SolarWinds – Build System Compromise → SUNBURST Backdoor → On-Prem to Cloud Pivot → Golden SAML → US Government Espionage
Russian SVR (APT29 / Cozy Bear) breached SolarWinds' build pipeline and injected the SUNBURST backdoor into signed Orion software updates sent to 18,000+ customers. At high-value government targets, they used SUNBURST to achieve domain admin on-premises, then stole the ADFS token-signing certificate to forge Golden SAML tokens — bypassing MFA entirely to access Azure AD and Microsoft 365 environments for months. This was the first major nation-state supply chain attack that explicitly pivoted from on-premises to cloud identity.
SVR gained access to SolarWinds' internal build system and installed SUNSPOT — a build-time implant that monitored the MSBuild.exe process and injected SUNBURST malicious code into Orion.Core.BusinessLayer.dll during compilation. The resulting DLL was then signed with SolarWinds' legitimate code-signing certificate, making it appear authentic.
Code signing: Trojanized DLL signed with SolarWinds' legitimate certificate (trusted by customers)
Dormancy: SUNBURST waited ~2 weeks post-installation before activating (to evade sandbox detection)
Beginning in March 2020, customers installed the trojanized Orion updates. SUNBURST beaconed to the attacker-controlled domain avsvmcloud[.]com using DNS subdomain queries that encoded victim environment information. SVR then selectively activated only high-value targets for further exploitation; the majority of the 18,000 infected organisations were never actively exploited.
Evasion: Traffic mimicked legitimate SolarWinds telemetry · Dormancy period bypassed sandbox detection
Selective exploitation: 18,000 infected · ~100 actively pursued by SVR
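The beaconing pattern described above (many distinct, machine-generated subdomains under one parent domain from a single host) is something a defender can hunt for in DNS logs. The following is an added example, not code from the page or from any SolarWinds or FireEye tooling: it parses a constructed, whitespace-separated DNS query log, scores the leftmost label of each name by length and Shannon entropy, and reports (client, parent domain) pairs that repeatedly query distinct high-entropy labels. The log format, client IPs, subdomain labels and thresholds are assumptions made for the example; only the parent domain avsvmcloud[.]com comes from the page.

```python
import math
import re
from collections import defaultdict

# Constructed sample DNS query log: timestamp, client IP, queried name.
# The subdomain labels and client IPs are made up for this example; only the
# parent domain avsvmcloud[.]com comes from the SUNBURST reporting above.
SAMPLE_DNS_LOG = """\
2020-06-01T10:00:01Z 10.1.2.3 www.solarwinds.com
2020-06-01T10:00:05Z 10.1.2.3 k3j9q2m7x4p8w1n5z6r0c.avsvmcloud.com
2020-06-01T10:15:07Z 10.1.2.3 p0q7z2v5r9x1m4n8k3j6t.avsvmcloud.com
2020-06-01T10:30:11Z 10.1.2.3 w5n1k8j3m6x9p2q4z7r0v.avsvmcloud.com
2020-06-01T10:45:13Z 10.1.2.3 z9r0v6x3m8k1j4n7p2q5w.avsvmcloud.com
2020-06-01T11:00:02Z 10.1.2.9 mail.example.com
2020-06-01T11:00:04Z 10.1.2.9 cdn.example.com
2020-06-01T11:00:06Z 10.1.2.9 static.example.com
"""

LOG_LINE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)$")


def shannon_entropy(s: str) -> float:
    """Bits of entropy per character of s (0.0 for the empty string)."""
    if not s:
        return 0.0
    counts = defaultdict(int)
    for ch in s:
        counts[ch] += 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def registered_domain(name: str) -> str:
    """Naive 'last two labels' parent domain; adequate for .com-style names in this example."""
    parts = name.rstrip(".").lower().split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else name


def parse_dns_log(text: str):
    """Yield (timestamp, client, qname) tuples from the constructed log format."""
    for line in text.splitlines():
        m = LOG_LINE.match(line.strip())
        if m:
            yield m.groups()


def find_beacon_suspects(text: str, min_label_len: int = 16,
                         min_entropy: float = 3.5, min_distinct: int = 3):
    """
    Flag (client, parent_domain) pairs where one client queries several distinct,
    long, high-entropy leftmost labels under the same parent domain. Encoding
    victim data in subdomains produces exactly that shape, whereas ordinary
    browsing yields a few short dictionary-like hostnames. Thresholds are
    illustrative and should be tuned against a baseline of the real environment.
    """
    distinct = defaultdict(set)
    for _ts, client, qname in parse_dns_log(text):
        label = qname.split(".")[0]
        if len(label) >= min_label_len and shannon_entropy(label) >= min_entropy:
            distinct[(client, registered_domain(qname))].add(label)
    return {key: sorted(labels) for key, labels in distinct.items()
            if len(labels) >= min_distinct}


if __name__ == "__main__":
    for (client, domain), labels in find_beacon_suspects(SAMPLE_DNS_LOG).items():
        print(f"{client} -> {domain}: {len(labels)} distinct high-entropy labels")
```

The entropy check on its own is noisy (CDN and telemetry hostnames are often random-looking), which is why the rule also requires several distinct labels from the same client under one parent domain before it fires; in practice you would additionally whitelist known CDN and SaaS parent domains.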
At selected high-value targets, SUNBURST delivered TEARDROP — a memory-resident dropper — which deployed Cobalt Strike BEACON for interactive C2 and lateral movement. SVR used BEACON to escalate to domain admin privileges on the victim's on-premises Active Directory, positioning themselves to attack cloud identity via the ADFS server.
Goal of on-prem access: Reach ADFS server to steal the SAML token-signing certificate
Evasion: All traffic masqueraded as legitimate SolarWinds API activity
With domain admin privileges, SVR extracted the ADFS token-signing private key and certificate from the on-premises federation server. Using this key, they could forge SAML assertions impersonating any user — "Golden SAML." Forged SAML tokens bypass MFA entirely because the SAML assertion IS the proof of authentication — no second factor is requested when a valid SAML response is presented.
1. Extract ADFS private signing key + certificate (requires domain admin)
2. Forge SAML assertion claiming to be any privileged user (Global Admin, etc.)
3. Present to Azure AD / M365 — accepted as fully legitimate
4. MFA bypassed — the forged SAML IS the authentication proof
Persistence: SAML signing certs rarely rotated — access persisted indefinitely without re-exploitation
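Because a forged assertion never passes through the federation server, the strongest detection for Golden SAML is a correlation check: every cloud sign-in that claims federated authentication should be backed by a token-issuance record on the ADFS server shortly before it. The following is an added example, not code from the page or from Microsoft: it runs that correlation over constructed, simplified sign-in and ADFS records, additionally flags assertions whose lifetime exceeds what the IdP is configured to issue, and includes a check for a signing certificate that has outlived its rotation policy (the persistence point above). The record field names, times, users and thresholds are this example's own assumptions, not the real Azure AD or ADFS log schema.

```python
import json
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Constructed, simplified records. Field names are invented for this example and
# do not match the exact schema of Azure AD sign-in logs or the AD FS event log.
CLOUD_SIGNINS = json.loads("""[
 {"id": "s1", "user": "alice@example.com", "time": "2020-06-02T09:00:30Z",
  "auth": "federated", "assertion_lifetime_min": 60},
 {"id": "s2", "user": "bob@example.com",   "time": "2020-06-02T09:10:00Z",
  "auth": "federated", "assertion_lifetime_min": 60},
 {"id": "s3", "user": "admin@example.com", "time": "2020-06-02T23:45:00Z",
  "auth": "federated", "assertion_lifetime_min": 10080},
 {"id": "s4", "user": "carol@example.com", "time": "2020-06-02T10:00:00Z",
  "auth": "cloud_password", "assertion_lifetime_min": 0}
]""")

# Token-issuance records exported from the on-premises federation server (constructed).
ADFS_TOKEN_ISSUANCE = json.loads("""[
 {"user": "alice@example.com", "time": "2020-06-02T09:00:05Z"},
 {"user": "bob@example.com",   "time": "2020-06-02T09:09:40Z"}
]""")


def parse_time(s: str) -> datetime:
    """Parse the ISO-8601 UTC timestamps used in the constructed records."""
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def find_unbacked_federated_signins(signins, adfs_events,
                                    window=timedelta(minutes=5),
                                    max_lifetime_min=60):
    """
    Return [(signin_id, [reasons])] for federated cloud sign-ins that
      (a) have no AD FS token-issuance record for the same user within `window`
          before the sign-in, or
      (b) carry an assertion lifetime longer than the IdP is configured to issue.
    A forged assertion is minted offline with the stolen key and never touches
    AD FS, so (a) is the primary signal; (b) catches long-lived forged tokens.
    """
    issued = defaultdict(list)
    for ev in adfs_events:
        issued[ev["user"]].append(parse_time(ev["time"]))

    findings = []
    for s in signins:
        if s["auth"] != "federated":
            continue  # cloud-native auth is not expected to appear in AD FS logs
        t = parse_time(s["time"])
        reasons = []
        if not any(t - window <= it <= t for it in issued.get(s["user"], [])):
            reasons.append("no matching AD FS token issuance")
        if s["assertion_lifetime_min"] > max_lifetime_min:
            reasons.append(f"assertion lifetime {s['assertion_lifetime_min']} min "
                           f"exceeds configured {max_lifetime_min}")
        if reasons:
            findings.append((s["id"], reasons))
    return findings


def signing_cert_overdue(not_before: str, now: str, max_age_days: int = 365) -> bool:
    """True when the token-signing certificate has been in use longer than the
    rotation policy allows; a stolen key stays valid until the cert is rotated."""
    return parse_time(now) - parse_time(not_before) > timedelta(days=max_age_days)


if __name__ == "__main__":
    for signin_id, reasons in find_unbacked_federated_signins(CLOUD_SIGNINS, ADFS_TOKEN_ISSUANCE):
        print(signin_id, "->", "; ".join(reasons))
    print("signing cert overdue:", signing_cert_overdue("2017-01-01T00:00:00Z", "2020-06-02T00:00:00Z"))
```

The correlation only works if ADFS token-issuance auditing is enabled and forwarded to a store the attacker cannot edit with domain admin rights; a finding also deserves review of the ADFS server itself, since key theft implies prior privileged access to it.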
SVR accessed M365 environments at multiple US government agencies including Treasury, Commerce, DHS, State Department, and DOJ. Critically, they also modified Azure AD to add trusted federated identity providers and OAuth application permissions — cloud-layer backdoors that persisted even after SolarWinds Orion was removed from victim networks.
Cloud persistence mechanisms added:
→ New federated identity providers added to Azure AD
→ OAuth app permissions granted for API-based access
→ Service principal credentials added for ongoing access
Key lesson: Removing Orion did NOT remove cloud access — Azure AD had to be separately evicted
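Each of the three cloud persistence mechanisms listed above leaves a directory audit record, so an eviction checklist can be turned into a triage script. The following is an added example, not code from the page or from Microsoft: it scans constructed Azure AD style audit records for federation changes, tenant-wide OAuth consents and service principal credential additions, and raises the severity when a federation issuer is not on an allowlist or a consent grants high-risk permissions. The activity strings match the names Azure AD audit logs use for these operations as far as I know, but treat them, the record layout, and the sample values as assumptions to verify against your own tenant's export.

```python
import json

# Audit activity names believed to be those used by Azure AD for these operations
# (verify against your tenant's logs; treated as assumptions in this example).
PERSISTENCE_ACTIVITIES = {
    "Set federation settings on domain": "federated identity provider changed or added",
    "Set domain authentication": "domain authentication switched to federated",
    "Consent to application": "OAuth application granted permissions",
    "Add service principal credentials": "credential added to service principal",
}

# Permissions whose grant to an app gives durable, MFA-free access to data (illustrative set).
HIGH_RISK_PERMISSIONS = {"Mail.Read", "Mail.ReadWrite", "full_access_as_app",
                         "Directory.ReadWrite.All"}

# Constructed audit records in a simplified layout, not the real Azure AD schema.
SAMPLE_AUDIT = json.loads("""[
 {"time": "2020-06-03T01:12:00Z", "activity": "Update user", "actor": "admin@example.com",
  "target": "bob@example.com", "details": {}},
 {"time": "2020-06-03T01:15:00Z", "activity": "Set federation settings on domain",
  "actor": "svc-sync@example.com", "target": "example.com",
  "details": {"IssuerUri": "http://sts.unknown-idp.invalid/adfs/services/trust"}},
 {"time": "2020-06-03T01:20:00Z", "activity": "Consent to application", "actor": "admin@example.com",
  "target": "Mail Archiver", "details": {"ConsentType": "AllPrincipals", "Permissions": "Mail.Read User.Read"}},
 {"time": "2020-06-03T01:25:00Z", "activity": "Add service principal credentials", "actor": "admin@example.com",
  "target": "Mail Archiver", "details": {"KeyType": "Password"}}
]""")

# The only federation issuer this (constructed) tenant is supposed to trust.
EXPECTED_ISSUERS = {"http://adfs.example.com/adfs/services/trust"}


def triage_audit(records, expected_issuers):
    """
    Return one finding per persistence-relevant audit record, in log order.
    Severity is 'medium' by default and 'high' when a federation issuer is not
    on the allowlist or an app consent is tenant-wide / includes risky scopes.
    """
    findings = []
    for r in records:
        why = PERSISTENCE_ACTIVITIES.get(r["activity"])
        if why is None:
            continue  # routine directory change, not a persistence mechanism
        d = r.get("details", {})
        severity = "medium"
        if r["activity"] in ("Set federation settings on domain", "Set domain authentication"):
            issuer = d.get("IssuerUri")
            if issuer not in expected_issuers:
                severity = "high"
                why += f" (issuer {issuer!r} not in allowlist)"
        elif r["activity"] == "Consent to application":
            granted = set(d.get("Permissions", "").split())
            risky = granted & HIGH_RISK_PERMISSIONS
            tenant_wide = d.get("ConsentType") == "AllPrincipals"
            if risky or tenant_wide:
                severity = "high"
                why += f" (tenant-wide={tenant_wide}, risky={sorted(risky)})"
        findings.append({"time": r["time"], "actor": r["actor"], "target": r["target"],
                         "severity": severity, "why": why})
    return findings


if __name__ == "__main__":
    for f in triage_audit(SAMPLE_AUDIT, EXPECTED_ISSUERS):
        print(f"[{f['severity']}] {f['time']} {f['actor']} -> {f['target']}: {f['why']}")
```

Running this over the full retention window, not just the incident period, matters here: the page's key lesson is that these cloud-layer changes were made while Orion access was live and outlived its removal, so the eviction has to enumerate and reverse every federation trust, consent and credential the attacker added, in addition to rotating the ADFS signing certificate.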
FireEye discovered the theft of its proprietary red team tools during an internal investigation and traced the intrusion to a trojanized SolarWinds Orion update. Its public disclosure on December 13, 2020 triggered a global incident response and CISA Emergency Directive 21-01, which required all federal agencies to immediately disconnect Orion. Crucially, removing Orion did not remove cloud persistence; the Azure AD backdoors required a separate, comprehensive eviction process.
Time from build compromise to discovery: ~14 months
CISA ED 21-01: All federal agencies ordered to disconnect SolarWinds Orion immediately
Critical complication: Cloud-layer backdoors (Azure AD federation, OAuth apps) persisted after Orion removal