SolarWinds Provides Update on Major Hack Amid New CISA Venture
CISA aims to prevent major supply chain security incidents like the SolarWinds breach from happening again.

In a new blog post, SolarWinds said the company first noticed “suspicious activity” on its Orion platform in September 2019 — more than a year before discovering the malicious code now referred to as SUNBURST, which led to the December 2020 cyberattack.
According to SolarWinds, the SUNSPOT malware inserted the SUNBURST backdoor “into software builds of the SolarWinds Orion IT management product.”
In other words, the malware mimicked SolarWinds’ own IT product, slipping in during the development process.
“The design of SUNSPOT suggests [the hackers] invested a lot of effort to ensure the code was properly inserted and remained undetected, and prioritized operational security to avoid revealing their presence in the build environment to SolarWinds developers,” according to the blog post.
SolarWinds said it “identified two previous customer support incidents during the timeline referenced above that, with the benefit of hindsight, we believe may be related to SUNBURST.”
Both incidents prompted investigations, but SolarWinds did not find the SUNBURST malicious code until December.
On the heels of the SolarWinds update, CISA launched a new Systemic Cyber Risk Reduction Venture, highlighting the SolarWinds Orion hack as a result of the “concentrated sources of cyber risk” the new venture hopes to address.
“The SolarWinds Orion cyber campaign has highlighted how tools that typically leverage a significant number of highly privileged accounts and access to perform normal business functions can themselves actually become adversarial attack vectors if insufficiently hardened,” wrote Bob Kolasky, CISA’s assistant director for the National Risk Management Center.
In the press release, Kolasky underscored open source code libraries as a significant cyber risk. Daniel Kroese, former associate director for CISA’s National Risk Management Center, specifically called out open source software at GovernmentCIO Media & Research’s Infrastructure: Foundations of the Future event.
“Software represents a potentially concentrated source of risk if you don’t have the vulnerability management and acquisition strategies around it,” he said during a panel on IT supply chain security. “We’re working to deploy a series of tools across government agencies, but also private sector partners in the critical infrastructure community to do this supply chain analysis so that if there are vulnerabilities … we can track it, understand where it is and patch that swiftly.”
Kolasky said the Systemic Cyber Risk Reduction Venture will prioritize “software assurance” because it’s an area with “systemic risk.”
In December 2020, CISA released its Information and Communications Technology Supply Chain Risk Management Task Force Year Two Report, which detailed ways in which federal agencies can take stock of their ICT supply chain risk, like software vulnerabilities.
To prevent major hacks like the SolarWinds breach from happening again, the CISA Systemic Cyber Risk Reduction Venture will develop a cyber risk analysis for critical infrastructure and cyber risk metrics, and identify and promote tools to address “concentrated sources of cyber risk,” like software supply chains.