Journal|url=https://www.wsj.com/articles/how-russias-info-warrior-hackers-let-kremlin-play-geopolitics-on-the-cheap-11609592401|access-date=2021-01-05|issn=0099-9660|url-access=subscription|id={{ProQuest|2474544289}}|archive-date=January 8, 2021|archive-url=https://web.archive.org/web/20210108150801/https://www.wsj.com/articles/how-russias-info-warrior-hackers-let-kremlin-play-geopolitics-on-the-cheap-11609592401|url-status=live}} The cyberattack and data breach were reported to be among the worst cyber-espionage incidents ever suffered by the U.S., due to the sensitivity and high profile of the targets and the 
long duration (eight to nine months) in which the hackers had access.{{refn|{{cite news|last=Bossert|first=Thomas P.|date=December 17, 2020|title=Opinion | I Was the Homeland Security Adviser to Trump. We're Being Hacked.|work=The New York Times|url=https://www.nytimes.com/2020/12/16/opinion/fireeye-solarwinds-russia-hack.html|url-status=live|access-date=December 17, 2020|archive-url=https://web.archive.org/web/20201217112609/https://www.nytimes.com/2020/12/16/opinion/fireeye-solarwinds-russia-hack.html|archive-date=December 17, 2020}}{{cite news|url=https://www.bloomberg.com/news/articles/2020-12-14/u-s-government-agencies-attacked-by-hackers-in-software-update|title=U.S. Agencies Exposed in Attack by Suspected Russian Hackers|newspaper=Bloomberg.com|date=December 14, 2020|publisher=Bloomberg L.P.|access-date=December 17, 2020|archive-date=December 16, 2020|archive-url=https://web.archive.org/web/20201216002322/https://www.bloomberg.com/news/articles/2020-12-14/u-s-government-agencies-attacked-by-hackers-in-software-update|url-status=live |url-access=subscription |first1=Alyza |last1=Sebenius |first2=Kartikay |last2=Mehrotra |first3=Michael |last3=Riley}}{{cite web|url=https://www.reviewjournal.com/news/politics-and-government/cyber-attack-may-be-worst-hacking-case-in-the-history-of-america-2223270/|title=Cyber attack may be 'worst hacking case in the history of America'|work=Las Vegas Review-Journal|date=December 17, 2020|access-date=December 18, 2020|archive-date=December 18, 2020|archive-url=https://web.archive.org/web/20201218062142/https://www.reviewjournal.com/news/politics-and-government/cyber-attack-may-be-worst-hacking-case-in-the-history-of-america-2223270/|url-status=live |agency=Associated Press |first=Ben |last=Fox}}{{cite news|url=https://www.independent.co.uk/news/world/americas/russia-cyber-attack-us-trump-b1775632.html|title=US under major active cyberattack from Russia, Trump's former security adviser warns|date=December 17, 2020|website=The 
Independent|access-date=December 17, 2020|archive-date=December 18, 2020|archive-url=https://web.archive.org/web/20201218062142/https://www.independent.co.uk/news/world/americas/russia-cyber-attack-us-trump-b1775632.html|url-status=live |first=Chris |last=Riotta |location=New York}}{{cite news|url=https://www.theguardian.com/technology/2020/dec/18/orion-hack-solarwinds-explainer-us-government|date=December 18, 2020|newspaper=The Guardian|title=What we know – and still don't – about the worst-ever US government cyber-attack|first1=Kari|last1=Paul|first2=Lois|last2=Beckett|access-date=December 20, 2020|archive-date=December 20, 2020|archive-url=https://web.archive.org/web/20201220174914/https://www.theguardian.com/technology/2020/dec/18/orion-hack-solarwinds-explainer-us-government|url-status=live}}}} Within days of its discovery, at least 200 organizations around the world had been reported to be affected by the attack, and some of these may also have suffered data breaches.{{Cite news|url=https://www.bloomberg.com/news/articles/2020-12-19/at-least-200-victims-identified-in-suspected-russian-hacking|title=At Least 200 Victims Identified in Suspected Russian Hacking|newspaper=Bloomberg|date=19 December 2020|first=William|last=Turton|url-access=subscription|access-date=December 20, 2020|archive-date=April 6, 2021|archive-url=https://web.archive.org/web/20210406063950/https://www.bloomberg.com/news/articles/2020-12-19/at-least-200-victims-identified-in-suspected-russian-hacking|url-status=live}} Affected organizations worldwide included NATO, the U.K. government, the European Parliament, Microsoft and others.
The attack, which had gone undetected for months, was first publicly reported on December 13, 2020, and was initially only known to have affected the U.S. Treasury Department and the National Telecommunications and Information Administration (NTIA), part of the U.S. Department of Commerce.{{refn|{{cite web|url=https://www.cnbc.com/2020/12/13/cyber-hack-on-us-treasury-by-foreign-government-.html|title=White House acknowledges reports of cyberattack on U.S. Treasury by foreign government|first=Amanda|last=Macias|date=December 13, 2020|publisher=CNBC|access-date=December 14, 2020|archive-date=December 14, 2020|archive-url=https://web.archive.org/web/20201214015022/https://www.cnbc.com/2020/12/13/cyber-hack-on-us-treasury-by-foreign-government-.html|url-status=live}}{{cite news|url=https://www.nytimes.com/2020/12/13/us/politics/russian-hackers-us-government-treasury-commerce.html|title=Russian Hackers Broke Into Federal Agencies, U.S. Officials Suspect|first=David E.|last=Sanger|date=December 13, 2020|work=The New York Times|access-date=December 14, 2020|archive-date=December 14, 2020|archive-url=https://web.archive.org/web/20201214013043/https://www.nytimes.com/2020/12/13/us/politics/russian-hackers-us-government-treasury-commerce.html|url-status=live}}{{cite web|url=https://mashable.com/article/us-treasury-hacked-office-365/|title=Russian government-backed hackers breached the U.S. 
Treasury, Commerce departments|first=Adam|last=Rosenberg|website=Mashable|date=December 13, 2020|access-date=December 14, 2020|archive-date=December 14, 2020|archive-url=https://web.archive.org/web/20201214032732/https://mashable.com/article/us-treasury-hacked-office-365/|url-status=live}}{{cite magazine|url=https://www.rollingstone.com/politics/politics-news/treasury-commerce-russian-government-spies-1103205/|title=Treasury, Commerce, Other Agencies Hacked by Russian Government Spies, Report Says|first=Peter|last=Wade|magazine=Rolling Stone|date=December 13, 2020|access-date=December 14, 2020|archive-date=December 14, 2020|archive-url=https://web.archive.org/web/20201214024218/https://www.rollingstone.com/politics/politics-news/treasury-commerce-russian-government-spies-1103205/|url-status=live}}}} In the following days, more departments and private organizations reported breaches.{{cite news|url=https://www.reuters.com/article/global-cyber-idUSKBN28O1Z3|title=U.S. Homeland Security, thousands of businesses scramble after suspected Russian hack|first1=Jack|last1=Stubbs|first2=Raphael|last2=Satter|first3=Joseph|last3=Menn|date=December 15, 2020|work=Reuters|access-date=December 15, 2020|archive-date=December 15, 2020|archive-url=https://web.archive.org/web/20201215113854/https://www.reuters.com/article/global-cyber-idUSKBN28O1Z3|url-status=live}}{{cite news|url=https://www.bloomberg.com/news/articles/2020-12-14/u-k-government-nato-join-u-s-in-monitoring-risk-from-hack|title=U.K. Government, NATO Join U.S. in Monitoring Risk From Hack|newspaper=Bloomberg.com|date=December 14, 2020|publisher=Bloomberg L.P.|access-date=December 16, 2020|archive-date=December 15, 2020|archive-url=https://web.archive.org/web/20201215021953/https://www.bloomberg.com/news/articles/2020-12-14/u-k-government-nato-join-u-s-in-monitoring-risk-from-hack|url-status=live |first1=Ryan |last1=Gallagher |first2=Kitty |last2=Donaldson}}
The cyberattack that led to the breaches began no later than March 2020. The attackers exploited software or credentials from at least three U.S. firms: Microsoft, SolarWinds, and VMware.{{cite news|url=https://www.reuters.com/article/uk-usa-cyber-breach-idUKKBN28R3B7|title=Microsoft says it found malicious software in its systems|first=Joseph|last=Menn|date=December 18, 2020|work=Reuters|access-date=December 17, 2020|archive-date=December 18, 2020|archive-url=https://web.archive.org/web/20201218062143/https://www.reuters.com/article/uk-usa-cyber-breach-idUKKBN28R3B7|url-status=live}}{{cite web |url=https://krebsonsecurity.com/2020/12/vmware-flaw-a-vector-in-solarwinds-breach/ |title=VMware Flaw a Vector in SolarWinds Breach? |publisher=Krebs on Security |date=December 7, 2020 |access-date=December 18, 2020 |archive-date=March 11, 2021 |archive-url=https://web.archive.org/web/20210311213646/https://krebsonsecurity.com/2020/12/vmware-flaw-a-vector-in-solarwinds-breach/ |url-status=live }} A supply chain attack on SolarWinds's Orion software, widely used in government and industry, provided an initial entry point.{{cite web|last=Wolff|first=Josephine|date=December 16, 2020|title=What We Do and Don't Know About the Massive Federal Government Hack|url=https://slate.com/technology/2020/12/solarwinds-hack-commerce-treasury-breach.html|url-status=live|archive-url=https://web.archive.org/web/20201216210929/https://slate.com/technology/2020/12/solarwinds-hack-commerce-treasury-breach.html|archive-date=December 16, 2020|access-date=December 17, 2020|website=Slate}} Microsoft cloud products provided another, allowing the attackers to also breach victims who were not SolarWinds 
customers.{{cite web|url=https://www.msn.com/en-us/news/us/russian-hackers-compromised-microsoft-cloud-customers-through-third-party-putting-emails-and-other-data-at-risk/ar-BB1cdqp0|website=MSN}}{{cite news|url=https://www.reuters.com/article/us-global-cyber-usa-idUSKBN28Y1BF|work=Reuters}}{{cite news|url=https://www.nytimes.com/2020/12/24/us/russia-microsoft-resellers-cyberattacks.html|work=The New York Times|date=December 24, 2020}} Flaws in Microsoft and VMware products allowed the attackers to access emails and other documents, and to perform federated authentication across victim resources via single sign-on infrastructure.{{cite web|first=Catalin|last=Cimpanu|url=https://www.zdnet.com/article/nsa-warns-of-federated-login-abuse-for-local-to-cloud-attacks/|date=2020-12-18|access-date=2020-12-19|title=NSA warns of federated login abuse for local-to-cloud attacks|publisher=Ziff-Davis|work=Zero Day|archive-date=February 9, 2021|archive-url=https://web.archive.org/web/20210209152753/https://www.zdnet.com/article/nsa-warns-of-federated-login-abuse-for-local-to-cloud-attacks/|url-status=live}}
In addition to the theft of data, the attack caused costly inconvenience to tens of thousands of SolarWinds customers, who had to check whether they had been breached, and had to take systems offline and begin months-long decontamination procedures as a precaution.{{cite news |last1=Porter |first1=Tom |title=It could take years to evict Russia from the US networks it hacked, leaving it free to destroy or tamper with data, ex-White House official warns |url=https://www.businessinsider.com/russia-hack-may-take-years-undo-bossert-2020-12 |access-date=24 March 2023 |work=Business Insider |date=17 December 2020 |archive-date=August 8, 2022 |archive-url=https://web.archive.org/web/20220808065229/http://www.businessinsider.com/russia-hack-may-take-years-undo-bossert-2020-12 |url-status=live }} U.S. Senator Richard J. Durbin described the cyberattack as tantamount to a declaration of war.{{Cite web|url=https://www.c4isrnet.com/congress/2020/12/17/no-2-senate-democrat-russia-hack-a-virtual-invasion/|title=No. 2 Senate Democrat decries alleged Russian hack as 'virtual invasion'|first=Joe|last=Gould|date=December 17, 2020|website=Defense News|access-date=December 21, 2020|archive-date=January 31, 2021|archive-url=https://web.archive.org/web/20210131064202/https://www.c4isrnet.com/congress/2020/12/17/no-2-senate-democrat-russia-hack-a-virtual-invasion/|url-status=live}}{{cite news|url=https://www.nytimes.com/2020/12/16/us/politics/russia-hack-putin-trump-biden.html|title=Billions Spent on U.S. Defenses Failed to Detect Giant Russian Hack|first1=David E.|last1=Sanger|first2=Nicole|last2=Perlroth|first3=Julian E.|last3=Barnes|date=December 16, 2020|work=The New York Times|access-date=December 16, 2020|archive-date=December 16, 2020|archive-url=https://web.archive.org/web/20201216200710/https://www.nytimes.com/2020/12/16/us/politics/russia-hack-putin-trump-biden.html|url-status=live}} President Donald Trump was silent for several days after the attack was publicly disclosed. 
He suggested that China, not Russia, might have been responsible for it, and that "everything is well under control".{{cite web|last1=Colvin|first1=Jill|last2=Lee|first2=Matthew|date=2020-12-19|title=Trump downplays Russia in first comments on hacking campaign|url=https://apnews.com/article/donald-trump-politics-mark-levin-coronavirus-pandemic-hacking-6080f156125a4a46edef2a6dcf826611|access-date=2020-12-20|publisher=Associated Press|archive-date=February 23, 2021|archive-url=https://web.archive.org/web/20210223025027/https://apnews.com/article/donald-trump-politics-mark-levin-coronavirus-pandemic-hacking-6080f156125a4a46edef2a6dcf826611|url-status=live}}
==Background==
SolarWinds, a Texas-based provider of network monitoring software to the U.S. federal government, had shown several security shortcomings prior to the attack.{{cite web|title=The SolarWinds Perfect Storm: Default Password, Access Sales and More|url=https://threatpost.com/solarwinds-default-password-access-sales/162327/|url-status=live|archive-url=https://web.archive.org/web/20201217143937/https://threatpost.com/solarwinds-default-password-access-sales/162327/|archive-date=December 17, 2020|access-date=December 17, 2020|website=Threat Post |first=Tara |last=Seals |date=16 December 2020}} SolarWinds did not employ a chief information security officer or senior director of cybersecurity.{{Cite news|url=https://www.bloomberg.com/news/articles/2020-12-21/solarwinds-adviser-warned-of-lax-security-years-before-hack|title=SolarWinds Adviser Warned of Lax Security Years Before Hack|newspaper=Bloomberg.com|date=December 21, 2020|access-date=December 22, 2020|first=Ryan|last=Gallagher|url-access=subscription|archive-date=May 16, 2021|archive-url=https://web.archive.org/web/20210516053412/https://www.bloomberg.com/news/articles/2020-12-21/solarwinds-adviser-warned-of-lax-security-years-before-hack|url-status=live}} Cybercriminals had been selling access to SolarWinds's infrastructure since at least as early as 2017. SolarWinds had been advising customers to disable antivirus tools before installing SolarWinds software. 
In November 2019, a security researcher had warned SolarWinds that its FTP server was not secure, saying that "any hacker could upload malicious [files]" that would then be distributed to SolarWinds customers.{{cite web|title=SolarWinds Hack Could Affect 18K Customers|url=https://krebsonsecurity.com/2020/12/solarwinds-hack-could-affect-18k-customers/|url-status=live|archive-url=https://web.archive.org/web/20201216063419/https://krebsonsecurity.com/2020/12/solarwinds-hack-could-affect-18k-customers/|archive-date=December 16, 2020|access-date=December 16, 2020|publisher=Krebs on Security}}{{cite web|url=https://www.itwire.com/security/solarwinds-ftp-credentials-were-leaking-on-github-in-november-2019.html|title=SolarWinds FTP credentials were leaking on GitHub in November 2019|first=Sam|last=Varghese|website=itwire.com|access-date=December 17, 2020|archive-date=December 15, 2020|archive-url=https://web.archive.org/web/20201215011307/https://itwire.com/security/solarwinds-ftp-credentials-were-leaking-on-github-in-november-2019.html|url-status=live |date=15 December 2020}}{{cite news|url=https://www.reuters.com/article/global-cyber-solarwinds/hackers-at-center-of-sprawling-spy-campaign-turned-solarwinds-dominance-against-it-idUSKBN28P2N8|title=Hackers used SolarWinds' dominance against it in sprawling spy campaign|date=December 16, 2020|access-date=December 16, 2020|work=Reuters|language=en|archive-date=December 17, 2020|archive-url=https://web.archive.org/web/20201217222405/https://www.reuters.com/article/global-cyber-solarwinds/hackers-at-center-of-sprawling-spy-campaign-turned-solarwinds-dominance-against-it-idUSKBN28P2N8|url-status=live |first1=Raphael |last1=Satter |first2=Christopher |last2=Bing |first3=Joseph |last3=Menn}} Furthermore, SolarWinds's Microsoft Office 365 account had been compromised, with the attackers able to access emails and possibly other documents.{{cite web|url=https://www.theregister.com/2020/12/16/solarwinds_github_password/|title=We're not saying this is how SolarWinds was backdoored, but its FTP password 'leaked on GitHub in plaintext'|first=Thomas|last=Claburn|website=The Register|access-date=December 17, 2020|archive-date=December 18, 2020|archive-url=https://web.archive.org/web/20201218002615/https://www.theregister.com/2020/12/16/solarwinds_github_password/|url-status=live |date=16 December 2020}}
On December 7, 2020, a few days before trojaned SolarWinds software was publicly confirmed to have been used to attack other organizations, longstanding SolarWinds CEO Kevin Thompson retired.{{cite web|url=https://www.cnbc.com/2020/12/16/solarwinds-hack-triggers-23percent-stock-haircut-this-week-so-far.html|title=SolarWinds hack has shaved 23% from software company's stock this week|first=Jordan|last=Novet|date=December 16, 2020|publisher=CNBC|access-date=December 17, 2020|archive-date=December 16, 2020|archive-url=https://web.archive.org/web/20201216223540/https://www.cnbc.com/2020/12/16/solarwinds-hack-triggers-23percent-stock-haircut-this-week-so-far.html|url-status=live}}{{cite web|url=https://www.theregister.com/2020/12/16/solarwinds_stock_sale/|title=SolarWinds' shares drop 22 per cent. But what's this? $286m in stock sales just before hack announced?|first=Kieren|last=McCarthy|website=The Register|access-date=December 17, 2020|archive-date=December 17, 2020|archive-url=https://web.archive.org/web/20201217150244/https://www.theregister.com/2020/12/16/solarwinds_stock_sale/|url-status=live |date=16 December 2020}} That same day, two private equity firms with ties to SolarWinds's board sold substantial amounts of stock in SolarWinds. The firms denied insider trading.{{cite news|url=https://www.marketwatch.com/story/solarwinds-falls-under-scrutiny-after-hack-stock-sales-01608166019|title=SolarWinds falls under scrutiny after hack, stock sales|agency=Associated Press|website=MarketWatch|access-date=December 17, 2020|archive-date=December 17, 2020|archive-url=https://web.archive.org/web/20201217023156/https://www.marketwatch.com/story/solarwinds-falls-under-scrutiny-after-hack-stock-sales-01608166019|url-status=live |date=16 December 2020}}
==Methodology==
Multiple attack vectors were used in the course of breaching the various victims of the incident.{{cite news|url=https://uk.reuters.com/article/uk-usa-cyber-breach-idUKKBN28R3B7|title=Microsoft says it found malicious software in its systems|first=Joseph|last=Menn|date=December 18, 2020|work=Reuters|access-date=December 18, 2020|archive-date=December 18, 2020|archive-url=https://web.archive.org/web/20201218062157/https://uk.reuters.com/article/uk-usa-cyber-breach-idUKKBN28R3B7|url-status=dead}}{{cite news|url=https://www.nytimes.com/2020/12/17/us/politics/russia-cyber-hack-trump.html|title=More Hacking Attacks Found as Officials Warn of 'Grave Risk' to U.S. Government|first1=David E.|last1=Sanger|first2=Nicole|last2=Perlroth|date=December 17, 2020|work=The New York Times|access-date=December 17, 2020|archive-date=December 17, 2020|archive-url=https://web.archive.org/web/20201217202216/https://www.nytimes.com/2020/12/17/us/politics/russia-cyber-hack-trump.html|url-status=live}}
===SolarWinds exploit===
{{blockquote|This is classic espionage. It's done in a highly sophisticated way{{nbsp}}... But this is a stealthy operation.|author=Thomas Rid|source=The Washington Post{{cite news |url=https://www.washingtonpost.com/technology/2020/12/14/russia-hack-us-government/ |archive-url=https://web.archive.org/web/20201214201505/https://www.washingtonpost.com/technology/2020/12/14/russia-hack-us-government/ |archive-date=December 14, 2020 |title=Russian hack was 'classic espionage' with stealthy, targeted tactics |date=December 14, 2020 |newspaper=The Washington Post|access-date=December 18, 2020 |url-status=live |first1=Craig |last1=Timberg |first2=Ellen |last2=Nakashima}}}}
The attackers used a supply chain attack.{{cite magazine|title=No One Knows How Deep Russia's Hacking Rampage Goes|url=https://www.wired.com/story/russia-solarwinds-supply-chain-hack-commerce-treasury|url-status=live|archive-url=https://web.archive.org/web/20201217013054/https://www.wired.com/story/russia-solarwinds-supply-chain-hack-commerce-treasury/|archive-date=December 17, 2020|access-date=December 16, 2020|magazine=Wired |first=Lily Hay |last=Newman |date=14 December 2020}} The attackers accessed the build system belonging to the software company SolarWinds, possibly via SolarWinds's Microsoft Office 365 account, which had also been compromised at some point. SolarWinds used TeamCity, a build management and continuous integration server from the Czech company JetBrains. In 2021, The New York Times reported that unknown parties had apparently embedded malware in JetBrains' software and, through it, compromised SolarWinds as well.{{Cite news |last1=Perlroth |first1=Nicole |last2=Sanger |first2=David E. |last3=Barnes |first3=Julian E. |date=2021-01-06 |title=Widely Used Software Company May Be Entry Point for Huge U.S. Hacking |language=en-US |work=The New York Times |url=https://www.nytimes.com/2021/01/06/us/politics/russia-cyber-hack.html |access-date=2022-06-30 |issn=0362-4331 |archive-date=31 May 2021 |archive-url=https://web.archive.org/web/20210531152044/https://www.nytimes.com/2021/01/06/us/politics/russia-cyber-hack.html |url-status=live }}
The attackers established a foothold in SolarWinds's software publishing infrastructure no later than September 2019.{{cite web | last=Sebastian | first=Dave | title=SolarWinds Discloses Earlier Evidence of Hack | website=WSJ | date=2021-01-12 | url=https://www.wsj.com/articles/solarwinds-discloses-earlier-evidence-of-hack-11610473937 | access-date=2021-01-13 | archive-date=June 7, 2021 | archive-url=https://web.archive.org/web/20210607055202/https://www.wsj.com/articles/solarwinds-discloses-earlier-evidence-of-hack-11610473937 | url-status=live }} In the build system, the attackers surreptitiously modified software updates provided by SolarWinds to users of its network monitoring software Orion.{{Cite web|url=https://www.theregister.com/2020/12/20/solarwinds_update_trump_contradicts_pompeo_russia_attribution/|title=Trump administration says Russia behind SolarWinds hack. Trump himself begs to differ|first1=Simon|last1=Sharwood|website=The Register|date=20 December 2020|access-date=December 21, 2020|archive-date=February 1, 2021|archive-url=https://web.archive.org/web/20210201230341/https://www.theregister.com/2020/12/20/solarwinds_update_trump_contradicts_pompeo_russia_attribution/|url-status=live}} The first known modification, in October 2019, was merely a proof of concept. Once the proof had been established, the attackers spent December 2019 to February 2020 setting up a command-and-control infrastructure.
In March 2020, the attackers began to plant remote access tool malware into Orion updates, thereby trojaning them.{{cite web|last=Lyons|first=Kim|date=December 13, 2020|title=Hackers backed by Russian government reportedly breached US government agencies|url=https://www.theverge.com/2020/12/13/22173035/hackers-russia-breached-us-government-agencies-email-cozy-bear|url-status=live|archive-url=https://web.archive.org/web/20201214190936/https://www.theverge.com/2020/12/13/22173035/hackers-russia-breached-us-government-agencies-email-cozy-bear|archive-date=December 14, 2020|access-date=December 15, 2020|website=The Verge}}{{cite press release|title=CISA Issues Emergency Directive to Mitigate the Compromise of Solarwinds Orion Network Management Products|url=https://www.cisa.gov/news/2020/12/13/cisa-issues-emergency-directive-mitigate-compromise-solarwinds-orion-network|url-status=live|archive-url=https://web.archive.org/web/20201215035936/https://www.cisa.gov/news/2020/12/13/cisa-issues-emergency-directive-mitigate-compromise-solarwinds-orion-network|archive-date=December 15, 2020|access-date=December 15, 2020|publisher=CISA |date=13 December 2020}} These users included U.S. government customers in the executive branch, the military, and the intelligence services (see Impact section, below).{{cite web|title=U.S. 
Government Agencies Hit by Hackers During Software Update|url=https://www.msn.com/en-us/news/politics/u-s-government-agencies-hit-by-hackers-during-software-update/ar-BB1bTMl4|archive-url=https://web.archive.org/web/20201214051509/https://www.msn.com/en-us/news/politics/u-s-government-agencies-hit-by-hackers-during-software-update/ar-BB1bTMl4 |archive-date=December 14, 2020|access-date=December 14, 2020|publisher=MSN |url-status=dead |first1=Alyza |last1=Sebbenius |first2=Kartikay |last2=Mehrotra |first3=Michael |last3=Riley}} If a user installed the update, this would execute the malware payload, which would stay dormant for 12–14 days before attempting to communicate with one or more of several command-and-control servers.{{cite web|last=Cimpanu|first=Catalin|title=Microsoft and industry partners seize key domain used in SolarWinds hack|url=https://www.zdnet.com/article/microsoft-and-industry-partners-seize-key-domain-used-in-solarwinds-hack/|url-status=live|archive-url=https://web.archive.org/web/20201217003334/https://www.zdnet.com/article/microsoft-and-industry-partners-seize-key-domain-used-in-solarwinds-hack/|archive-date=December 17, 2020|access-date=December 17, 2020|publisher=ZDNet |date=15 December 2020}}{{cite web|title=DHS Among Those Hit in Sophisticated Cyberattack by Foreign Adversaries – Report|url=https://threatpost.com/dhs-sophisticated-cyberattack-foreign-adversaries/162242/|url-status=live|archive-url=https://web.archive.org/web/20201216200536/https://threatpost.com/dhs-sophisticated-cyberattack-foreign-adversaries/162242/|archive-date=December 16, 2020|access-date=December 17, 2020|website=Threat Post |first=Tara |last=Seals |date=14 December 2020}}{{cite news|last1=Timberg|first1=Craig|last2=Nakashima|first2=Ellen|date=December 16, 2020|title=Russians outsmart US government hacker detection system — but Moscow denies involvement|website=The 
Independent|url=https://www.independent.co.uk/news/world/americas/us-russia-hacking-cyber-security-b1774793.html|url-status=live|access-date=December 16, 2016|archive-url=https://web.archive.org/web/20201218062145/https://www.independent.co.uk/news/world/americas/us-russia-hacking-cyber-security-b1774793.html|archive-date=December 18, 2020}}{{cite web|date=December 16, 2020|title=SolarWinds: Why the Sunburst hack is so serious|url=https://www.bbc.com/news/technology-55321643|url-status=live|archive-url=https://web.archive.org/web/20201216221808/https://www.bbc.com/news/technology-55321643|archive-date=December 16, 2020|access-date=December 18, 2020|publisher=BBC |first=Joe |last=Tidy}} The communications were designed to mimic legitimate SolarWinds traffic.{{cite web|date=December 14, 2020|title=SolarWinds Orion and UNC2452 – Summary and Recommendations|url=https://www.trustedsec.com/blog/solarwinds-orion-and-unc2452-summary-and-recommendations/|url-status=live|archive-url=https://web.archive.org/web/20201215232939/https://www.trustedsec.com/blog/solarwinds-orion-and-unc2452-summary-and-recommendations/|archive-date=December 15, 2020|access-date=December 17, 2020|website=TrustedSec |first=Nick |last=Gilberti}} If able to contact one of those servers, this would alert the attackers of a successful malware deployment and offer the attackers a back door that the attackers could choose to utilize if they wished to exploit the system further.{{cite web|title=FireEye, Microsoft create kill switch for SolarWinds backdoor|url=https://www.bleepingcomputer.com/news/security/fireeye-microsoft-create-kill-switch-for-solarwinds-backdoor/|url-status=live|archive-url=https://web.archive.org/web/20201217033942/https://www.bleepingcomputer.com/news/security/fireeye-microsoft-create-kill-switch-for-solarwinds-backdoor/|archive-date=December 17, 2020|access-date=December 18, 2020|website=BleepingComputer |first=Lawrence |last=Abrams |date=16 December 2020}} The malware started to 
contact command-and-control servers in April 2020, initially from North America and Europe and later from other continents as well.{{cite web|date=December 16, 2020|title=Trend data on the SolarWinds Orion compromise|url=https://blog.cloudflare.com/solarwinds-orion-compromise-trend-data/|url-status=live|archive-url=https://web.archive.org/web/20201216170227/https://blog.cloudflare.com/solarwinds-orion-compromise-trend-data/|archive-date=December 16, 2020|access-date=December 16, 2020|website=The Cloudflare Blog |first1=Malavika Balachandran |last1=Tadeusz |first2=Jesse |last2=Kipp}}
The attackers appear to have made use of only a small fraction of the successful malware deployments: those located within the networks of high-value targets. Once inside the target networks, the attackers pivoted, installing exploitation tools such as Cobalt Strike components,{{cite web|date=December 14, 2020|title=After high profile hacks hit federal agencies, CISA demands drastic SolarWinds mitigation|url=https://www.scmagazine.com/home/security-news/apts-cyberespionage/disconnect-or-power-down-after-high-profile-hacks-cisa-demands-drastic-solarwinds-mitigation/|url-status=live|archive-url=https://web.archive.org/web/20201215070401/https://www.scmagazine.com/home/security-news/apts-cyberespionage/disconnect-or-power-down-after-high-profile-hacks-cisa-demands-drastic-solarwinds-mitigation/|archive-date=December 15, 2020|access-date=December 17, 2020|website=SC Media |first=Joe |last=Uchill}} and seeking additional access. Because Orion was connected to customers' Office 365 accounts as a trusted third-party application, the attackers were able to access emails and other confidential documents.{{cite web|date=December 17, 2020|title=Mitigating Cloud Supply-chain Risk: Office 365 and Azure Exploited in Massive U.S Government Hack|url=https://securityboulevard.com/2020/12/mitigating-cloud-supply-chain-risk-office-365-and-azure-exploited-in-massive-u-s-government-hack/|url-status=live|access-date=24 March 2023|first=Matt|last=Hines|publisher=CipherCloud|archive-date=August 28, 2021|archive-url=https://web.archive.org/web/20210828135503/https://securityboulevard.com/2020/12/mitigating-cloud-supply-chain-risk-office-365-and-azure-exploited-in-massive-u-s-government-hack/}} This access apparently helped them to hunt for certificates that would let them sign SAML tokens, allowing them to masquerade as legitimate users to additional on-premises services and to cloud services like Microsoft Azure Active Directory.
Once these additional footholds had been obtained, disabling the compromised Orion software would no longer be sufficient to sever the attackers' access to the target network.{{cite web|last=Dorfman|first=Zach|title=What we know about Russia's sprawling hack into federal agencies|url=https://www.axios.com/russias-sprawling-hack-of-federal-agencies-alarms-43a9f6f7-5d85-49a6-828b-8371129c276e.html|url-status=live|archive-url=https://web.archive.org/web/20201215111038/https://www.axios.com/russias-sprawling-hack-of-federal-agencies-alarms-43a9f6f7-5d85-49a6-828b-8371129c276e.html|archive-date=December 15, 2020|access-date=December 16, 2020|website=Axios|date=December 15, 2020 }}{{cite news |last1=Miller |first1=Maggie |title=Schiff calls for 'urgent' work to defend nation in the wake of massive cyberattack |url=https://thehill.com/policy/cybersecurity/530562-schiff-calls-for-urgent-work-to-defend-nation-in-the-wake-of-massive/ |access-date=24 March 2023 |work=The Hill |date=16 December 2020 |archive-date=January 16, 2023 |archive-url=https://web.archive.org/web/20230116081408/https://thehill.com/policy/cybersecurity/530562-schiff-calls-for-urgent-work-to-defend-nation-in-the-wake-of-massive/ |url-status=live }} Having accessed data of interest, they encrypted and exfiltrated it.
The attackers hosted their command-and-control servers on commercial cloud services from Amazon, Microsoft, GoDaddy and others.{{cite web|title=Unraveling Network Infrastructure Linked to the SolarWinds Hack|url=https://www.domaintools.com/resources/blog/unraveling-network-infrastructure-linked-to-the-solarwinds-hack|url-status=live|archive-url=https://web.archive.org/web/20201217173553/https://www.domaintools.com/resources/blog/unraveling-network-infrastructure-linked-to-the-solarwinds-hack|archive-date=December 17, 2020|access-date=December 17, 2020|website=DomainTools|date=December 14, 2020 }} By using command-and-control IP addresses based in the U.S., and because much of the malware involved was new, the attackers were able to evade detection by Einstein, a national cybersecurity system operated by the Department of Homeland Security (DHS).{{cite news |last1=Timberg |first1=Craig |last2=Nakashima |first2=Ellen |title=The U.S. government spent billions on a system for detecting hacks. The Russians outsmarted it. |url=https://www.washingtonpost.com/national-security/ruusian-hackers-outsmarted-us-defenses/2020/12/15/3deed840-3f11-11eb-9453-fc36ba051781_story.html |access-date=24 March 2023 |newspaper=The Washington Post |archive-date=December 29, 2022 |archive-url=https://web.archive.org/web/20221229144433/https://www.washingtonpost.com/national-security/ruusian-hackers-outsmarted-us-defenses/2020/12/15/3deed840-3f11-11eb-9453-fc36ba051781_story.html |url-status=live }}
FBI investigators in February 2021 found that a separate flaw in software made by SolarWinds Corp was used by hackers tied to another foreign government to help break into U.S. government computers.{{Cite news|last=Menn|first=Christopher Bing, Jack Stubbs, Raphael Satter, Joseph|date=2021-02-03|title=Exclusive: Suspected Chinese hackers used SolarWinds bug to spy on U.S. payroll agency – sources|language=en|work=Reuters|url=https://www.reuters.com/article/us-cyber-solarwinds-china-exclusive-idUSKBN2A22K8|access-date=2021-02-08|archive-date=May 5, 2021|archive-url=https://web.archive.org/web/20210505133732/https://www.reuters.com/article/us-cyber-solarwinds-china-exclusive-idUSKBN2A22K8|url-status=live}}
===Microsoft exploits===
{{blockquote|If you think about data that is only available to the CEO, or data that is only available to IT services, [the attacker would get] all of this data.|author=Sami Ruohonen|source=F-Secure}}
The attackers exploited flaws in Microsoft products, services, and software distribution infrastructure.
In a separate supply chain attack, at least one reseller of Microsoft cloud services was compromised, which gave the attackers access to the Microsoft cloud services used by the reseller's customers.
Alongside this, "Zerologon", a vulnerability in the Microsoft authentication protocol NetLogon, allowed attackers to access all valid usernames and passwords in each Microsoft network that they breached.{{cite web|url=https://www.cyberscoop.com/cisa-netlogon-microsoft-vulnerability-emergency/|title=CISA orders agencies to quickly patch critical Netlogon bug|date=September 21, 2020|website=CyberScoop|access-date=December 18, 2020|archive-date=October 30, 2020|archive-url=https://web.archive.org/web/20201030201359/https://www.cyberscoop.com/cisa-netlogon-microsoft-vulnerability-emergency/|url-status=live |first=Sean |last=Lyngaas}} This allowed them to access additional credentials necessary to assume the privileges of any legitimate user of the network, which in turn allowed them to compromise Microsoft Office 365 email accounts.
Additionally, a flaw in Microsoft's Outlook Web App may have allowed attackers to bypass multi-factor authentication.
Attackers were found to have broken into Microsoft Office 365 in a way that allowed them to monitor NTIA and Treasury staff emails for several months.{{cite news |date=December 13, 2020 |title=Russian government hackers behind breach at US treasury and commerce departments |website=The Independent |url=https://www.independent.co.uk/news/world/americas/us-politics/us-treasury-hackers-breach-trump-russia-b1772639.html |url-status=live |access-date=December 14, 2020 |archive-url=https://web.archive.org/web/20201213233930/https://www.independent.co.uk/news/world/americas/us-politics/us-treasury-hackers-breach-trump-russia-b1772639.html |archive-date=December 13, 2020 |first=Graeme |last=Massie |location=Los Angeles}} This attack apparently used counterfeit identity tokens of some kind, allowing the attackers to trick Microsoft's authentication systems.{{cite web|url=https://news.sky.com/story/foreign-government-hacked-into-us-treasury-departments-emails-reports-12160763|title=Foreign government hacked into US Treasury Department's emails – reports|publisher=Sky News|access-date=December 14, 2020|archive-date=December 14, 2020|archive-url=https://web.archive.org/web/20201214032244/https://news.sky.com/story/foreign-government-hacked-into-us-treasury-departments-emails-reports-12160763|url-status=live}} The presence of single sign-on infrastructure increased the viability of the attack.
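The counterfeit tokens described here, and the hunt for SAML signing certificates described in the SolarWinds section above, share one defensive consequence: a token signed with a genuine but stolen federation key passes signature validation, so it has to be found by correlating what the cloud side accepted against what the on-premises federation server actually issued. The following Python is an added example, not code from the article or from Microsoft; the log formats, field names, thumbprint and lifetime policy are assumptions, and every log record is constructed.

```python
from datetime import datetime, timedelta

# Thumbprint of the token-signing certificate registered with the cloud tenant
# (constructed placeholder, not a real thumbprint).
TRUSTED_SIGNING_KEY = "SHA1:AA11BB22CC33DD44EE55"

# Assumed policy: the federation server never issues tokens valid for longer
# than this, so anything longer did not come from it in the normal way.
MAX_TOKEN_LIFETIME = timedelta(hours=1)

# Constructed sample: what the on-premises federation server recorded issuing.
FEDERATION_ISSUANCE_LOG = [
    {"assertion_id": "a-1001", "user": "alice@example.test", "issued_at": "2020-06-01T09:00:00"},
    {"assertion_id": "a-1002", "user": "bob@example.test", "issued_at": "2020-06-01T09:05:00"},
]

# Constructed sample: what the cloud identity provider accepted. a-9001 is
# signed with the genuine (stolen) key, so signature validation passes; it is
# only visible because the federation server never issued it and its validity
# window is far longer than policy allows. a-9002 is signed with a key the
# tenant never registered.
CLOUD_SIGNIN_LOG = [
    {"assertion_id": "a-1001", "user": "alice@example.test", "signing_key": TRUSTED_SIGNING_KEY,
     "not_before": "2020-06-01T09:00:00", "not_after": "2020-06-01T10:00:00"},
    {"assertion_id": "a-1002", "user": "bob@example.test", "signing_key": TRUSTED_SIGNING_KEY,
     "not_before": "2020-06-01T09:05:00", "not_after": "2020-06-01T10:05:00"},
    {"assertion_id": "a-9001", "user": "ceo@example.test", "signing_key": TRUSTED_SIGNING_KEY,
     "not_before": "2020-06-01T09:10:00", "not_after": "2020-06-08T09:10:00"},
    {"assertion_id": "a-9002", "user": "it-admin@example.test", "signing_key": "SHA1:0000000000DEADBEEF00",
     "not_before": "2020-06-01T09:12:00", "not_after": "2020-06-01T09:42:00"},
]


def _lifetime(record):
    """Validity window of an accepted token, computed from its ISO-8601 bounds."""
    return datetime.fromisoformat(record["not_after"]) - datetime.fromisoformat(record["not_before"])


def find_suspicious_tokens(issuance_log, signin_log,
                           trusted_key=TRUSTED_SIGNING_KEY,
                           max_lifetime=MAX_TOKEN_LIFETIME):
    """Return [(assertion_id, [reasons])] for accepted tokens that need investigation.

    Three independent checks, because a token forged with the genuine key
    fails only the last two:
      1. the signing key is not the one registered with the tenant;
      2. the federation server has no issuance record for this assertion/user;
      3. the validity window exceeds the configured maximum lifetime.
    """
    issued = {(rec["assertion_id"], rec["user"]) for rec in issuance_log}
    findings = []
    for rec in signin_log:
        reasons = []
        if rec["signing_key"] != trusted_key:
            reasons.append("signed with a key not registered for the tenant")
        if (rec["assertion_id"], rec["user"]) not in issued:
            reasons.append("no matching issuance event on the federation server")
        lifetime = _lifetime(rec)
        if lifetime > max_lifetime:
            reasons.append(f"validity window {lifetime} exceeds policy maximum {max_lifetime}")
        if reasons:
            findings.append((rec["assertion_id"], reasons))
    return findings


if __name__ == "__main__":
    for assertion_id, reasons in find_suspicious_tokens(FEDERATION_ISSUANCE_LOG, CLOUD_SIGNIN_LOG):
        print(assertion_id, "->", "; ".join(reasons))
```

The correlation in check 2 only works if the federation server's issuance log is retained for as long as the cloud sign-in log, which is the gap most often found in practice.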
===VMware exploits===
Vulnerabilities in VMware Access and VMware Identity Manager, allowing existing network intruders to pivot and gain persistence, were utilized in 2020 by Russian state-sponsored attackers.{{cite news |url=https://www.bloomberg.com/news/articles/2020-12-18/vmware-falls-on-report-its-software-led-to-solarwinds-breach |title=VMware Falls on Report Its Software Led to SolarWinds Breach |newspaper=Bloomberg.com |date=December 18, 2020 |access-date=December 18, 2020 |first1=Dina |last1=Bass |first2=Jeran |last2=Wittenstein |archive-date=March 26, 2021 |archive-url=https://web.archive.org/web/20210326140153/https://www.bloomberg.com/news/articles/2020-12-18/vmware-falls-on-report-its-software-led-to-solarwinds-breach |url-status=live }} As of December 18, 2020, while it was definitively known that the SUNBURST trojan would have provided suitable access to exploit the VMware bugs, it was not yet definitively known whether attackers had in fact chained those two exploits in the wild.
==Discovery==
===SolarWinds exploit===
On December 8, 2020, the cybersecurity firm FireEye announced that red team tools had been stolen from it by what it believed to be a state-sponsored attacker.{{cite web |last1=Fireeye |title=Unauthorized Access of FireEye Red Team Tools |url=https://www.mandiant.com/resources/blog/unauthorized-access-of-fireeye-red-team-tools |website=Mandiant Blog |publisher=Fireeye (Mandiant) |access-date=18 September 2023}}{{cite web|title=Hackers backed by foreign government reportedly steal info from US Treasury|url=https://www.timesofisrael.com/hackers-backed-by-foreign-government-reportedly-steal-info-from-us-treasury/|url-status=live|archive-url=https://web.archive.org/web/20201214031245/https://www.timesofisrael.com/hackers-backed-by-foreign-government-reportedly-steal-info-from-us-treasury/|archive-date=December 14, 2020|access-date=December 14, 2020|website=The Times of Israel |date=13 December 2020}}{{cite news|last1=Sanger|first1=David E.|last2=Perlroth|first2=Nicole|date=December 8, 2020|title=FireEye, a Top Cybersecurity Firm, Says It Was Hacked by a Nation-State|work=The New York Times|url=https://www.nytimes.com/2020/12/08/technology/fireeye-hacked-russians.html|url-status=live|access-date=December 15, 2020|archive-url=https://web.archive.org/web/20201215184304/https://www.nytimes.com/2020/12/08/technology/fireeye-hacked-russians.html|archive-date=December 15, 2020}}{{cite web|date=December 9, 2020|title=US cybersecurity firm FireEye says it was hacked by foreign government|url=http://www.theguardian.com/technology/2020/dec/08/fireeye-hack-cybersecurity-theft|url-status=live|archive-url=https://web.archive.org/web/20201216014233/https://www.theguardian.com/technology/2020/dec/08/fireeye-hack-cybersecurity-theft|archive-date=December 16, 2020|access-date=December 15, 2020|website=The Guardian}} FireEye was believed to be a target of the SVR, Russia's Foreign Intelligence Service.{{cite web|title=Federal government breached by Russian hackers who targeted 
FireEye|url=https://www.nbcnews.com/news/us-news/russian-hackers-breach-u-s-government-effort-aimed-agencies-private-n1251057|url-status=live|archive-url=https://web.archive.org/web/20201214024737/https://www.nbcnews.com/news/us-news/russian-hackers-breach-u-s-government-effort-aimed-agencies-private-n1251057|archive-date=December 14, 2020|access-date=December 14, 2020|work=NBC News|date=December 14, 2020 }}{{cite magazine|title=Russia's FireEye Hack Is a Statement—but Not a Catastrophe|url=https://www.wired.com/story/russia-fireeye-hack-statement-not-catastrophe/|url-status=live|archive-url=https://web.archive.org/web/20201216000225/https://www.wired.com/story/russia-fireeye-hack-statement-not-catastrophe/|archive-date=December 16, 2020|access-date=December 17, 2020|magazine=Wired |first=Lily Hay |last=Newman |date=8 December 2020}} FireEye says that it discovered the SolarWinds supply chain attack in the course of investigating FireEye's own breach and tool theft.{{cite web|date=December 15, 2020|title=Suspected Russia SolarWinds hack exposed after FireEye cybersecurity firm found "backdoor"|url=https://www.newsweek.com/solarwinds-russia-hack-cyberattack-fireeye-software-malware-backdoor-cybersecurity-1554730|url-status=live|archive-url=https://web.archive.org/web/20201216043909/https://www.newsweek.com/solarwinds-russia-hack-cyberattack-fireeye-software-malware-backdoor-cybersecurity-1554730|archive-date=December 16, 2020|access-date=December 16, 2020|website=Newsweek |first=Jason |last=Murdock}}{{cite web|date=December 13, 2020|title=Highly Evasive Attacker Leverages SolarWinds Supply Chain to Compromise Multiple Global Victims With SUNBURST 
Backdoor|url=https://www.fireeye.com/blog/threat-research/2020/12/evasive-attacker-leverages-solarwinds-supply-chain-compromises-with-sunburst-backdoor.html|url-status=live|archive-url=https://web.archive.org/web/20201215110129/https://www.fireeye.com/blog/threat-research/2020/12/evasive-attacker-leverages-solarwinds-supply-chain-compromises-with-sunburst-backdoor.html|archive-date=December 15, 2020|access-date=December 15, 2020|website=FireEye}}
After discovering that attack, FireEye reported it to the U.S. National Security Agency (NSA), a federal agency responsible for helping to defend the U.S. from cyberattacks. The NSA is not known to have been aware of the attack before being notified by FireEye. The NSA uses SolarWinds software itself.
Some days later, on December 13, when breaches at the Treasury and Department of Commerce were publicly confirmed to exist, sources said that the FireEye breach was related. On December 15, FireEye confirmed that the vector used to attack the Treasury and other government departments was the same one that had been used to attack FireEye: a trojaned software update for SolarWinds Orion.{{cite web|last=Paul|first=Kari|date=December 15, 2020|title=What you need to know about the biggest hack of the US government in years|url=https://www.theguardian.com/technology/2020/dec/15/orion-hack-solar-winds-explained-us-treasury-commerce-department|url-status=live|archive-url=https://web.archive.org/web/20201216090102/https://www.theguardian.com/technology/2020/dec/15/orion-hack-solar-winds-explained-us-treasury-commerce-department|archive-date=December 16, 2020|access-date=December 16, 2020|work=The Guardian}}
The security community shifted its attention to Orion. The infected versions were found to be 2019.4 through 2020.2.1 HF1, released between March 2020 and June 2020. FireEye named the malware SUNBURST.{{cite web|date=December 14, 2020|title=Microsoft, FireEye confirm SolarWinds supply chain attack|url=https://www.zdnet.com/article/microsoft-fireeye-confirm-solarwinds-supply-chain-attack/|url-status=live|archive-url=https://web.archive.org/web/20201216173348/https://www.zdnet.com/article/microsoft-fireeye-confirm-solarwinds-supply-chain-attack/|archive-date=December 16, 2020|access-date=December 16, 2020|publisher=ZDNet |first=Catalin |last=Cimpanu}}{{cite web|date=December 16, 2020|title=Sunburst Trojan – What You Need to Know|url=https://www.deepinstinct.com/2020/12/16/sunburst-trojan-what-you-need-to-know/|url-status=live|archive-url=https://web.archive.org/web/20201218062210/https://www.deepinstinct.com/2020/12/16/sunburst-trojan-what-you-need-to-know/|archive-date=December 18, 2020|access-date=December 17, 2020|website=Deep Instinct |first=Bar |last=Block}} Microsoft called it Solorigate. 
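As an added example (not code from the article or from SolarWinds), the following Python triages a constructed host inventory against the trojaned version range stated above, treating 2019.4 through 2020.2.1 HF1 as inclusive at both ends; the version grammar `<year>.<minor>[.<patch>][ HF<n>]`, with a hotfix sorting after its base build, is an assumption.

```python
import re

# Assumed grammar: "<year>.<minor>[.<patch>][ HF<n>]"; a hotfix sorts after
# its base build, and a missing patch component is treated as 0.
_VERSION_RE = re.compile(r"^\s*(\d+(?:\.\d+){1,2})\s*(?:HF\s*(\d+))?\s*$", re.IGNORECASE)


def parse_orion_version(text):
    """Return a sortable ((year, minor, patch), hotfix) tuple, or raise ValueError."""
    match = _VERSION_RE.match(text)
    if not match:
        raise ValueError(f"unrecognised Orion version string: {text!r}")
    parts = [int(p) for p in match.group(1).split(".")]
    while len(parts) < 3:
        parts.append(0)
    hotfix = int(match.group(2)) if match.group(2) else 0
    return (tuple(parts), hotfix)


# Range of trojaned releases as given in the article (inclusive at both ends).
TROJANED_LOW = parse_orion_version("2019.4")
TROJANED_HIGH = parse_orion_version("2020.2.1 HF1")


def is_trojaned_build(version_text):
    """True if the build falls inside the trojaned range."""
    return TROJANED_LOW <= parse_orion_version(version_text) <= TROJANED_HIGH


def triage_inventory(lines):
    """Split 'hostname,version' lines into (affected, unaffected, unparseable) host lists."""
    affected, unaffected, unparseable = [], [], []
    for line in lines:
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        host, _, version = line.partition(",")
        try:
            (affected if is_trojaned_build(version) else unaffected).append(host)
        except ValueError:
            # Unknown format: verify by hand rather than assuming the host is clean.
            unparseable.append(host)
    return affected, unaffected, unparseable


# Constructed sample inventory (hostnames and version assignments are made up).
SAMPLE_INVENTORY = """
# host,orion_version
orion-prod-01,2020.2.1 HF1
orion-prod-02,2020.2.1 HF2
orion-lab-01,2019.4 HF5
orion-lab-02,2018.4
orion-old-01,2020.2
orion-odd-01,unknown
""".splitlines()

if __name__ == "__main__":
    affected, unaffected, unparseable = triage_inventory(SAMPLE_INVENTORY)
    print("affected:", affected)
    print("unaffected:", unaffected)
    print("verify manually:", unparseable)
```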
The tool that the attackers used to insert SUNBURST into Orion updates was later isolated by cybersecurity firm CrowdStrike, who called it SUNSPOT.{{cite web | last=Cimpanu | first=Catalin | title=Third malware strain discovered in SolarWinds supply chain attack | website=ZDNet | date=2021-01-12 | url=https://www.zdnet.com/article/third-malware-strain-discovered-in-solarwinds-supply-chain-attack/ | access-date=2021-01-13 | archive-date=March 18, 2021 | archive-url=https://web.archive.org/web/20210318190718/https://www.zdnet.com/article/third-malware-strain-discovered-in-solarwinds-supply-chain-attack/ | url-status=live }}{{cite web | last=Gatlan | first=Sergiu | title=New Sunspot malware found while investigating SolarWinds hack | website=BleepingComputer | date=2021-01-12 | url=https://www.bleepingcomputer.com/news/security/new-sunspot-malware-found-while-investigating-solarwinds-hack/ | access-date=2021-01-13 | archive-date=May 29, 2021 | archive-url=https://web.archive.org/web/20210529185400/https://www.bleepingcomputer.com/news/security/new-sunspot-malware-found-while-investigating-solarwinds-hack/ | url-status=live }}{{cite web | last=Corfield | first=Gareth | title=SolarWinds malware was sneaked out of the firm's Orion build environment 6 months before anyone realised it was there – report | website=The Register | date=2021-01-12 | url=https://www.theregister.com/2021/01/12/solarwinds_tech_analysis_crowdstrike/ | access-date=2021-01-13 | archive-date=March 2, 2021 | archive-url=https://web.archive.org/web/20210302073707/https://www.theregister.com/2021/01/12/solarwinds_tech_analysis_crowdstrike/ | url-status=live }}
Subsequent analysis of the SolarWinds compromise using DNS data and reverse engineering of Orion binaries, by DomainTools and ReversingLabs respectively, revealed additional details about the attacker's timeline.
July 2021 analysis published by the Google Threat Analysis Group found that a "likely Russian government-backed actor" exploited a zero-day vulnerability in fully-updated iPhones to steal authentication credentials by sending messages to government officials on LinkedIn.{{Cite web|url=https://arstechnica.com/gadgets/2021/07/solarwinds-hackers-used-an-ios-0-day-to-steal-google-and-microsoft-credentials/|title=iOS zero-day let SolarWinds hackers compromise fully updated iPhones|first=Dan|last=Goodin|date=July 14, 2021|website=Ars Technica|access-date=July 15, 2021|archive-date=July 15, 2021|archive-url=https://web.archive.org/web/20210715190950/https://arstechnica.com/gadgets/2021/07/solarwinds-hackers-used-an-ios-0-day-to-steal-google-and-microsoft-credentials/|url-status=live}}
===Microsoft exploits===
During 2019 and 2020, cybersecurity firm Volexity discovered an attacker making suspicious use of Microsoft products within the network of a think tank whose identity has not been publicly revealed.{{cite web |url=https://www.volexity.com/blog/2020/12/14/dark-halo-leverages-solarwinds-compromise-to-breach-organizations/ |title=Dark Halo Leverages SolarWinds Compromise to Breach Organizations |publisher=Volexity |first1=Damien |last1=Cash |first2=Matthew |last2=Meltzer |first3=Sean |last3=Koessel |first4=Steven |last4=Adair |first5=Thomas |last5=Lancaster |date=14 December 2020 |access-date=December 18, 2020 |archive-date=May 31, 2021 |archive-url=https://web.archive.org/web/20210531210132/https://www.volexity.com/blog/2020/12/14/dark-halo-leverages-solarwinds-compromise-to-breach-organizations/ |url-status=live }} The attacker exploited a vulnerability in the organization's Microsoft Exchange Control Panel and used a novel method to bypass multi-factor authentication. Later, in June and July 2020, Volexity observed the attacker using the SolarWinds Orion trojan; that is, the attacker used Microsoft vulnerabilities initially and the SolarWinds supply chain attack later on to achieve their goals. Volexity said it was not able to identify the attacker.
Also in 2020, Microsoft detected attackers using Microsoft Azure infrastructure in an attempt to access emails belonging to CrowdStrike. That attack failed because, for security reasons, CrowdStrike does not use Office 365 for email.{{Cite web|url=https://www.cyberscoop.com/crowdstrike-solarwinds-targeted-microsoft/|title=Microsoft alerts CrowdStrike of hackers' attempted break-in|date=December 24, 2020|website=CyberScoop|first=Shannon|last=Vavra|access-date=December 25, 2020|archive-date=January 4, 2021|archive-url=https://web.archive.org/web/20210104121515/https://www.cyberscoop.com/crowdstrike-solarwinds-targeted-microsoft/|url-status=live}}
Separately, in or shortly before October 2020, Microsoft Threat Intelligence Center reported that an apparently state-sponsored attacker had been observed exploiting Zerologon, a vulnerability in Microsoft's NetLogon protocol. This was reported to CISA, which issued an alert on October 22, 2020, specifically warning state, local, territorial and tribal governments to search for indicators of compromise, and instructing them to rebuild their networks from scratch if compromised.{{cite web|url=https://us-cert.cisa.gov/ncas/alerts/aa20-296a|title=Russian State-Sponsored Advanced Persistent Threat Actor Compromises U.S. Government Targets|publisher=CISA|date=1 December 2020|access-date=December 18, 2020|archive-date=May 20, 2021|archive-url=https://web.archive.org/web/20210520172150/https://us-cert.cisa.gov/ncas/alerts/aa20-296a|url-status=live}} Using VirusTotal, The Intercept discovered continued indicators of compromise in December 2020, suggesting that the attacker might still be active in the network of the city government of Austin, Texas.
===VMware exploits===
Some time before December 3, 2020, the NSA discovered and notified VMware of vulnerabilities in VMware Access and VMware Identity Manager. VMware released patches on December 3, 2020. On December 7, 2020, the NSA published an advisory warning customers to apply the patches because the vulnerabilities were being actively exploited by Russian state-sponsored attackers.{{cite web|date=2020-12-07|access-date=2020-12-19|url=https://arstechnica.com/information-technology/2020/12/nsa-says-russian-state-hackers-are-using-a-vmware-flaw-to-ransack-networks/|title=NSA says Russian state hackers are using a VMware flaw to ransack networks|first=Dan|last=Goodin|work=Ars Technica|archive-date=April 21, 2021|archive-url=https://web.archive.org/web/20210421031602/https://arstechnica.com/information-technology/2020/12/nsa-says-russian-state-hackers-are-using-a-vmware-flaw-to-ransack-networks/|url-status=live}}
==Responsibility==
===Conclusions by investigators===
SolarWinds said it believed the malware insertion into Orion was performed by a foreign nation.{{cite web|url=https://www.chron.com/news/article/Explainer-How-bad-is-the-hack-that-targeted-US-15800740.php|title=EXPLAINER: How bad is the hack that targeted US agencies?|first1=Matt|last1=O'Brien|first2=Frank|last2=Bajak|date=December 15, 2020|website=Houston Chronicle|access-date=December 15, 2020|archive-date=December 14, 2020|archive-url=https://web.archive.org/web/20201214232009/https://www.chron.com/news/article/Explainer-How-bad-is-the-hack-that-targeted-US-15800740.php|url-status=live}} Russian-sponsored hackers were suspected to be responsible.{{cite web|url=https://www.japantimes.co.jp/news/2020/12/14/world/us-treasury-hack/|title=Russian-sponsored hackers behind broad security breach of U.S. agencies: sources|first=Christopher|last=Bing|date=December 14, 2020|website=The Japan Times|access-date=December 14, 2020|archive-date=December 14, 2020|archive-url=https://web.archive.org/web/20201214010144/https://www.japantimes.co.jp/news/2020/12/14/world/us-treasury-hack/|url-status=live}}{{cite news|url=https://www.reuters.com/article/us-usa-cyber-treasury-exclsuive-idUSKBN28N0PG|title=Suspected Russian hackers spied on U.S. Treasury emails – sources|first=Christopher|last=Bing|date=December 14, 2020|work=Reuters|access-date=December 14, 2020|archive-date=December 14, 2020|archive-url=https://web.archive.org/web/20201214025738/https://www.reuters.com/article/us-usa-cyber-treasury-exclsuive-idUSKBN28N0PG|url-status=live}} U.S. 
officials stated that the specific groups responsible were probably the SVR or Cozy Bear (also known as APT29).{{cite news |archive-url=https://web.archive.org/web/20201213220635/https://www.washingtonpost.com/national-security/russian-government-spies-are-behind-a-broad-hacking-campaign-that-has-breached-us-agencies-and-a-top-cyber-firm/2020/12/13/d5a53b88-3d7d-11eb-9453-fc36ba051781_story.html |archive-date=December 13, 2020| url=https://www.washingtonpost.com/national-security/russian-government-spies-are-behind-a-broad-hacking-campaign-that-has-breached-us-agencies-and-a-top-cyber-firm/2020/12/13/d5a53b88-3d7d-11eb-9453-fc36ba051781_story.html |title=Russian government spies are behind a broad hacking campaign that has breached U.S. agencies and a top cyber firm |last=Nakashima |first=Ellen |date= December 13, 2020|newspaper=The Washington Post|access-date=December 14, 2020}} FireEye gave the suspects the placeholder name "UNC2452";{{cite web|url=https://arstechnica.com/information-technology/2020/12/18000-organizations-downloaded-backdoor-planted-by-cozy-bear-hackers/|title=~18,000 organizations downloaded backdoor planted by Cozy Bear hackers|first=Dan|last=Goodin|date=December 14, 2020|website=Ars Technica|access-date=December 17, 2020|archive-date=December 16, 2020|archive-url=https://web.archive.org/web/20201216194610/https://arstechnica.com/information-technology/2020/12/18000-organizations-downloaded-backdoor-planted-by-cozy-bear-hackers/|url-status=live}} incident response firm Volexity called them "Dark Halo".{{cite web|url=https://www.securityweek.com/group-behind-solarwinds-hack-bypassed-mfa-access-emails-us-think-tank|title=Group Behind SolarWinds Hack Bypassed MFA to Access Emails at US Think Tank|website=SecurityWeek.com|access-date=December 17, 2020|archive-date=December 16, 2020|archive-url=https://web.archive.org/web/20201216144033/https://www.securityweek.com/group-behind-solarwinds-hack-bypassed-mfa-access-emails-us-think-tank|url-status=live 
|date=15 December 2020 |first=Eduard |last=Kovacs}} On December 23, 2020, the CEO of FireEye said Russia was the most likely culprit and the attacks were "very consistent" with the SVR.{{Cite web|url=https://defensesystems.com/articles/2020/12/23/solarwinds-hack-impact.aspx|title=50 orgs 'genuinely impacted' by SolarWinds hack, FireEye chief says|first1=Justin|last1=Katz|date=2020-12-23|website=Defense Systems|access-date=December 23, 2020|archive-date=March 9, 2021|archive-url=https://web.archive.org/web/20210309210803/https://defensesystems.com/articles/2020/12/23/solarwinds-hack-impact.aspx|url-status=dead}} One security researcher gives February 27, 2020 as the likely date on which the operation began, with a significant change in its character on October 30, 2020.{{cite web |last1=Slowik |first1=Joe |title=Unraveling Network Infrastructure Linked to the SolarWinds Hack |url=https://www.domaintools.com/resources/blog/unraveling-network-infrastructure-linked-to-the-solarwinds-hack/ |website=DomainTools |access-date=24 March 2023 |date=14 December 2020 |archive-date=December 6, 2022 |archive-url=https://web.archive.org/web/20221206044010/https://www.domaintools.com/resources/blog/unraveling-network-infrastructure-linked-to-the-solarwinds-hack/ |url-status=live }}
In January 2021, cybersecurity firm Kaspersky said SUNBURST resembles the malware Kazuar, which is believed to have been created by Turla,{{cite web | title=SolarWinds malware has "curious" ties to Russian-speaking hackers | website=Ars Technica | date=2021-01-11 | url=https://arstechnica.com/information-technology/2021/01/solarwinds-malware-has-curious-ties-to-russian-speaking-hackers/ | access-date=2021-01-13 | first=Dan | last=Goodin | archive-date=April 6, 2021 | archive-url=https://web.archive.org/web/20210406201740/https://arstechnica.com/information-technology/2021/01/solarwinds-malware-has-curious-ties-to-russian-speaking-hackers/ | url-status=live }}{{cite web | last=Corfield | first=Gareth | title=Kaspersky Lab autopsies evidence on SolarWinds hack | website=The Register | date=2021-01-12 | url=https://www.theregister.com/2021/01/12/solarwinds_russia_kaspersky/ | access-date=2021-01-13 | archive-date=May 18, 2021 | archive-url=https://web.archive.org/web/20210518193533/https://www.theregister.com/2021/01/12/solarwinds_russia_kaspersky/ | url-status=live }}{{cite magazine | last=Greenberg | first=Andy | title=SolarWinds Hackers Shared Tricks With Known Russian Cyberspies | magazine=Wired | url=https://www.wired.com/story/solarwinds-russia-hackers-turla-malware/ | access-date=2021-01-13 | date=2021-01-11 | archive-date=March 5, 2021 | archive-url=https://web.archive.org/web/20210305044241/https://www.wired.com/story/solarwinds-russia-hackers-turla-malware/ | url-status=live }} a group known since 2008 that Estonian intelligence has previously linked to Russia's Federal Security Service (FSB).{{cite web | last=Roth | first=Andrew | title=Global cyber-espionage campaign linked to Russian spying tools | website=The Guardian | date=2021-01-11 | url=http://www.theguardian.com/world/2021/jan/11/solarwinds-hack-russian-spying-tools-hackers-malware-fsb | access-date=2021-01-13 | archive-date=April 13, 2021 | 
archive-url=https://web.archive.org/web/20210413142357/https://www.theguardian.com/world/2021/jan/11/solarwinds-hack-russian-spying-tools-hackers-malware-fsb | url-status=live }}{{Cite web|last=Castronuovo|first=Celine|date=2021-02-02|title=US payroll agency targeted by Chinese hackers: report|url=https://thehill.com/policy/cybersecurity/537067-us-payroll-agency-targeted-by-chinese-hackers-report|access-date=2021-02-10|website=TheHill|language=en|archive-date=February 12, 2021|archive-url=https://web.archive.org/web/20210212154115/https://thehill.com/policy/cybersecurity/537067-us-payroll-agency-targeted-by-chinese-hackers-report|url-status=live}}
===Statements by U.S. government officials===
On October 22, 2020, CISA and the FBI identified the attacker exploiting Microsoft's Zerologon vulnerability as Berserk Bear, a state-sponsored group believed to be part of Russia's FSB.
On December 18, U.S. Secretary of State Mike Pompeo said Russia was "pretty clearly" responsible for the cyber attack.{{Cite web|date=December 19, 2020|title=Trump downplays government hack after Pompeo blames it on Russia|url=http://www.theguardian.com/us-news/2020/dec/19/mike-pompeo-we-can-say-pretty-clearly-russia-behind-hack-us-agencies|website=The Guardian|first=Martin|last=Pengelly|location=New York|access-date=December 19, 2020|archive-date=March 8, 2021|archive-url=https://web.archive.org/web/20210308003557/https://www.theguardian.com/us-news/2020/dec/19/mike-pompeo-we-can-say-pretty-clearly-russia-behind-hack-us-agencies|url-status=live}}{{Cite web|last=Byrnes|first=Jesse|date=December 19, 2020|title=Pompeo: Russia 'pretty clearly' behind massive cyberattack|url=https://thehill.com/homenews/administration/530962-pompeo-russia-pretty-clearly-behind-massive-cyberattack|website=The Hill|access-date=December 19, 2020|archive-date=March 2, 2021|archive-url=https://web.archive.org/web/20210302064712/https://thehill.com/homenews/administration/530962-pompeo-russia-pretty-clearly-behind-massive-cyberattack|url-status=live}}{{Cite web|date=December 19, 2020|title=Trump downplays massive US cyberattack, points to China|url=https://www.dw.com/en/trump-downplays-massive-us-cyberattack-points-to-china/a-55996519|work=Deutsche Welle|access-date=December 19, 2020|archive-date=March 3, 2021|archive-url=https://web.archive.org/web/20210303031911/https://www.dw.com/en/trump-downplays-massive-us-cyberattack-points-to-china/a-55996519|url-status=live}}
On December 19, U.S. president Donald Trump publicly addressed the attacks for the first time, downplaying their severity and suggesting without evidence that China, rather than Russia, might be responsible.{{Cite web|last=Axelrod|first=Tal|date=December 19, 2020|title=Trump downplays impact of hack, questions whether Russia involved|url=https://thehill.com/homenews/administration/530982-trump-downplays-impact-of-government-hack-in-first-public-remarks|website=The Hill|quote=“The Cyber Hack is far greater in the Fake News Media than in actuality. I have been fully briefed and everything is well under control. Russia, Russia, Russia is the priority chant when anything happens because Lamestream is, for mostly financial reasons, petrified of discussing the possibility that it may be China (it may!),” Trump tweeted.|access-date=December 19, 2020|archive-date=April 26, 2021|archive-url=https://web.archive.org/web/20210426024024/https://thehill.com/homenews/administration/530982-trump-downplays-impact-of-government-hack-in-first-public-remarks|url-status=live}}{{Cite web|last1=Stracqualursi|first1=Veronica|last2=Liptak|first2=Kevin|last3=Hansler|first3=Jennifer|date=19 December 2020|title=Trump downplays massive cyber hack on government after Pompeo links attack to Russia|url=https://www.cnn.com/2020/12/19/politics/pompeo-us-government-hack-russia/index.html|access-date=19 December 2020|website=CNN|archive-date=May 13, 2021|archive-url=https://web.archive.org/web/20210513100934/https://www.cnn.com/2020/12/19/politics/pompeo-us-government-hack-russia/index.html|url-status=live}} The same day, Republican senator Marco Rubio, acting chair of the Senate Intelligence Committee, said it was "increasingly clear that Russian intelligence conducted the gravest cyber intrusion in our history."{{Cite news|url=https://www.bbc.com/news/world-us-canada-55386947|title=US cyber-attack: Around 50 firms 'genuinely impacted' by massive breach|work=BBC News|date=December 20, 2020|access-date=December 21, 2020|archive-date=March 11, 2021|archive-url=https://web.archive.org/web/20210311010606/https://www.bbc.com/news/world-us-canada-55386947|url-status=live}}
On December 20, Democratic senator Mark Warner, briefed on the incident by intelligence officials, said "all indications point to Russia."{{Cite web|url=https://www.latimes.com/world-nation/story/2020-12-20/lawmakers-experts-baffled-trump-brushes-off-suspected-russian-hack|title=Trump finds himself isolated in refusal to blame Russia for big cyberattack|date=December 20, 2020|website=Los Angeles Times|access-date=December 21, 2020|first1=Laura|last1=King|first2=Del Quentin|last2=Wilber|archive-date=February 22, 2021|archive-url=https://web.archive.org/web/20210222194616/https://www.latimes.com/world-nation/story/2020-12-20/lawmakers-experts-baffled-trump-brushes-off-suspected-russian-hack|url-status=live}}
On December 21, 2020, former Attorney General William Barr said that he agreed with Pompeo's assessment of the origin of the cyberhack and that it "certainly appears to be the Russians," contradicting Trump.{{cite web|last1=Janfaza|first1=Rachel|title=Barr contradicts Trump by saying it 'certainly appears' Russia behind cyberattack|url=https://edition.cnn.com/2020/12/21/politics/william-barr-russia-cyberattack/index.html|website=cnn.com|publisher=CNN|access-date=26 December 2020|date=21 December 2020|archive-date=January 2, 2021|archive-url=https://web.archive.org/web/20210102073855/https://edition.cnn.com/2020/12/21/politics/william-barr-russia-cyberattack/index.html|url-status=live}}{{cite web |last1=Wilkie |first1=Christina |title=Attorney General Barr breaks with Trump, says SolarWinds hack 'certainly appears to be the Russians' |url=https://www.cnbc.com/2020/12/21/barr-says-solarwinds-hack-certainly-appears-to-be-the-russians-.html |website=CNBC |publisher=NBCUniversal News Group |access-date=22 December 2020 |ref=CNBC "Attorney General Barr breaks with Trump, says SolarWinds hack ‘certainly appears to be the Russians’" |language=en |date=21 December 2020 |archive-date=April 12, 2021 |archive-url=https://web.archive.org/web/20210412065610/https://www.cnbc.com/2020/12/21/barr-says-solarwinds-hack-certainly-appears-to-be-the-russians-.html |url-status=live }}
On January 5, 2021, CISA, the FBI, the NSA, and the Office of the Director of National Intelligence all confirmed that they believe Russia was the most likely culprit.{{cite web | title=US: Hack of Federal Agencies 'Likely Russian in Origin' | website=SecurityWeek | date=2021-01-05 | url=https://www.securityweek.com/us-hack-federal-agencies-likely-russian-origin | access-date=2021-01-13 | agency=Associated Press | archive-date=February 11, 2021 | archive-url=https://web.archive.org/web/20210211135215/https://www.securityweek.com/us-hack-federal-agencies-likely-russian-origin | url-status=live }}{{Cite web|url=https://arstechnica.com/tech-policy/2021/01/feds-say-that-russia-was-likely-behind-months-long-hack-of-us-agencies/|title=Bucking Trump, NSA and FBI say Russia was "likely" behind SolarWinds hack|first=Dan|last=Goodin|date=January 6, 2021|website=Ars Technica|access-date=January 11, 2021|archive-date=February 7, 2021|archive-url=https://web.archive.org/web/20210207185808/https://arstechnica.com/tech-policy/2021/01/feds-say-that-russia-was-likely-behind-months-long-hack-of-us-agencies/|url-status=live}}{{cite web | title=Russians are 'likely' perpetrators of US government hack, official report says | website=The Guardian | date=2021-01-05 | url=http://www.theguardian.com/technology/2021/jan/05/russians-likely-perpetrators-us-government-hack | access-date=2021-01-13 | agency=Reuters | archive-date=April 13, 2021 | archive-url=https://web.archive.org/web/20210413142400/https://www.theguardian.com/technology/2021/jan/05/russians-likely-perpetrators-us-government-hack | url-status=live }} On June 10, 2021, FBI Director Christopher Wray attributed the attack to Russia's SVR specifically.{{cite web |url=https://www.fbi.gov/news/testimony/oversight-of-the-federal-bureau-of-investigation-061021 |title=Oversight of the Federal Bureau of Investigation |website=fbi.gov |publisher=Federal Bureau of Investigation |access-date=June 11, 2021 |archive-date=June 10, 2021 |archive-url=https://web.archive.org/web/20210610173806/https://www.fbi.gov/news/testimony/oversight-of-the-federal-bureau-of-investigation-061021 |url-status=live }}
=== Denial of involvement ===
== Impact ==
SolarWinds said that of its 300,000 customers, 33,000 use Orion. Of these, around 18,000 government and private users downloaded compromised versions.{{cite web|url=https://www.zdnet.com/article/sec-filings-solarwinds-says-18000-customers-are-impacted-by-recent-hack/|title=SEC filings: SolarWinds says 18,000 customers were impacted by recent hack|first=Catalin|last=Cimpanu|publisher=ZDNet|access-date=December 15, 2020|archive-date=December 15, 2020|archive-url=https://web.archive.org/web/20201215101510/https://www.zdnet.com/article/sec-filings-solarwinds-says-18000-customers-are-impacted-by-recent-hack/|url-status=live |date=14 December 2020}}
Discovery of the breaches at the U.S. Treasury and Commerce Departments immediately raised concerns that the attackers would attempt to breach other departments, or had already done so.{{cite web|url=http://www.theguardian.com/technology/2020/dec/13/us-treasury-hacked-group-backed-by-foreign-government-report|title=US treasury hacked by foreign government group – report|date=December 13, 2020|website=The Guardian|access-date=December 14, 2020|archive-date=December 14, 2020|archive-url=https://web.archive.org/web/20201214030019/https://www.theguardian.com/technology/2020/dec/13/us-treasury-hacked-group-backed-by-foreign-government-report|url-status=live |agency=Reuters}}{{cite news|url=https://www.reuters.com/article/usa-cyber-treasury-idUSL1N2IT0I8|title=REFILE-EXCLUSIVE-U.S. Treasury breached by hackers backed by foreign government – sources|first=Christopher|last=Bing|date=December 13, 2020|work=Reuters|access-date=December 14, 2020|archive-date=December 14, 2020|archive-url=https://web.archive.org/web/20201214024713/https://www.reuters.com/article/usa-cyber-treasury-idUSL1N2IT0I8|url-status=live}} Further investigation proved these concerns to be well-founded. Within days, additional federal departments were found to have been breached.{{cite web|url=https://talkingpointsmemo.com/news/report-massive-russian-hack-effort-breached-dhs-state-department-and-nih|title=Report: Massive Russian Hack Effort Breached DHS, State Department And NIH|first=Zoë|last=Richards|date=December 15, 2020|website=Talking Points Memo|access-date=December 17, 2020|archive-date=December 15, 2020|archive-url=https://web.archive.org/web/20201215155700/https://talkingpointsmemo.com/news/report-massive-russian-hack-effort-breached-dhs-state-department-and-nih|url-status=live}} Reuters quoted an anonymous U.S. government source as saying: “This is a much bigger story than one single agency. This is a huge cyber espionage campaign targeting the U.S. government and its interests.”
Compromised versions were known to have been downloaded by the Centers for Disease Control and Prevention, the Justice Department, and some utility companies. Other prominent U.S. organizations known to use SolarWinds products, though not necessarily Orion, were the Los Alamos National Laboratory, Boeing, and most Fortune 500 companies.{{cite web|url=https://www.businessinsider.com/list-of-companies-agencies-at-risk-after-solarwinds-hack-2020-12|title=These big firms and US agencies all use software from the company breached in a massive hack being blamed on Russia|first1=Mia|last1=Jankowicz|first2=Charles|last2=Davis|website=Business Insider|access-date=December 16, 2020|archive-date=December 16, 2020|archive-url=https://web.archive.org/web/20201216135705/https://www.businessinsider.com/list-of-companies-agencies-at-risk-after-solarwinds-hack-2020-12|url-status=live |date=14 December 2020}} Outside the U.S., reported SolarWinds clients included parts of the British government, including the Home Office, National Health Service, and signals intelligence agencies; the North Atlantic Treaty Organization (NATO); the European Parliament; and likely AstraZeneca. FireEye said that additional government, consulting, technology, telecom and extractive entities in North America, Europe, Asia and the Middle East may also have been affected.
By manipulating software keys, the hackers were able to access the email system used by the Treasury Department's highest-ranking officials. Although unclassified, this system is highly sensitive because of the Treasury Department's role in making decisions that move the market, as well as decisions on economic sanctions and interactions with the Federal Reserve.{{Cite web|url=https://www.nytimes.com/2020/12/21/us/politics/russia-hack-treasury.html|title=Treasury Department's Senior Leaders Were Targeted by Hacking|first1=David E.|last1=Sanger|first2=Alan|last2=Rappeport|date=December 22, 2020|newspaper=New York Times|access-date=December 23, 2020|archive-date=March 28, 2021|archive-url=https://web.archive.org/web/20210328131812/https://www.nytimes.com/2020/12/21/us/politics/russia-hack-treasury.html|url-status=live}}
Simply downloading a compromised version of Orion was not necessarily sufficient to result in a data breach; each case required further investigation to establish whether a breach had occurred. These investigations were complicated by the fact that the attackers had in some cases removed evidence; by the need to maintain separate secure networks, since organizations' main networks were assumed to be compromised; and by the fact that Orion was itself a network monitoring tool, without which users had less visibility into their networks. As of mid-December 2020, those investigations were ongoing.
As of mid-December 2020, U.S. officials were still investigating what was stolen in the cases where breaches had occurred, and trying to determine how it could be used.{{cite news|url=https://www.independent.co.uk/news/hack-may-have-exposed-deep-us-secrets-damage-yet-unknown-hackers-hackers-donald-trump-government-us-b1774648.html|title=Hack may have exposed deep US secrets; damage yet unknown|date=December 15, 2020|website=The Independent|access-date=December 16, 2020|archive-date=December 18, 2020|archive-url=https://web.archive.org/web/20201218062211/https://www.independent.co.uk/news/hack-may-have-exposed-deep-us-secrets-damage-yet-unknown-hackers-hackers-donald-trump-government-us-b1774648.html|url-status=live |agency=Associated Press}} Commentators said that the information stolen in the attack would increase the perpetrator's influence for years to come.{{cite web|url=https://www.theregister.com/2020/12/15/solar_winds_update/|title=SolarWinds: Hey, only as many as 18,000 customers installed backdoored software linked to US govt hacks|first=Kieren|last=McCarthy|website=The Register|access-date=December 16, 2020|archive-date=December 16, 2020|archive-url=https://web.archive.org/web/20201216222506/https://www.theregister.com/2020/12/15/solar_winds_update/|url-status=live |date=15 December 2020}}{{cite web|url=https://apnews.com/article/us-agencies-hacked-global-cyberspying-328b4936f2535418b27cb90afa858489|title=US agencies, companies secure networks after huge hack|date=December 14, 2020|website=AP NEWS|access-date=December 16, 2020|archive-date=December 18, 2020|archive-url=https://web.archive.org/web/20201218062233/https://apnews.com/article/us-agencies-hacked-global-cyberspying-328b4936f2535418b27cb90afa858489|url-status=live |first1=Ben |last1=Fox |first2=Frank |last2=Bajak}} Possible future uses could include attacks on hard targets like the CIA and NSA,{{How|date=December 2020|title=How would stolen data be used to "attack" CIA and NSA? What does attack mean? Why CIA and NSA?}} or using blackmail to recruit spies.{{cite web|url=https://www.theguardian.com/technology/2020/dec/16/us-institutional-secrets-exposed-hack-russia|title=Deep US institutional secrets may have been exposed in hack blamed on Russia|date=December 16, 2020|work=The Guardian|access-date=December 17, 2020|archive-date=December 17, 2020|archive-url=https://web.archive.org/web/20201217173005/https://www.theguardian.com/technology/2020/dec/16/us-institutional-secrets-exposed-hack-russia|url-status=live}} Cyberconflict professor Thomas Rid said the stolen data would have myriad uses. He added that the amount of data taken was likely to be many times greater than during Moonlight Maze, and if printed would form a stack far taller than the Washington Monument.
Even where data was not exfiltrated, the impact was significant.{{cite web|url=https://www.scmagazine.com/home/security-news/here-are-the-critical-responses-required-of-all-businesses-after-solarwinds-supply-chain-hack/|title=Here are the critical responses required of all businesses after SolarWinds supply-chain hack|website=SC Media|date=December 15, 2020|access-date=December 16, 2020|archive-date=December 16, 2020|archive-url=https://web.archive.org/web/20201216143142/https://www.scmagazine.com/home/security-news/here-are-the-critical-responses-required-of-all-businesses-after-solarwinds-supply-chain-hack/|url-status=live |first=Bradley |last=Barth}} The Cybersecurity and Infrastructure Security Agency (CISA) advised that affected devices be rebuilt from trusted sources, and that all credentials exposed to SolarWinds software should be considered compromised and should therefore be reset.{{cite web|url=https://cyber.dhs.gov/ed/21-01/|title=Emergency Directive 21-01|website=cyber.dhs.gov|date=December 13, 2020 |access-date=December 15, 2020|archive-date=December 15, 2020|archive-url=https://web.archive.org/web/20201215153142/https://cyber.dhs.gov/ed/21-01/|url-status=live}} Anti-malware companies additionally advised searching log files for specific indicators of compromise.{{cite web|url=https://www.technologyreview.com/2020/12/15/1014462/how-russian-hackers-infiltrated-the-us-government-for-months-without-being-spotted/|title=How Russian hackers infiltrated the US government for months without being spotted|website=MIT Technology Review|access-date=December 17, 2020|archive-date=December 18, 2020|archive-url=https://web.archive.org/web/20201218062222/https://www.technologyreview.com/2020/12/15/1014462/how-russian-hackers-infiltrated-the-us-government-for-months-without-being-spotted/|url-status=live |first=Patrick Howell |last=O'Neill |date=15 December 2020}}{{cite web|url=https://blog.malwarebytes.com/threat-analysis/2020/12/advanced-cyber-attack-hits-private-and-public-sector-via-supply-chain-software-update/|title=SolarWinds advanced cyberattack: What happened and what to do now|date=December 14, 2020|website=Malwarebytes Labs|access-date=December 16, 2020|archive-date=December 16, 2020|archive-url=https://web.archive.org/web/20201216164030/https://blog.malwarebytes.com/threat-analysis/2020/12/advanced-cyber-attack-hits-private-and-public-sector-via-supply-chain-software-update/|url-status=live}}{{cite web|url=https://www.trendmicro.com/en_us/research/20/l/overview-of-recent-sunburst-targeted-attacks.html|title=Overview of Recent Sunburst Targeted Attacks|website=Trend Micro|date=December 15, 2020|access-date=December 18, 2020|archive-date=December 15, 2020|archive-url=https://web.archive.org/web/20201215170319/https://www.trendmicro.com/en_us/research/20/l/overview-of-recent-sunburst-targeted-attacks.html|url-status=live}}
However, it appeared that the attackers had deleted or altered records, and may have modified network or system settings in ways that could require manual review.{{cite web |url=https://www.bloomberg.com/news/articles/2020-12-18/hackers-lurking-in-networks-for-months-snarl-solarwinds-probes |title=Hackers' Monthslong Head Start Hamstrings Probe of U.S. Breach |publisher=Bloomberg |date=December 18, 2020 |access-date=December 18, 2020 |first1=Jordan |last1=Robertson |first2=Kartikay |last2=Mehrotra |first3=William |last3=Turton |url-access=subscription |archive-date=April 19, 2021 |archive-url=https://web.archive.org/web/20210419141606/https://www.bloomberg.com/news/articles/2020-12-18/hackers-lurking-in-networks-for-months-snarl-solarwinds-probes |url-status=live }} Former Homeland Security Advisor Thomas P. Bossert warned that it could take years to evict the attackers from US networks, leaving them able to continue to monitor, destroy or tamper with data in the meantime. Harvard's Bruce Schneier and NYU's Pano Yannakogeorgos, founding dean of the Air Force Cyber College, said that affected networks may need to be replaced completely.{{Cite web|url=https://www.independent.co.uk/news/hacked-networks-will-need-to-be-burned-down-to-the-ground-hackers-fireeye-us-networks-networks-b1776430.html |archive-url=https://web.archive.org/web/20201219062717/https://www.independent.co.uk/news/hacked-networks-will-need-to-be-burned-down-to-the-ground-hackers-fireeye-us-networks-networks-b1776430.html |archive-date=2020-12-19 |url-access=limited |url-status=live|title=Hacked networks will need to be burned 'down to the ground'|date=December 18, 2020|website=The Independent |agency=Associated Press}}{{Cite news|url=https://www.reuters.com/article/us-global-cyber-usa-solarwinds/experts-who-wrestled-with-solarwinds-hackers-say-cleanup-could-take-months-or-longer-idUSKBN28Y1K3|title=Experts who wrestled with SolarWinds hackers say cleanup could take months - or longer|first=Raphael|last=Satter|newspaper=Reuters|date=December 24, 2020|access-date=March 25, 2023|archive-date=July 15, 2021|archive-url=https://web.archive.org/web/20210715164546/https://www.reuters.com/article/us-global-cyber-usa-solarwinds/experts-who-wrestled-with-solarwinds-hackers-say-cleanup-could-take-months-or-longer-idUSKBN28Y1K3|url-status=live}}
The Justice Department disclosed in July 2021 that 27 of its federal prosecutors' offices around the country had been affected, including 80% of Microsoft email accounts breached in four New York offices. Two of the offices, in Manhattan and Brooklyn, handle many prominent investigations of white-collar crime, as well as of people close to former president Trump.{{Cite web|url=https://apnews.com/article/technology-europe-russia-election-2020-5486323e455277b39cd3283d70a7fd64|title=Justice Department says Russians hacked federal prosecutors|date=July 31, 2021|website=AP NEWS|first1=Alan|last1=Suderman|first2=Eric|last2=Tucker|access-date=July 31, 2021|archive-date=July 31, 2021|archive-url=https://web.archive.org/web/20210731042032/https://apnews.com/article/technology-europe-russia-election-2020-5486323e455277b39cd3283d70a7fd64|url-status=live}}{{Cite news|url=https://www.nytimes.com/2021/05/27/nyregion/trump-ukraine-rudy-giuliani-2020-presidential-election.html|title=Prosecutors Investigating Whether Ukrainians Meddled in 2020 Election|first1=William K.|last1=Rashbaum|first2=Ben|last2=Protess|first3=Kenneth P.|last3=Vogel|first4=Nicole|last4=Hong|newspaper=The New York Times|date=May 27, 2021|access-date=July 31, 2021|archive-date=June 12, 2021|archive-url=https://web.archive.org/web/20210612033341/https://www.nytimes.com/2021/05/27/nyregion/trump-ukraine-rudy-giuliani-2020-presidential-election.html|url-status=live}}
=== List of confirmed connected data breaches ===
{{excessive citations|section|date=July 2021}}
==== U.S. federal government ====
{{Anchor|federal}}
==== U.S. state and local governments ====
==== Private sector ====
== Investigations and responses ==
=== Technology companies and business ===
On December 8, 2020, before other organizations were known to have been breached, FireEye published countermeasures against the red team tools that had been stolen from it.{{cite web|url=https://github.com/fireeye/red_team_tool_countermeasures|title=fireeye/red_team_tool_countermeasures|website=GitHub|access-date=December 17, 2020|archive-date=December 16, 2020|archive-url=https://web.archive.org/web/20201216112625/https://github.com/fireeye/red_team_tool_countermeasures|url-status=live}}
On December 15, 2020, Microsoft announced that SUNBURST, which only affects Windows platforms, had been added to Microsoft's malware database and would, from December 16 onwards, be detected and quarantined by Microsoft Defender.{{cite web|url=https://www.bleepingcomputer.com/news/security/microsoft-to-quarantine-compromised-solarwinds-binaries-tomorrow/|title=Microsoft to quarantine compromised SolarWinds binaries tomorrow |first=Lawrence |last=Abrams |date=15 December 2020 |website=BleepingComputer|access-date=December 17, 2020|archive-date=December 16, 2020|archive-url=https://web.archive.org/web/20201216154827/https://www.bleepingcomputer.com/news/security/microsoft-to-quarantine-compromised-solarwinds-binaries-tomorrow/|url-status=live}}
GoDaddy transferred ownership of a command-and-control domain used in the attack to Microsoft, allowing Microsoft to activate a killswitch in the SUNBURST malware and to discover which SolarWinds customers were infected.
On December 14, 2020, the CEOs of several American utility companies convened to discuss the risks posed to the power grid by the attacks. On December 22, 2020, the North American Electric Reliability Corporation asked electricity companies to report their level of exposure to SolarWinds software.{{Cite web|url=https://www.cyberscoop.com/nerc-alert-solarwinds-grid-russia/|title=Grid regulator warns utilities of risk of SolarWinds backdoor, asks how exposed they are|date=December 23, 2020|website=CyberScoop|first=Sean|last=Lyngaas|access-date=December 24, 2020|archive-date=February 16, 2021|archive-url=https://web.archive.org/web/20210216074254/https://www.cyberscoop.com/nerc-alert-solarwinds-grid-russia/|url-status=live}}
SolarWinds unpublished its featured customer list after the hack,{{cite web|url=https://www.theverge.com/2020/12/15/22176053/solarwinds-hack-client-list-russia-orion-it-compromised|title=SolarWinds hides list of high-profile customers after devastating hack|first=Russell|last=Brandom|date=December 15, 2020|website=The Verge|access-date=December 16, 2020|archive-date=December 16, 2020|archive-url=https://web.archive.org/web/20201216093459/https://www.theverge.com/2020/12/15/22176053/solarwinds-hack-client-list-russia-orion-it-compromised|url-status=live}} although as of December 15, cybersecurity firm GreyNoise Intelligence said SolarWinds had not removed the infected software updates from its distribution server.{{Cite web|url=https://www.itwire.com/security/backdoored-orion-binary-still-available-on-solarwinds-website.html|title=iTWire - Backdoored Orion binary still available on SolarWinds website|first=Sam|last=Varghese|website=iTWire|date=15 December 2020|access-date=December 25, 2020|archive-date=December 14, 2020|archive-url=https://web.archive.org/web/20201214234008/https://www.itwire.com/security/backdoored-orion-binary-still-available-on-solarwinds-website.html|url-status=live}}
Around January 5, 2021, SolarWinds investors filed a class action lawsuit against the company in relation to its security failures and subsequent fall in share price.{{cite web | title=Class Action Lawsuit Filed Against SolarWinds Over Hack | website=SecurityWeek.Com | date=2021-01-06 | url=https://www.securityweek.com/class-action-lawsuit-filed-against-solarwinds-over-hack | access-date=2021-01-13 | first=Eduard | last=Kovacs | archive-date=February 1, 2021 | archive-url=https://web.archive.org/web/20210201200038/https://www.securityweek.com/class-action-lawsuit-filed-against-solarwinds-over-hack | url-status=live }}{{cite web | last=McCarthy | first=Kieren | title=Ah, right on time: Hacker-slammed SolarWinds sued by angry shareholders | website=The Register | date=2021-01-05 | url=https://www.theregister.com/2021/01/05/solarwinds_sued/ | access-date=2021-01-13 | archive-date=March 17, 2021 | archive-url=https://web.archive.org/web/20210317193928/https://www.theregister.com/2021/01/05/solarwinds_sued/ | url-status=live }} Soon after, SolarWinds hired a new cybersecurity firm co-founded by Krebs.{{cite web | title=SolarWinds Taps Firm Started by Ex-CISA Chief Chris Krebs, Former Facebook CSO Alex Stamos | website=SecurityWeek.Com | date=2021-01-08 | url=https://www.securityweek.com/solarwinds-taps-firm-launched-cisa-chief-chris-krebs-former-facebook-cso-alex-stamos | access-date=2021-01-13 | first=Eduard | last=Kovacs | archive-date=February 19, 2021 | archive-url=https://web.archive.org/web/20210219211949/https://www.securityweek.com/solarwinds-taps-firm-launched-cisa-chief-chris-krebs-former-facebook-cso-alex-stamos | url-status=live }}
The Linux Foundation pointed out that if Orion had been open source, users would have been able to audit it, including via reproducible builds, making it much more likely that the malware payload would have been spotted.{{cite web | last=Vaughan-Nichols | first=Steven J. | title=SolarWinds defense: How to stop similar attacks | website=ZDNet | date=2021-01-14 | url=https://www.zdnet.com/article/solarwinds-defense-how-to-stop-similar-attacks/ | access-date=2021-01-15 | archive-date=March 10, 2021 | archive-url=https://web.archive.org/web/20210310005429/https://www.zdnet.com/article/solarwinds-defense-how-to-stop-similar-attacks/ | url-status=live }}
=== U.S. government ===
==== Security agencies ====
On December 12, 2020, a National Security Council (NSC) meeting was held at the White House to discuss the breach of federal organizations. On December 13, 2020, CISA issued an emergency directive asking federal agencies to disable the SolarWinds software, to reduce the risk of additional intrusions, even though doing so would reduce those agencies' ability to monitor their computer networks. The Russian government said that it was not involved in the attacks.{{cite web|url=https://www.cbsnews.com/news/solarwinds-orion-hack-government-agencies-treasury-fireeye/|title=Potentially major hack of government agencies disclosed|work=CBS News|access-date=December 16, 2020|archive-date=December 15, 2020|archive-url=https://web.archive.org/web/20201215232830/https://www.cbsnews.com/news/solarwinds-orion-hack-government-agencies-treasury-fireeye/|url-status=live |date=14 December 2020}}
On December 14, 2020, the Department of Commerce confirmed that it had asked CISA and the FBI to investigate.{{cite web|url=https://abc11.com/treasury-hack-cyber-attack-on-russia-today/8753611/|title=US government agencies, including Treasury, hacked; Russia possible culprit|publisher=WTVD|date=December 14, 2020|access-date=December 15, 2020|archive-date=December 14, 2020|archive-url=https://web.archive.org/web/20201214025001/https://abc11.com/treasury-hack-cyber-attack-on-russia-today/8753611/|url-status=dead |first1=Eric |last1=Tucker |first2=Tom |last2=Krisher |first3=Frank |last3=Bajak |agency=Associated Press}} The NSC activated Presidential Policy Directive 41, an Obama-era emergency plan, and convened its Cyber Response Group.{{cite web|url=https://www.politico.com/news/2020/12/14/massively-disruptive-cyber-crisis-engulfs-multiple-agencies-445376|title='Massively disruptive' cyber crisis engulfs multiple agencies|first=Eric|last=Geller|website=Politico|access-date=December 16, 2020|archive-date=December 16, 2020|archive-url=https://web.archive.org/web/20201216092339/https://www.politico.com/news/2020/12/14/massively-disruptive-cyber-crisis-engulfs-multiple-agencies-445376|url-status=live |date=14 December 2020}}{{cite web|url=https://slate.com/news-and-politics/2020/12/solarwinds-trump-hack-fireeye.html|title=Trump Has Been Whining About Fake Fraud—and Ignoring a Real Cybersecurity Crisis|first=Fred|last=Kaplan|date=December 15, 2020|website=Slate|access-date=December 16, 2020|archive-date=December 16, 2020|archive-url=https://web.archive.org/web/20201216060553/https://slate.com/news-and-politics/2020/12/solarwinds-trump-hack-fireeye.html|url-status=live}} The U.S. Cyber Command threatened swift retaliation against the attackers, pending the outcome of investigations.{{cite web|url=https://www.newsweek.com/us-swift-action-defense-networks-alleged-russia-hack-1554693|title=US vows 'swift action' if defense networks hit by alleged Russia hack|date=December 14, 2020|website=Newsweek|access-date=December 16, 2020|archive-date=December 16, 2020|archive-url=https://web.archive.org/web/20201216053800/https://www.newsweek.com/us-swift-action-defense-networks-alleged-russia-hack-1554693|url-status=live |first1=Tom |last1=O'Connor |first2=Naveed |last2=Jamali}}
The DOE helped to compensate for a staffing shortfall at CISA by allocating resources to help the Federal Energy Regulatory Commission (FERC) recover from the cyberattack. The FBI, CISA, and the Office of the Director of National Intelligence (ODNI) formed a Cyber Unified Coordination Group (UCG) to coordinate their efforts.{{cite web|url=https://www.securityweek.com/fbi-cisa-odni-describe-response-solarwinds-attack|title=FBI, CISA, ODNI Describe Response to SolarWinds Attack|website=SecurityWeek.com|access-date=December 18, 2020|archive-date=December 18, 2020|archive-url=https://web.archive.org/web/20201218062236/https://www.securityweek.com/fbi-cisa-odni-describe-response-solarwinds-attack|url-status=live |first=Eduard |last=Kovacs |date=17 December 2020}}
On December 24, 2020, CISA said state and local government networks, in addition to federal ones, and other organizations, had been impacted by the attack, but did not provide further details.{{Cite news|url=https://uk.reuters.com/article/us-global-cyber-usa-idUKKBN28Y09L|title=U.S. cyber agency says SolarWinds hackers are 'impacting' state, local governments|first=Raphael|last=Satter|newspaper=Reuters|date=December 24, 2020|via=uk.reuters.com|access-date=December 25, 2020|archive-date=January 1, 2021|archive-url=https://web.archive.org/web/20210101220846/https://uk.reuters.com/article/us-global-cyber-usa-idUKKBN28Y09L|url-status=dead}}
The Cyber Safety Review Board did not investigate the underlying weakness.{{Cite web |last=Silverman |first=Craig |date=2024-07-08 |title=The President Ordered a Board to Probe a Massive Russian Cyberattack. It Never Did. |url=https://www.propublica.org/article/cyber-safety-board-never-investigated-solarwinds-breach-microsoft |access-date=2024-07-09 |website=ProPublica |language=en}}
==Congress==
The Senate Armed Services Committee's cybersecurity subcommittee was briefed by Defense Department officials. The House Committee on Homeland Security and the House Committee on Oversight and Reform announced an investigation. Marco Rubio, acting chair of the Senate Intelligence Committee, said the U.S. must retaliate, but only once the perpetrator had been identified with certainty.{{cite web |first=Alex |last=Daugherty |url=https://www.miamiherald.com/news/politics-government/article247946080.html |title=Intel chairman Rubio says 'America must retaliate' after massive cyber hack |work=Miami Herald |date=December 18, 2020 |access-date=December 19, 2020 |archive-date=December 27, 2020 |archive-url=https://web.archive.org/web/20201227071318/https://www.miamiherald.com/news/politics-government/article247946080.html |url-status=live }} The committee's vice-chairman, Mark Warner, criticized President Trump for failing to acknowledge or react to the hack.{{cite web |url=https://www.npr.org/2020/12/19/948318197/pompeo-russia-pretty-clearly-behind-massive-solarwinds-cyberattack |title=Pompeo Says Russia 'Pretty Clearly' Behind Cyberattack, Prompting Pushback From Trump |work=NPR |date=December 19, 2020 |access-date=December 20, 2020 |last1=Dwyer |first1=Colin |archive-date=June 3, 2021 |archive-url=https://web.archive.org/web/20210603171240/https://www.npr.org/2020/12/19/948318197/pompeo-russia-pretty-clearly-behind-massive-solarwinds-cyberattack |url-status=live }}
Senator Ron Wyden called for mandatory security reviews of software used by federal agencies.
On December 22, 2020, after U.S. Treasury Secretary Steven Mnuchin told reporters that he was "completely on top of this", the Senate Finance Committee was briefed by Microsoft that dozens of Treasury email accounts had been breached, and the attackers had accessed systems of the Treasury's Departmental Offices division, home to top Treasury officials. Senator Wyden said that the briefing showed that the Treasury "still does not know all of the actions taken by hackers, or precisely what information was stolen".
On December 23, 2020, Senator Bob Menendez asked the State Department to end its silence about the extent of its breach, and Senator Richard Blumenthal asked the same of the Department of Veterans Affairs.{{Cite web|url=https://www.cyberscoop.com/menendez-blumenthal-state-va-solarwinds/|title=Lawmakers want more transparency on SolarWinds breach from State, VA|date=December 23, 2020|website=CyberScoop|first=Shannon|last=Vavra|access-date=December 24, 2020|archive-date=January 26, 2021|archive-url=https://web.archive.org/web/20210126214731/https://www.cyberscoop.com/menendez-blumenthal-state-va-solarwinds/|url-status=live}}{{Cite web |url=https://gizmodo.com/veterans-affairs-officials-inexplicably-blow-off-briefi-1845946394 |title=Veterans Affairs Officials Inexplicably Blow Off Briefing on SolarWinds Hack |website=Gizmodo |date=December 24, 2020 |first=Dell |last=Cameron |access-date=December 25, 2020 |archive-date=January 21, 2021 |archive-url=https://web.archive.org/web/20210121074702/https://gizmodo.com/veterans-affairs-officials-inexplicably-blow-off-briefi-1845946394 |url-status=live }}
==The judiciary==
The Administrative Office of the United States Courts initiated an audit, with DHS, of the U.S. Judiciary's Case Management/Electronic Case Files (CM/ECF) system.{{cite web | last=Gatlan | first=Sergiu | title=US Judiciary adds safeguards after potential breach in SolarWinds hack | website=BleepingComputer | date=2021-01-07 | url=https://www.bleepingcomputer.com/news/security/us-judiciary-adds-safeguards-after-potential-breach-in-solarwinds-hack/ | access-date=2021-01-13 | archive-date=April 16, 2021 | archive-url=https://web.archive.org/web/20210416195717/https://www.bleepingcomputer.com/news/security/us-judiciary-adds-safeguards-after-potential-breach-in-solarwinds-hack/ | url-status=live }} It stopped accepting highly sensitive court documents through CM/ECF, requiring instead that they be filed on paper or on a secure electronic device and stored on a standalone, air-gapped system.
==President Trump==
President Donald Trump made no comment on the hack for days after it was reported, leading Senator Mitt Romney to decry his "silence and inaction".{{cite web|url=http://www.theguardian.com/technology/2020/dec/17/us-government-cyber-attack-hack-russia|title=Hacking campaign targeted US energy, treasury and commerce agencies|date=December 17, 2020|website=The Guardian|access-date=December 18, 2020|archive-date=December 17, 2020|archive-url=https://web.archive.org/web/20201217192805/https://www.theguardian.com/technology/2020/dec/17/us-government-cyber-attack-hack-russia|url-status=live |first=Kari |last=Paul}} On December 19, Trump publicly addressed the attacks for the first time. He downplayed the hack, contended that the media had overblown the severity of the incident, said that "everything is well under control", and suggested, without evidence, that China rather than Russia might be responsible. He also speculated, again without evidence, that the attack might have involved a "hit" on voting machines, part of his long-running campaign to falsely assert that he had won the 2020 presidential election.{{cite news |last1=Sink |first1=Justin |title=Trump Downplays Huge Hack Tied to Russia, Suggests China |url=https://www.bloomberg.com/news/articles/2020-12-19/trump-downplays-massive-hack-floats-china-as-possible-culprit |access-date=25 March 2023 |work=Bloomberg |date=19 December 2020 |language=en |archive-date=January 5, 2021 |archive-url=https://web.archive.org/web/20210105190720/https://www.bloomberg.com/news/articles/2020-12-19/trump-downplays-massive-hack-floats-china-as-possible-culprit |url-status=live }}
Former CISA director Chris Krebs rejected the voting-machine claim, warning against conflating election-system security with the SolarWinds hack.{{cite web | last=Canales | first=Katie | title=Former US cybersecurity chief Chris Krebs warned not to 'conflate' voting system security with SolarWinds hack despite Trump's claim | website=Business Insider | date=December 19, 2020 | url=https://www.businessinsider.com/krebs-do-not-conflate-voting-security-solarwinds-hack-2020-12 | access-date=December 20, 2020 | archive-date=December 20, 2020 | archive-url=https://web.archive.org/web/20201220232819/https://www.businessinsider.com/krebs-do-not-conflate-voting-security-solarwinds-hack-2020-12 | url-status=live }} Adam Schiff, chair of the House Intelligence Committee, described Trump's statements as dishonest,{{cite web|title=Trump downplays impact of massive hacking, questions Russia involvement|url=https://uk.reuters.com/article/uk-u-s-cyber-breach/trump-downplays-impact-of-massive-hacking-questions-russia-involvement-idUKKBN28T0QI|date=2020-12-19|publisher=Reuters|first1=Christopher|last1=Bing|first2=Jonathan|last2=Landay|access-date=December 19, 2020|archive-date=January 4, 2021|archive-url=https://web.archive.org/web/20210104235816/https://uk.reuters.com/article/uk-u-s-cyber-breach/trump-downplays-impact-of-massive-hacking-questions-russia-involvement-idUKKBN28T0QI|url-status=dead}} calling the comment a "scandalous betrayal of our national security" that "sounds like it could have been written in the Kremlin."
Former Homeland Security Advisor Thomas P. Bossert said, "President Trump is on the verge of leaving behind a federal government, and perhaps a large number of major industries, compromised by the Russian government," and noted that congressional action, including via the National Defense Authorization Act, would be required to mitigate the damage caused by the attacks.{{cite news |last1=Murdock |first1=Jason |title=Russia Could Fake Government Emails After SolarWinds Hack: Ex-Trump Adviser |url=https://www.newsweek.com/solarwinds-hack-cyberattack-russia-fake-emails-thomas-bossert-joe-biden-1555472 |access-date=25 March 2023 |work=Newsweek |date=17 December 2020 |language=en |archive-date=August 8, 2022 |archive-url=https://web.archive.org/web/20220808205540/https://www.newsweek.com/solarwinds-hack-cyberattack-russia-fake-emails-thomas-bossert-joe-biden-1555472 |url-status=live }}
==President Biden==
Then president-elect Joe Biden said he would identify and penalize the attackers. Biden's incoming chief of staff, Ron Klain, said the Biden administration's response to the hack would extend beyond sanctions.{{Cite news|last=Satter|first=Raphael|date=2020-12-20|title=Biden chief of staff says hack response will go beyond 'just sanctions'|language=en|work=Reuters|url=https://www.reuters.com/article/usa-cyber-breach-idUSKBN28U0IK|access-date=2020-12-20|archive-date=April 7, 2021|archive-url=https://web.archive.org/web/20210407155219/https://www.reuters.com/article/usa-cyber-breach-idUSKBN28U0IK|url-status=live}} On December 22, 2020, Biden reported that his transition team was still being denied access to some briefings about the attack by Trump administration officials.{{Cite web|url=https://www.bloomberg.com/news/articles/2020-12-22/biden-says-hack-of-u-s-shows-trump-failed-at-cyber-security|title=Biden Says Hack of U.S. Shows Trump Failed at Cybersecurity|date=December 22, 2020|first1=Jordan|last1=Fabian|first2=Jennifer|last2=Epstein|website=Bloomberg|access-date=December 23, 2020|archive-date=April 7, 2022|archive-url=https://web.archive.org/web/20220407095729/https://www.bloomberg.com/news/articles/2020-12-22/biden-says-hack-of-u-s-shows-trump-failed-at-cyber-security|url-status=live}}{{Cite web|url=https://www.reuters.com/article/us-usa-biden-idUKKBN28W1ZF|title=Trump must blame Russia for cyber attack on U.S., Biden says|first=Simon|last=Lewis|date=December 23, 2020|work=Reuters|access-date=December 23, 2020|archive-date=January 21, 2021|archive-url=https://web.archive.org/web/20210121032127/https://www.reuters.com/article/us-usa-biden-idUKKBN28W1ZF|url-status=live}}
In January 2021, Biden named appointees for two relevant White House positions: Elizabeth Sherwood-Randall as homeland security adviser, and Anne Neuberger as deputy national security adviser for cyber and emerging technology.{{cite web | title=Biden to Restore Homeland Security and Cybersecurity Aides to Senior White House Posts | website=The New York Times | date=2021-01-13 | url=https://www.nytimes.com/2021/01/13/us/politics/biden-homeland-security-cybersecurity.html | first=David E. | last=Sanger | access-date=2021-01-13 | quote=President-elect Joseph R. Biden Jr., facing the rise of domestic terrorism and a crippling cyberattack from Russia, is elevating two White House posts that all but disappeared in the Trump administration: a homeland security adviser to manage matters as varied as extremism, pandemics and natural disasters, and the first deputy national security adviser for cyber and emerging technology. ... Mr. Trump dismantled the National Security Council's pandemic preparedness office, and while he had an active cyberteam at the beginning of his term, it languished. 'It's disturbing to be in a transition moment when there really aren't counterparts for that transition to be handed off,' Ms. Sherwood-Randall said. ... The SolarWinds hacking, named after the maker of network management software that Russian intelligence agents are suspected of having breached to gain access to the email systems of government agencies and private companies, was a huge intelligence failure. | archive-date=March 29, 2021 | archive-url=https://web.archive.org/web/20210329061041/https://www.nytimes.com/2021/01/13/us/politics/biden-homeland-security-cybersecurity.html | url-status=live }}
In March 2021, while still preparing its response to the SolarWinds intrusion, the Biden administration also confronted the separate Microsoft Exchange Server hack, which White House Press Secretary Jen Psaki called "an active threat".{{cite news|url=https://www.bbc.com/news/world-us-canada-56304379|title=Microsoft hack: White House warns of 'active threat' of email attack|work=BBC News|date=March 6, 2021|access-date=6 March 2021|archive-date=March 7, 2021|archive-url=https://web.archive.org/web/20210307083639/https://www.bbc.com/news/world-us-canada-56304379|url-status=live}} Meanwhile, The New York Times reported that the US government was planning economic sanctions as well as "a series of clandestine actions across Russian networks" in retaliation for the SolarWinds campaign.{{cite news |last1=Sanger |first1=David E. |last2=Barnes |first2=Julian E. |last3=Perlroth |first3=Nicole |title=Preparing for Retaliation Against Russia, U.S. Confronts Hacking by China |url=https://www.nytimes.com/2021/03/07/us/politics/microsoft-solarwinds-hack-russia-china.html |access-date=15 March 2021 |work=The New York Times |date=7 March 2021 |archive-date=March 11, 2021 |archive-url=https://web.archive.org/web/20210311000525/https://www.nytimes.com/2021/03/07/us/politics/microsoft-solarwinds-hack-russia-china.html |url-status=live }}
On April 15, 2021, the United States expelled 10 Russian diplomats and imposed sanctions on 6 Russian companies that support Russia's cyber operations, as well as on 32 individuals and entities, for their roles in the hack and in Russian interference in the 2020 United States elections.{{Cite web|date=2021-04-15|title=US retaliates against Russian hacking by expelling diplomats, imposing new sanctions|url=https://www.fox10phoenix.com/news/us-retaliates-against-russian-hacking-by-expelling-diplomats-imposing-new-sanctions|access-date=2021-04-15|agency=Associated Press|language=en-US|website=FOX 10 Phoenix|first1=Eric|last1=Tucker|first2=Aamer|last2=Madhani|archive-date=December 18, 2022|archive-url=https://web.archive.org/web/20221218123846/https://www.fox10phoenix.com/news/us-retaliates-against-russian-hacking-by-expelling-diplomats-imposing-new-sanctions|url-status=live}}{{Cite web|date=2021-04-15|title=Biden expels Russian diplomats and announces new sanctions in retaliation for hacking|url=https://www.independent.co.uk/news/world/americas/us-politics/biden-russia-sanctions-putin-hacking-b1831934.html |archive-url=https://web.archive.org/web/20210415123039/https://www.independent.co.uk/news/world/americas/us-politics/biden-russia-sanctions-putin-hacking-b1831934.html |archive-date=2021-04-15 |url-access=limited |url-status=live|access-date=2021-04-15|website=The Independent|language=en |first1=Akshita |last1=Jain |first2=Gino |last2=Spocchia}}{{cite news |title=US expels Russian diplomats, issues sanctions |url=https://www.dw.com/en/us-expels-russian-diplomats-and-issues-sanctions-over-solarwinds-hacking-attack/a-57215141 |access-date=25 March 2023 |work=DW |date=15 April 2021 |language=en |archive-date=January 7, 2023 |archive-url=https://web.archive.org/web/20230107141210/https://www.dw.com/en/us-expels-russian-diplomats-and-issues-sanctions-over-solarwinds-hacking-attack/a-57215141 |url-status=live }}
==Rest of the world==
NATO said that it was "currently assessing the situation, with a view to identifying and mitigating any potential risks to our networks." On December 18, the United Kingdom's National Cyber Security Centre said that it was still establishing the attacks' impact on the UK.{{cite web |first=Gordon |last=Corera |url=https://www.bbc.com/news/technology-55368213 |title=SolarWinds: UK assessing impact of hacking campaign |work=BBC News |date=December 18, 2020 |access-date=December 18, 2020 |archive-date=March 11, 2021 |archive-url=https://web.archive.org/web/20210311010528/https://www.bbc.com/news/technology-55368213 |url-status=live }} The UK and Irish cybersecurity agencies published alerts aimed at SolarWinds customers.{{cite news|url=https://time.com/5921684/us-computer-networks-hack-russia/|date=2020-12-15|title=U.S. Agencies and Companies Secure Networks After Huge Hack|magazine=Time|access-date=December 16, 2020|archive-date=December 16, 2020|archive-url=https://web.archive.org/web/20201216052021/https://time.com/5921684/us-computer-networks-hack-russia/|url-status=dead |agency=Associated Press |first1=Ben |last1=Fox |first2=Frank |last2=Bajak}}
On December 23, 2020, the UK Information Commissioner's Office – a national privacy authority – told UK organizations to check immediately whether they were impacted.{{Cite web|url=https://ico.org.uk/about-the-ico/news-and-events/news-and-blogs/2020/12/uk-organisations-using-solarwinds-orion-platform-should-check-whether-personal-data-has-been-affected/|title=UK organisations using SolarWinds Orion platform should check whether personal data has been affected|date=December 23, 2020|website=ico.org.uk|access-date=December 23, 2020|archive-date=January 27, 2021|archive-url=https://web.archive.org/web/20210127170003/https://ico.org.uk/about-the-ico/news-and-events/news-and-blogs/2020/12/uk-organisations-using-solarwinds-orion-platform-should-check-whether-personal-data-has-been-affected/|url-status=dead}}
In December 2020, the Canadian Centre for Cyber Security asked SolarWinds Orion users in Canada to check their systems for compromise.{{cite news | title=CSE warns companies to check IT systems following SolarWinds hack | website=CBC | date=2020-12-19 | url=https://www.cbc.ca/news/politics/cse-solarwinds-warning-1.5854614 | access-date=2020-12-25 | first=Christian | last=Paas-Lang | archive-date=March 30, 2021 | archive-url=https://web.archive.org/web/20210330011005/https://www.cbc.ca/news/politics/cse-solarwinds-warning-1.5854614 | url-status=live }}{{Cite web|url=https://cyber.gc.ca/en/|title=Canadian Centre for Cyber Security|date=August 15, 2018|website=Canadian Centre for Cyber Security|access-date=December 25, 2020|archive-date=May 24, 2021|archive-url=https://web.archive.org/web/20210524214325/https://cyber.gc.ca/en/|url-status=live}}
==Cyber espionage or cyberattack?==
The attack prompted a debate on whether the hack should be treated as cyber espionage, or as a cyberattack constituting an act of war.{{cite web |first1=Jan |last1=Wolfe |first2=Brendan |last2=Pierson |url=https://uk.reuters.com/article/global-cyber-legal/explainer-us-government-hack-espionage-or-act-of-war-idUKL1N2IY3EH |title=Explainer-U.S. government hack: espionage or act of war? |work=Reuters |date=2020-12-19 |access-date=2020-12-19 |archive-date=March 25, 2023 |archive-url=https://web.archive.org/web/20230325023837/https://www.reuters.com/?edition-redirect=uk |url-status=dead }} Most current and former U.S. officials considered the 2020 Russian hack to be a "stunning and distressing feat of espionage" but not a cyberattack, because the Russians did not appear to destroy or manipulate data or cause physical damage (for example, to the electrical grid).{{cite web|date=2020-12-18|access-date=2020-12-19|work=NBC News|title=Suspected Russian hack: Was it an epic cyber attack or spy operation?|url=https://www.nbcnews.com/news/us-news/suspected-russian-hack-was-it-epic-cyber-attack-or-spy-n1251766|first=Ken|last=Dilanian|archive-date=March 11, 2021|archive-url=https://web.archive.org/web/20210311005453/https://www.nbcnews.com/news/us-news/suspected-russian-hack-was-it-epic-cyber-attack-or-spy-n1251766|url-status=live}} Erica Borghard of the Atlantic Council and Columbia's Saltzman Institute and Jacquelyn Schneider of the Hoover Institution and Naval War College argued that the breach was an act of espionage that could be responded to with "arrests, diplomacy, or counterintelligence" and had not yet been shown to be a cyberattack, a classification that would legally allow the U.S. to respond with force.{{cite magazine |author=Erica Borghard |author2=Jacquelyn Schneider |url=https://www.wired.com/story/russia-solarwinds-hack-wasnt-cyberwar-us-strategy/ |title=Russia's Hack Wasn't Cyberwar. That Complicates US Strategy |magazine=Wired |access-date=December 17, 2020|archive-date=December 18, 2020|archive-url=https://web.archive.org/web/20201218062246/https://www.wired.com/story/russia-solarwinds-hack-wasnt-cyberwar-us-strategy/|url-status=live |date=17 December 2020}} Law professor Jack Goldsmith wrote that the hack was a damaging act of cyber-espionage but "does not violate international law or norms", adding that "because of its own practices, the U.S. government has traditionally accepted the legitimacy of foreign governmental electronic spying in U.S. government networks."{{cite web|url=https://thedispatch.com/p/self-delusion-on-the-russia-hack|title=Self-Delusion on the Russia Hack|first=Jack|last=Goldsmith|website=thedispatch.com|date=December 18, 2020|access-date=December 18, 2020|archive-date=May 16, 2021|archive-url=https://web.archive.org/web/20210516174301/https://thedispatch.com/p/self-delusion-on-the-russia-hack|url-status=live}} Law professor Michael Schmitt concurred, citing the Tallinn Manual.{{Cite web|url=https://www.justsecurity.org/73946/russias-solarwinds-operation-and-international-law/|title=Russia's SolarWinds Operation and International Law|date=December 21, 2020|website=Just Security|first=Michael|last=Schmitt|access-date=December 23, 2020|archive-date=May 29, 2021|archive-url=https://web.archive.org/web/20210529171905/https://www.justsecurity.org/73946/russias-solarwinds-operation-and-international-law/|url-status=live}}
By contrast, Microsoft president Brad Smith termed the hack a cyberattack, stating that it was "not 'espionage as usual,' even in the digital age" because it was "not just an attack on specific targets, but on the trust and reliability of the world's critical infrastructure."{{cite web | title=Microsoft president calls SolarWinds hack an 'act of recklessness' | website=Ars Technica | date=December 18, 2020 | url=https://arstechnica.com/information-technology/2020/12/only-an-elite-few-solarwinds-hack-victims-received-follow-on-attacks/ | access-date=December 18, 2020 | first=Dan | last=Goodin | archive-date=May 7, 2021 | archive-url=https://web.archive.org/web/20210507202218/https://arstechnica.com/information-technology/2020/12/only-an-elite-few-solarwinds-hack-victims-received-follow-on-attacks/ | url-status=live }}{{cite web | title=US cyber-attack: US energy department confirms it was hit by Sunburst hack | website=BBC News | date=December 18, 2020 | url=https://www.bbc.com/news/world-us-canada-55358332 | access-date=December 18, 2020 | archive-date=June 6, 2021 | archive-url=https://web.archive.org/web/20210606191413/https://www.bbc.com/news/world-us-canada-55358332 | url-status=live }} U.S. Senator Richard J. Durbin (D-IL) described the attack as tantamount to a declaration of war.
==Debate on possible U.S. responses==
Writing for Wired, Borghard and Schneider opined that the U.S. "should continue to build and rely on strategic deterrence to convince states not to weaponize the cyber intelligence they collect". They also stated that because deterrence may not effectively discourage cyber-espionage attempts by threat actors, the U.S. should also focus on making cyber-espionage less successful through methods such as enhanced cyber-defenses, better information-sharing, and "defending forward" (reducing Russian and Chinese offensive cyber-capabilities).
Writing for The Dispatch, Goldsmith wrote that the failure of defense and deterrence strategies against cyber-intrusion should prompt consideration of a "mutual restraint" strategy, "whereby the United States agrees to curb certain activities in foreign networks in exchange for forbearance by our adversaries in our networks."
Cybersecurity author Bruce Schneier argued against retaliation or increases in offensive capabilities, proposing instead the adoption of a defense-dominant strategy and U.S. endorsement of international norms such as the Paris Call for Trust and Security in Cyberspace or the proposals of the Global Commission on the Stability of Cyberspace.{{Cite news|url=https://www.theguardian.com/commentisfree/2020/dec/23/cyber-attack-us-security-protocols|title=The US has suffered a massive cyberbreach. It's hard to overstate how bad it is|first=Bruce|last=Schneier|date=December 23, 2020|website=The Guardian|access-date=December 23, 2020|archive-date=May 7, 2021|archive-url=https://web.archive.org/web/20210507091101/https://www.theguardian.com/commentisfree/2020/dec/23/cyber-attack-us-security-protocols|url-status=live}}
In The New York Times, Paul Kolbe, a former CIA officer and director of the Intelligence Project at Harvard's Belfer Center for Science and International Affairs, echoed Schneier's call for improvements in U.S. cyberdefenses and for international agreements. He also noted that the US conducts similar operations against other countries in what he described as an ambient cyber-conflict.{{Cite news|url=https://www.nytimes.com/2020/12/23/opinion/russia-united-states-hack.html|title=With Hacking, the United States Needs to Stop Playing the Victim|first=Paul R.|last=Kolbe|newspaper=The New York Times|date=December 24, 2020|url-access=subscription|id={{ProQuest|2473435248}}|access-date=December 24, 2020|archive-date=May 19, 2021|archive-url=https://web.archive.org/web/20210519021103/https://www.nytimes.com/2020/12/23/opinion/russia-united-states-hack.html|url-status=live}}
==See also==
* Cyberwarfare in the United States
* Cyberwarfare by Russia
* EternalBlue
* Global surveillance disclosures (2013–present)
* List of data breaches
* Moonlight Maze
* Office of Personnel Management data breach
* Security dilemma
* The Shadow Brokers
* 2008 cyberattack on United States
* 2021 Microsoft Exchange Server data breach
* Vulkan files leak
==References==
{{reflist|colwidth=30em}}
==External links==
* [https://www.solarwinds.com/sa-overview/securityadvisory SolarWinds Security Advisory]
* [https://www.fireeye.com/blog/threat-research/2020/12/evasive-attacker-leverages-solarwinds-supply-chain-compromises-with-sunburst-backdoor.html FireEye Research Report]
* [https://www.guidepointsecurity.com/analysis-of-the-solarwinds-supply-chain-attack GuidePoint Security Analysis]
* [https://media.defense.gov/2021/Apr/15/2002621240/-1/-1/0/CSA_SVR_TARGETS_US_ALLIES_UOO13234021.PDF Russian SVR Targets U.S. and Allied Networks] (pdf file)
* [https://text.npr.org/985439655 A 'Worst Nightmare' Cyberattack: The Untold Story Of The SolarWinds Hack] by Dina Temple-Raston, Friday, April 16, 2021 ([https://text.npr.org/ NPR text only version])
{{Hacking in the 2020s}}
[[Category:2020 in the United States]]