
SolarWinds Cyber Attack: A Case Study

Written by Scarlet Mendoza | Apr 23, 2025 5:49:28 PM

When we think of cyberattacks, we usually imagine a group of experts locked in a room full of screens, endlessly analyzing lines of code. But the truth is that sometimes even the biggest attacks go completely unnoticed. That's what happened in December 2020, when it came to light that SolarWinds (a company that provides software to thousands of organizations, including governments and large companies) had been the victim of a silent but terrible attack.

Hackers had managed to sneak into SolarWinds' Orion software and slipped malicious code inside a legitimate update. That update was installed without a problem on thousands of systems around the world, and no one suspected a thing... until it was too late. The most worrying thing was not only the compromised information, but also what the attack exposed: that we often blindly trust technology providers without thinking about the risks that this can bring.

This incident completely changed the way we look at digital security. It made it clear to us that taking care of our own networks is not enough; we also have to look at how secure the tools we use are. And, most importantly, it made it clear that we need to be much better prepared: detect threats early, react quickly when something goes wrong and, above all, collaborate between companies, governments and experts if we really want to deal with risks that, although not always seen, can have huge consequences.

 

What is SolarWinds and why was it a target?

 

SolarWinds is an Austin, Texas-based company dedicated to providing software to manage the technology infrastructure of huge organizations (from private companies to government agencies). It's not exactly small: it has more than 320,000 customers in some 190 countries, including 499 of the Fortune 500 largest companies in the world.

Everything seemed to be in order... until, in December 2020, the cybersecurity company FireEye sounded the alarm. They had detected something very serious: a covert operation in which hackers managed to infiltrate one of SolarWinds' most widely used platforms, Orion, a key tool for managing networks. What they did was insert malicious code into a legitimate software update, which was then unsuspectingly installed by thousands of customers who were simply updating their system as usual.

And this is where it all gets complicated. Once inside, the attackers could move freely around the systems, spy on emails, access confidential files and act with complete discretion. The most disturbing thing is that they did it with such care that no one noticed for months. They were extremely meticulous about erasing their tracks and remaining invisible.

It is believed that it all started in September 2019, when the attackers first managed to sneak in. The malware was inserted in February 2020 and began to be distributed in March and April, when users were downloading the update without knowing what was inside. By May, the hackers were inside, scanning networks, reading documents and going completely unnoticed. And the worst part: they stayed there for at least eight months.

 

 

Figure: SolarWinds operation timeline

 

How did the malware work?

 

The attack, which became known as SUNBURST, was a move that was as ingenious as it was alarming. It was executed so well that no one suspected a thing. This type of tactic is called a supply chain attack, and it's especially dangerous because it sneaks in right where you least expect it: through a vendor you trust and would never doubt.

When customers unknowingly updated their system, they were also installing the malware. From that point on, the backdoor was activated and began to do its work silently. SUNBURST was no ordinary piece of malware. It was very carefully designed and had several powerful functions:

 

  1. Steal information: it could collect sensitive data from the infected system.

  2. Stealth: it mimicked normal network traffic so as not to raise suspicions or alerts from security systems.

  3. Backdoor: it gave attackers remote access to affected systems and allowed them to move within the network as if they were legitimate users.

 

But that was not the end of it. Once inside, the attackers didn't sit still. They used advanced tools to gain more privileges, obtain credentials from other users, install more backdoors and access increasingly sensitive data. The level of access they achieved was truly profound.

Among those affected were very important government agencies, large technology companies and private firms. The alarming thing is that, for months, no one noticed anything. They were there, inside critical systems, viewing emails, moving between networks... without leaving obvious traces.

This type of attack is not only a sign of what hackers can do when they are patient and sophisticated, but also of how exposed we are when we blindly trust any software we install.

 


 

How big was the impact?

 

The scope of this attack was brutal. It is estimated that more than 18,000 organizations downloaded the infected update without having any idea what was included. Now, not all of them were directly attacked, but they were exposed. Among the most well-known names affected were the U.S. Department of Homeland Security, Microsoft, FireEye and several government agencies in different countries.

The blow was severe, both for SolarWinds and for the companies and governments that relied on its software. Even some organizations in Spain could have been part of the list.

All this made very clear something that can no longer be ignored: we need systems that can detect these types of threats quickly and react immediately. And not only that. It is also urgent to strengthen security throughout the software supply chain. It is not enough to protect only what you have inside your own house... you also need to make sure that what comes from outside is clean and well controlled.

 

Lessons Learned

 

The SolarWinds case left us with more than one important security lesson. Not only did it show how vulnerable even large organizations can be, but it also brought to light many things that can (and should) be done better.

 

1. Guarding the supply chain as if it were your own

 

One of the biggest mistakes was blindly trusting a supplier. What became clear is that companies need to take a good look at their technology partners. This means auditing those who give you software, knowing how they work, reviewing the code they use and making sure there is nothing weird hidden in there. Because if they fail, the problem is also yours.

 

2. Monitor everything, all the time

 

Waiting for something to go wrong is not an option. It is essential to have tools that constantly monitor what is going on in your network. If something behaves strangely, you need to know immediately. Monitoring, anomaly detection, alerts... all this can make the difference between a scare and a disaster.
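As an added illustration (not code from the original article or from TecnetOne), the following Python script runs one simple behavioral check over a constructed set of logon records: it flags any account that reaches an unusually large number of distinct hosts within a short window, the kind of fan-out that the lateral movement described earlier in this article would produce. The log format, host names and account names are assumptions made for the example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample of logon events (not real SolarWinds telemetry).
# One line per successful logon: "<ISO timestamp> <user> <src_host> -> <dst_host>"
SAMPLE_LOG = """\
2020-05-04T09:00:00 alice ws-alice -> fileserver01
2020-05-04T09:05:00 alice ws-alice -> mail01
2020-05-04T09:20:00 bob ws-bob -> fileserver01
2020-05-04T10:00:00 svc_monitor mon-srv -> fileserver01
2020-05-04T10:00:07 svc_monitor mon-srv -> mail01
2020-05-04T10:00:15 svc_monitor mon-srv -> dc01
2020-05-04T10:00:22 svc_monitor mon-srv -> hr-db
2020-05-04T10:00:30 svc_monitor mon-srv -> finance01
2020-05-04T11:00:00 bob ws-bob -> mail01
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) -> (\S+)$")

def parse(log_text):
    """Parse log lines into (timestamp, user, src, dst) tuples, skipping malformed lines."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # malformed input should not crash a detector
        ts, user, src, dst = m.groups()
        events.append((datetime.fromisoformat(ts), user, src, dst))
    return sorted(events)

def detect_fan_out(events, window=timedelta(minutes=10), threshold=4):
    """Return {user: hosts} for accounts that reach >= threshold distinct
    hosts inside any interval of length `window` (sliding-window scan)."""
    by_user = defaultdict(list)
    for ts, _user_src_dst in ((e[0], e) for e in events):
        by_user[_user_src_dst[1]].append((ts, _user_src_dst[3]))
    alerts = {}
    for user, evs in by_user.items():
        evs.sort()
        start = 0
        for end in range(len(evs)):
            while evs[end][0] - evs[start][0] > window:
                start += 1  # drop events that fell out of the window
            hosts = {dst for _, dst in evs[start:end + 1]}
            if len(hosts) >= threshold:
                alerts[user] = alerts.get(user, set()) | hosts
    return alerts

def run(log_text=SAMPLE_LOG):
    return detect_fan_out(parse(log_text))

if __name__ == "__main__":
    for user, hosts in run().items():
        print(f"ALERT: {user} reached {len(hosts)} hosts in a short window: {sorted(hosts)}")
```

The threshold and window are starting points; in practice they are tuned per account class (service accounts, admins, ordinary users) against a baseline of normal behavior, which is what turns a rule like this into the "behavioral analysis" a SOC performs.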

In that sense, having a SOC (Security Operations Center) like TecnetOne's can be a great ally. Its specialized team works 24/7 analyzing network behavior, detecting any suspicious activity and reacting in real time to potential threats. Our SOC offers multiple layers of protection: 

 

  1. Intrusion detection (HIDS): analyzes log files, monitors system integrity and detects suspicious changes in real time.

  2. Behavioral analysis: looks for anomalous patterns in the network or on endpoints that could indicate malicious activity.

  3. Vulnerability management: cross-checks system information with public databases to detect possible security flaws that have not yet been corrected.

  4. Regulatory compliance monitoring: automatically verifies whether systems comply with standards such as PCI-DSS, GDPR, HIPAA, among others.

  5. Automated reaction: automatic responses to certain events can be configured, such as blocking a malicious IP or isolating a compromised endpoint.

 

TecnetOne's SOC, inspired by these capabilities, provides continuous monitoring, intelligent alerts and rapid incident response. And the best part: it's designed to scale with your infrastructure, whether you have 10 or 10,000 connected devices. These are just some of its features, but in essence, the goal is clear: anticipate threats, react in time and keep your systems protected without you having to lose sleep over it.

 

3. Zero Trust: trust nothing, not even what seems safe

 

The idea of “zero trust” is no longer just a fad. You have to treat every access as if it were potentially dangerous, and verify everything. Yes, even within your own network. This greatly reduces the risk of someone moving freely once they get in.

 

4. Responding quickly saves the day

 

Having a good incident response plan can save you a lot of headaches. Attacked? You know what to do, who to call, what systems to isolate and how to recover. Not having this prepared is like riding a bicycle without brakes.

 

5. Collaborate, share, learn together

 

One of the big lessons is that no one can face these threats alone. Governments and companies have to talk to each other, share information about what they see, what they learn and how they react. That way we can all improve and be better prepared for what is coming.

 

6. Training and security culture

 

It's not all about technology. People also play a key role. Training teams, teaching best practices and keeping everyone on their toes makes a big difference. One wrong click can open the door to the world's most sophisticated attacker.

 

Conclusion

 

The SolarWinds attack was a major blow, but also a major wake-up call. Today we know that protecting ourselves is not just about antivirus and firewalls. It is about reviewing the entire ecosystem, from the software we use to how our equipment responds to a threat. The key is to combine technology, processes and people. Only in this way can we be truly prepared for the security challenges that are already here (and those to come).