Cybercom › Prologue

SolarWinds

2020  ·  Part 5  ·  scripted  ·  SolarWinds, APT29, supply-chain, SUNSPOT

Prologue — SolarWinds (2020)

Austin, Texas. March 2020.

The Orion build server compiles its software the same way it does every night. Automated. Routine. Trusted.

But somewhere in that process — between source code and signed binary — something extra slips in.


SUNSPOT

A piece of malware called SUNSPOT has been watching the build pipeline for months. It monitors running processes, and when it sees the Orion build start it quietly swaps one source file for a backdoored version before the compiler reads it. Once the compile finishes it puts the original back, so the checked-in source never looks modified.

The resulting binary is signed with SolarWinds' own code-signing certificate and shipped to customers as a routine Orion update.

MoveFileEx(originalFile, tempBackup, ...)     // back up the real source file
MoveFileEx(maliciousFile, originalFile, ...)  // drop the backdoored copy in its place
// the compiler reads the swapped source; the build proceeds normally
MoveFileEx(tempBackup, originalFile, ...)     // restore the original once the compile finishes

No alarms. The binary passes every signature check, because by the only measure that check applies it is legitimate: SolarWinds' own build process compiled it and signed it. A code signature proves who signed a binary, not what went into it.
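To make that last point concrete, here is an added example (not code from the page, and not SolarWinds' build system) that replays the swap in a toy build and runs three checks against the result. The file names, the one-line "compiler" and the HMAC standing in for the code-signing certificate are assumptions made for the demonstration; the name InventoryManager.cs follows the public reporting on SUNSPOT.

```python
"""Added example, not code from the page or from SolarWinds: a toy build that
reproduces the SUNSPOT swap and shows which check catches it. The file names,
the one-line 'compiler', and the HMAC stand-in for the code-signing certificate
are all assumptions made for the demonstration."""
import hashlib
import hmac
import os
import tempfile
from pathlib import Path

# Stand-in for SolarWinds' release signing key; the real one is a certificate.
SIGNING_KEY = b"release-signing-key-stand-in"


def sha256(data):
    return hashlib.sha256(data).hexdigest()


def compile_and_sign(src_dir):
    """Toy compiler: concatenates the .cs files into a 'binary' and signs it.
    It also records the hash of every source file exactly as it was read,
    which is the provenance a build attestation should capture."""
    consumed = {}
    binary = b""
    for path in sorted(Path(src_dir).glob("*.cs")):
        data = path.read_bytes()          # the read SUNSPOT intercepts
        consumed[path.name] = sha256(data)
        binary += data
    signature = hmac.new(SIGNING_KEY, binary, "sha256").hexdigest()
    return binary, signature, consumed


def sunspot_swap(src_dir, target, backdoored, build):
    """Replays the MoveFileEx sequence: back up the target, drop the backdoored
    copy in its place, let the build run, restore the original afterwards."""
    original = Path(src_dir) / target
    backup = Path(src_dir) / (target + ".bk")
    os.replace(original, backup)
    original.write_bytes(backdoored)
    try:
        return build(src_dir)
    finally:
        os.replace(backup, original)       # the tree looks untouched again


def signature_ok(binary, signature):
    expected = hmac.new(SIGNING_KEY, binary, "sha256").hexdigest()
    return hmac.compare_digest(expected, signature)


def tree_hashes(src_dir):
    return {p.name: sha256(p.read_bytes()) for p in Path(src_dir).glob("*.cs")}


def demo():
    """Runs a clean build and a SUNSPOT-style build and reports what each
    check says. Returns the verdicts so they can be asserted on."""
    with tempfile.TemporaryDirectory() as d:
        src = Path(d)
        (src / "InventoryManager.cs").write_bytes(b"class InventoryManager { /* clean */ }")
        (src / "Program.cs").write_bytes(b"class Program { }")
        expected = tree_hashes(src)        # what version control says the inputs are

        clean_bin, clean_sig, clean_consumed = compile_and_sign(src)
        bad_bin, bad_sig, bad_consumed = sunspot_swap(
            src, "InventoryManager.cs",
            b"class InventoryManager { /* backdoored */ }", compile_and_sign)
        after = tree_hashes(src)           # a post-build scan of the source tree

    return {
        "binaries_differ": clean_bin != bad_bin,
        "signature_passes": signature_ok(bad_bin, bad_sig),          # True: the build signed it
        "source_tree_scan_passes": after == expected,                 # True: original restored
        "compile_time_provenance_passes": bad_consumed == expected,   # False: inputs as read differ
        "clean_provenance_passes": clean_consumed == expected,
    }


if __name__ == "__main__":
    for check, verdict in demo().items():
        print(f"{check}: {verdict}")
```

The signature check and a scan of the source tree both pass on the backdoored build, because the signature was produced by the legitimate pipeline and the original file is back in place by the time anyone looks. The only check that fails is the one that hashes the inputs at the moment the compiler reads them and compares them with what version control says they should be, which is what build attestation schemes record.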


The Beacon

Up to eighteen thousand organisations install the update.

Within each installation the backdoor, later named SUNBURST, sleeps for up to fourteen days. Then it reaches out: a DNS query for a subdomain of avsvmcloud.com, with the victim's identity encoded in the hostname.

A connection to a server somewhere on the Internet. Owned by the hackers.

Not dramatic. Not a lightning bolt across the sky. A single, quiet line on a network diagram.

That is all it takes.
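That quiet line is also the first thing a defender can look for. The following is an added example, not code from the page, that hunts for the beacon in resolver logs and works out how long after the update it appeared. The log lines, host names, install dates and the random-looking leftmost labels are constructed; the appsync-api.<region> shape of the name follows public reporting on SUNBURST, and the only real indicator is avsvmcloud.com itself.

```python
"""Added example, not code from the page: hunting the SUNBURST beacon in
resolver logs. The log lines, host names, install dates and the random-looking
leftmost labels are all constructed; the only real indicator is avsvmcloud.com."""
from datetime import datetime

C2_DOMAIN = "avsvmcloud.com"

# Constructed resolver log, one query per line: <UTC timestamp> <client> <name>
DNS_LOG = """\
2020-03-26T09:14:02Z build-agent-03 updates.solarwinds.com
2020-04-10T03:12:44Z orion-prod-01 7sbvaemscs0mc925tb99.appsync-api.eu-west-1.avsvmcloud.com
2020-04-10T03:12:45Z orion-prod-01 ad.example.net
2020-04-11T18:40:19Z orion-prod-01 k5kcubuassl3alrf7gm3.appsync-api.us-east-2.avsvmcloud.com
2020-04-11T21:03:07Z fileserver-02 avsvmcloud.com.lookalike.test
"""

# Constructed: when each host applied the trojanised Orion update.
INSTALLED = {"orion-prod-01": "2020-03-27T00:00:00Z"}


def parse_ts(text):
    return datetime.strptime(text, "%Y-%m-%dT%H:%M:%SZ")


def is_c2_query(qname):
    """Match avsvmcloud.com itself or any real subdomain of it. A plain
    substring test would also fire on lookalike names that merely contain it."""
    name = qname.lower().rstrip(".")
    return name == C2_DOMAIN or name.endswith("." + C2_DOMAIN)


def hunt(log=DNS_LOG, installed=INSTALLED):
    """Return, per client that queried the C2 domain, the number of queries,
    the first one seen, and how many days after the update install it came."""
    hits = {}
    for line in log.splitlines():
        ts_text, host, qname = line.split()
        if not is_c2_query(qname):
            continue
        ts = parse_ts(ts_text)
        entry = hits.setdefault(host, {"queries": 0, "first_seen": ts})
        entry["queries"] += 1
        entry["first_seen"] = min(entry["first_seen"], ts)
    for host, entry in hits.items():
        if host in installed:
            delay = entry["first_seen"] - parse_ts(installed[host])
            entry["days_after_install"] = delay.days
        else:
            entry["days_after_install"] = None
    return hits


if __name__ == "__main__":
    for host, entry in hunt().items():
        print(host, entry)
```

Two things the sample is built to show: the match is on the registered domain and its subdomains, so the lookalike name on the last line does not fire, and the first beacon from the Orion host lands fourteen days after the install date, which is why a hunt for this indicator needs a lookback window of weeks rather than days.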


Attribution

The attackers are eventually identified as APT29 — also known as Cozy Bear — operating on behalf of Russian foreign intelligence, the SVR.

The backdoored updates have been shipping since March 2020. Nobody notices until December, when FireEye, itself a victim, traces its own intrusion back to the Orion update. Nine months.


How did we get here? To answer that, we have to go back.

Back to 1971. To a research lab in Cambridge, Massachusetts, wired into the ARPANET. To the very first program that ever copied itself across a network.

Back to the beginning.


→ Chapter 1: Creeper & Reaper