
Introduction
The recent breach of SolarWinds’ Orion software posed a grave national security threat and shook the financial and business sector’s faith in American cyber-defensive capabilities. This paper will focus on the lessons learned thus far from the SolarWinds Orion software breach concerning how it affects U.S. policy regarding the insertion of backdoors into proprietary applications by foreign governments. This paper will cover the academic theories used to study the threat, research methods, the subsequent findings, policy implications, and the practical application of the lessons learned.
Threat
The SolarWinds hack is likely the largest breach in US cybersecurity history and has been classified by US intelligence agencies as a Russian technical threat. The hackers exploited a vulnerability within the Orion software to facilitate Russia’s cyber espionage and clandestine collection of US proprietary and government secrets (Morris and Hackett, 2021). The alleged Russian hackers stole information from Microsoft, Cisco, Intel, Deloitte, and multiple federal agencies, including the US Treasury and the Department of Energy (Morris and Hackett, 2021). The Russian Foreign Intelligence Service (SVR) has a hacking branch referred to as APT29 or “Cozy Bear”, which is likely responsible for the attack, per US intelligence agencies (Muggah, 2021). There is also a possibility that the Czech-based but Russian-founded company JetBrains may have been involved, via its TeamCity product, in spreading the malware (Muggah, 2021). Russia has denied its involvement in the hack and maintains that it does not engage in offensive cyber operations (Muggah, 2021).
The US currently uses a private-public partnership model for its cybersecurity, which has demonstrated its vulnerability to attacks similar to the one conducted against SolarWinds (Morris and Hackett, 2021). FireEye, the private cybersecurity firm that discovered and publicized the malware, actually had no legal obligation to go public with its findings (Morris and Hackett, 2021). Because 300,000 people use SolarWinds and 18,000 received the infected Orion update, both the business and financial sectors are “spooked” (Muggah, 2021). The Cybersecurity and Infrastructure Security Agency (CISA) has also informed all levels of federal, state, and local government agencies of the increased risk of similar attacks (Muggah, 2021).
Former President Trump undermined CISA’s and the intelligence community’s credibility with the American public by dismissing their findings, siding with Russian President Putin’s denial of his country’s involvement, and suggesting that perhaps China was to blame for the breach (Muggah, 2021). While the former president’s statement was false (US intelligence agencies unanimously attribute the backdoor placed in the Orion software to Russian hackers), the FBI later asserted that China also exploited a different SolarWinds vulnerability in a separate, concurrent incident. On February 2, 2021, Reuters broke the story that the FBI had identified a separate attack on SolarWinds software that used the same tactics, techniques, and procedures as state-affiliated Chinese hackers. The attack resulted in the compromise of federal payroll records within the US Department of Agriculture (Bing et al., 2021). However, there is no evidence that the two attacks were related or a collaborative effort.
SolarWinds itself does not, as yet, attribute the smaller, secondary attack to any state-run entity. The company asserts that the hackers did not access the Department of Agriculture’s network via SolarWinds, but rather by another entry point (Bing et al., 2021). Once inside the network, the hackers then infiltrated the SolarWinds software (Bing et al., 2021).
Academic Theories
This historic breach must be studied by the counterintelligence community to identify and thwart future cyber espionage attacks. Cyber counterintelligence, or CCI, is an area of study that “aims at detecting, deterring, preventing, degrading, exploiting and neutralization adversarial attempts to collect, alter or in any other way breach the C-I-A valued information assets through cyber means and proactively degrade such adversaries.” (Duvenage, Jaquire, and von Solms, 2020). These are exactly the actions the United States needs to take to deal with the impact of the SolarWinds hack.
There are three avenues or areas of focus in which CCI academics can specialize: protecting infrastructure, identifying insider threats, and researching and developing technical tools. Disciplinary adherents disagree about the relative importance of each vein of study, with the insider threat being the most popular. However, for the field to succeed and develop, all three areas need attention. Due to the state of the current threat landscape, Duvenage, Jaquire, and von Solms argue that CCI technology should receive the lion’s share of the discipline’s research. After all, developing technologies are what set apart nations with larger CCI budgets from their less-resourced counterparts (Duvenage, Jaquire, and von Solms, 2020).
Unfortunately, cyber counterintelligence is considered a “niche” subfield of counterintelligence academic research, whose adherents primarily work in classified areas of government agencies. Counterintelligence is generally studied in those same nationalistic, classified settings, by small groups of intelligence professionals. While Intelligence Studies has made its way into mainstream academia, Counterintelligence Studies remains tightly cocooned within intelligence agencies. This hampers academic publications, as nationally classified documents cannot be published to the international community as a whole (Duvenage, Jaquire, and von Solms, 2020).
However, as the SolarWinds fiasco demonstrates, the private sector has much to contribute to cybersecurity as both a practical and an academic discipline – it was, after all, a private cybersecurity company that identified the breach, sounded the alarm, and provided the initial assessment of the threat. Further public/private sector academic cooperation should be encouraged (Duvenage, Jaquire, and von Solms, 2020).
Other academics, such as Hank Prunckun, author of Counterintelligence Theory and Practice, lament the lack of a unified counterintelligence theory in academic circles. Prunckun did, however, admire Loch K. Johnson’s efforts. Johnson included counterintelligence within a greater theory of strategic intelligence. Johnson theorized that “(1) the affluence of the entity conducting intelligence work will affect its ability to protect its secrets; and (2) a feedback loop must be incorporated into counterintelligence operations to ensure that if there is a failure, the causes can be addressed.” (Prunckun, 2019). Prunckun notes that Johnson’s theory was not complete or comprehensive. Notably, it fails to explain how the US, which has a far greater GDP than Russia, was so thoroughly exploited by the SolarWinds breach.
Methods
Unfortunately, because of the compromise of multiple sensitive federal agency networks, much of the current academic research on the SolarWinds/Orion breach is likely classified and unavailable to the academic community or the public at large (Duvenage, Jaquire, and von Solms, 2020). Most of what the public knows has come from generalized, concisely worded statements by government officials, and the more extensive findings have been published by private cybersecurity firms, like FireEye.
FireEye, who discovered the threat, published the infrastructure of the backdoor, which it calls SUNBURST, along with countermeasures on its GitHub page: https://github.com/fireeye/sunburst_countermeasures (FireEye, 2020). Details of SUNBURST and other vulnerabilities in the Orion software can be accessed at MITRE’s Common Vulnerabilities and Exposures (CVE) database, which is a peer-reviewed forum that allows for the publication of discovered vulnerabilities and patches (CVE, 2020).
One of the key takeaways from the SolarWinds incident was the need for organizations to better vet contracting companies, especially those who manage an organization’s cybersecurity supply chain. Ideally, vendor threat assessments should be conducted during annual supply chain audits. However, again, this may not have prevented the SolarWinds breach, as the company had a trusted reputation amongst federal agencies (Lin, 2020). Threat assessments must include detailed reviews of the CVE database. Identified weaknesses that do not have vendor-issued patches should be highlighted and incorporated into assessment findings and audit reports. If a network administrator can openly view them, so can an attacker, who may already be working on a way to exploit the known vulnerability.
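The vendor review described above can be made concrete as a cross-reference of an organization’s product inventory against published advisory records, with weaknesses that have no vendor patch surfaced first. The following is an added illustration, not code from the paper or from any cited source or vendor; the inventory, the advisory records, the vendor and product names, and the `EXAMPLE-000x` identifiers are all constructed placeholders, and the affected-range fields are an assumed simplification of how a CVE entry describes affected versions.

```python
"""Vendor vulnerability review for an ICT supply-chain risk assessment.

Added illustration. All vendors, products, versions and advisory IDs below are
constructed placeholders, not real advisory data.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


def parse_version(version: str) -> Tuple[int, ...]:
    """Turn a dotted version string into a comparable tuple: '2020.2.1' -> (2020, 2, 1)."""
    return tuple(int(part) for part in version.split("."))


@dataclass(frozen=True)
class Advisory:
    """One vulnerability-database entry (assumed shape, constructed data)."""
    vuln_id: str
    vendor: str
    product: str
    affected_from: str               # first affected version (inclusive)
    affected_before: Optional[str]   # first unaffected version (exclusive); None = every later version affected
    fixed_in: Optional[str]          # vendor patch version; None = no vendor patch published


@dataclass(frozen=True)
class DeployedProduct:
    """One line of the organization's ICT supply-chain inventory."""
    vendor: str
    product: str
    version: str
    owner: str   # team accountable for the product


def is_affected(adv: Advisory, deployed: DeployedProduct) -> bool:
    """True when the deployed version falls inside the advisory's affected range."""
    if (adv.vendor, adv.product) != (deployed.vendor, deployed.product):
        return False
    v = parse_version(deployed.version)
    if v < parse_version(adv.affected_from):
        return False
    if adv.affected_before is not None and v >= parse_version(adv.affected_before):
        return False
    return True


def assess(inventory: List[DeployedProduct], advisories: List[Advisory]) -> List[Dict]:
    """Cross-reference the inventory against advisories, one finding per match.

    Findings with no vendor patch sort first: those are the ones an audit
    report must highlight, because the exposure cannot be closed by patching.
    """
    findings: List[Dict] = []
    for item in inventory:
        for adv in advisories:
            if not is_affected(adv, item):
                continue
            findings.append({
                "vuln_id": adv.vuln_id,
                "vendor": item.vendor,
                "product": item.product,
                "deployed_version": item.version,
                "owner": item.owner,
                "status": "NO_VENDOR_PATCH" if adv.fixed_in is None else "PATCH_AVAILABLE",
                "fixed_in": adv.fixed_in,
            })
    findings.sort(key=lambda f: (f["status"] != "NO_VENDOR_PATCH", f["vuln_id"]))
    return findings


# Constructed sample inventory and advisories (placeholders, not real data).
INVENTORY = [
    DeployedProduct("ExampleVendor", "NetMonitor", "2020.2.1", "network-ops"),
    DeployedProduct("ExampleVendor", "NetMonitor", "2020.4.0", "lab"),
    DeployedProduct("OtherVendor", "Backup", "3.1.0", "storage"),
]
ADVISORIES = [
    Advisory("EXAMPLE-0001", "ExampleVendor", "NetMonitor", "2019.4", "2020.4.0", "2020.4.0"),
    Advisory("EXAMPLE-0002", "ExampleVendor", "NetMonitor", "2020.2", None, None),
    Advisory("EXAMPLE-0003", "OtherVendor", "Backup", "3.2.0", None, "3.2.5"),
]

if __name__ == "__main__":
    for f in assess(INVENTORY, ADVISORIES):
        print(f"{f['status']:16} {f['vuln_id']}  {f['vendor']}/{f['product']} "
              f"{f['deployed_version']}  owner={f['owner']}  fixed_in={f['fixed_in']}")
```

On the constructed data the report lists the two unpatched exposures to `EXAMPLE-0002` before the one exposure that a vendor patch already covers, and ignores the advisory whose affected range does not include the deployed version. A real assessment would replace the inline records with an export from the CVE database and the organization’s actual asset inventory.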
The breach of Orion was considered an Information and Communication Technology (ICT) supply chain attack. In 2019, CISA, which falls under the Department of Homeland Security (DHS), documented 180 ICT supply chain threats to government networks (Harris, 2020). The Government Accountability Office (GAO) reviewed federal ICT Supply Chain Risk Management (SCRM) procedures and as a result, identified 145 areas within 23 agencies that needed to improve/rise to the National Institute of Standards and Technology (NIST)’s threshold for best practices (Harris, 2020). NIST’s seven principles for secure ICT SCRM practices include executive management of the process, having an agency-wide standard for ICT SCRM processes, standardized procedures for documenting/updating ICT supply chain elements, regular ICT supply chain risk assessments, regular ICT vendor risk assessments that focus on their product development, standardizing vendor requirements, and a robust detection plan for assessing ICT products (Harris, 2020).
The previously cited GAO report noted that the 23 agencies that had ICT SCRM deficiencies attributed them to a lack of federal standards/requirements for the ICT SCRM process (Harris, 2020). The Federal Acquisition Security Council was supposed to deliver some of the requested recommendations circa December 2020 (Harris, 2020).
Any company or agency that has the Orion product should install the patch and conduct a forensic review of the malware’s penetration of their network (PR Newswire, 2020). Network administrators must safely segment their networks to ensure that threats can be better controlled once identified (PR Newswire, 2020). These are industry-standard practices and incident responses. However, it is important to note that FireEye, who discovered the malware, maintains that it was their efforts to go above and beyond industry standards that allowed the intrusion to be identified as “soon” as it was (Turton and Mehrotra, 2020). Soon is a relative term, and it is important to note that the breach may have initially occurred as early as March 2020 (Lin, 2020).
Another approach might be to limit the complexity and functionality of systems for the sake of security. The more complexity and functionality that is incorporated into the software, the greater the threat surface area is (Lin, 2020). Granted, it can be difficult to ask a company to give up functionality for the sake of a threat that has not yet been realized.
Theoretically, CCI needs to engage in greater cooperation with private cyber security firms and move from being a niche, government agency-only exclusive club, to allowing more contributions from the private sector, whose members may be on the cutting edge of newer technologies. This is difficult to balance with the need for security clearances and other safeguards for government secrets, but SolarWinds makes a strong case for the necessity of the effort.
Findings
Orion is a network monitoring product created by SolarWinds which was compromised when allegedly Russian hackers injected malicious code into a software update (PR Newswire, 2020). As previously noted, the breach was discovered by cybersecurity company FireEye, who dubbed the malware “SUNBURST” (FireEye, 2020). As of December 15, 2020, twenty-five organizations were compromised, but SolarWinds estimated that 18,000 Orion users were potentially impacted (Turton and Mehrotra, 2020). Not only is data confidentiality at stake, but the potential compromise of data integrity is of great concern. For example, the erasure or alteration of a pharmaceutical allergy in a medical record could have deadly consequences (Lin, 2020). It has been reported that the Orion software manages physical environmental controls in facilities, which raises concerns about a bad actor’s ability to stop operations via power cuts (Lin, 2020).
The SolarWinds/Orion breach is currently attributed to Russian hackers, possibly Russia’s APT29/Cozy Bear organization (Turton and Mehrotra, 2020). Multiple US federal entities are among those impacted by the breach, including the Department of Energy’s National Nuclear Security Administration, which, as is frequently emphasized in the press coverage of the crisis, is in charge of the US nuclear stockpile (Lin, 2020). Though there is no evidence at this point, experts believe there is a high probability that additional elements of the attack remain undetected. Some networks may still be actively monitored by Russian elements. Another fear is that hackers implanted logic bombs, which can be set to wreak havoc on future dates (Lin, 2020).
The implications of the breach shook consumer and constituent confidence in US companies, departments, and agencies (Lin, 2020). Senators Richard Durbin and Mitt Romney declared the SolarWinds attack as akin to an invasion of US sovereignty (Lin, 2020).
The US has been guilty of even more blatant “virtual invasions” as well. From World War II up until 2018, Swiss company Crypto AG was utilized by 120 foreign governments to encrypt their communications, and at its peak facilitated 40% of the world’s diplomatic correspondence (Miller, 2020). In February 2020, it was revealed that rather than being a private security company, Crypto AG had been managed and later purchased by the CIA. The company was a joint US/German intelligence venture that allowed those entities to access encrypted customer data (Lin, 2020). The operation was first code-named Thesaurus and later Rubicon (Miller, 2020). Intelligence on the Iranian hostage crisis, the Falklands War, the 1986 Berlin disco bombing, and possibly multiple assassination attempts and ethnic cleansings was obtained by the CIA through this program. The CIA may have shared this intelligence with its Five Eyes partners and close allies (Miller, 2020).
Kaspersky, a Russian anti-virus company, and China’s Huawei are suspected of being similar to Crypto AG in that they likely have built-in back doors for their respective parent government’s spy agencies (Miller, 2020).
There is a continued risk that elements of the malware remain active in the US Treasury, Homeland Security, and Energy departments, meaning that Russian actors may still have eyes on national-security-relevant traffic (Lin, 2020). It will be enormously costly in terms of financing, labor hours, and data loss, but the only way to ensure that those networks are safe may be to reconstruct them from the ground up (Lin, 2020).
Policies and Policy Gaps
The SolarWinds breach is considered an act of cyber espionage by US intelligence agencies (Morris and Hackett, 2021). The current policy on international spying is that espionage, per se, is a “tolerated feature of international relations” that might result in condemnation or sanctions but is usually not a catalyst for war (Muggah, 2021). The former Obama Administration Cyber Czar previously stated “… anything that goes beyond espionage …we reserve the right to escalate” (meaning any data manipulation or physical ramifications of the SolarWinds breach) (Morris and Hackett, 2021, 66). Thus far, the SolarWinds attack does not seem to have reached beyond the designation of espionage; however, its scale is such that many are calling for a strong US condemnation or sanction.
Espionage committed by US citizens/residents is governed by the Espionage Act of 1917 which was established at the beginning of World War I by President Woodrow Wilson. The original Espionage Act imposed $10,000 fines and potentially 20-year prison sentences on violators (Partridge and Zahadat, 2018). The act has been challenged as an affront to free (specifically anti-war) speech but has been consistently upheld by the Supreme Court. In 1996, the Economic Espionage Act was passed, which punished those who stole U.S. trade secrets for the benefit of a foreign government/entity. The Economic Espionage Act may also apply to any trade secrets obtained by Russia in the SolarWinds breach, though the US does not have jurisdiction over Russian nationals. The US could, however, prosecute any US-based collaborators (Partridge and Zahadat, 2018, 29).
Some suggest that the Espionage and Economic Espionage Acts need to be updated for the current cyber threat landscape and to make the reporting of corporate espionage more amenable (Partridge and Zahadat, 2018). Despite the passage of the Economic Espionage Act, businesses are hesitant to report incidents of corporate espionage, for fear that the news will hurt their sales and professional reputations. Equifax served as a cautionary tale; after going public with their breach, they saw a mass exodus of clientele (Partridge and Zahadat, 2018).
Concerningly, both the Espionage and Economic Espionage Acts have been used to prosecute whistle-blowers, such as the National Security Agency (NSA)’s Thomas Drake, who raised the alarm about illegal surveillance of US persons by the NSA post-9/11. Unlike Edward Snowden, Thomas Drake went through the NSA’s Inspector General, but his concerns were dismissed. Only then did he go to the Baltimore Sun newspaper, which eventually led to him being federally prosecuted under the Espionage Acts and forced to plead guilty to a misdemeanor (Partridge and Zahadat, 2018). The Baltimore Sun did not face similar litigation, as media companies are not held to the same standards as federal agencies and their agents under the Fourth Amendment (Partridge and Zahadat, 2018).
While the Fourth Amendment is the most famous piece of privacy policy, other US Acts that provide for the protection of personal data include the Privacy Act of 1974, the Computer Fraud and Abuse Act, the Electronic Communications Privacy Act, and the Freedom of Information Act (Partridge and Zahadat, 2018, 30). If personally identifying information ended up in Russian hands and was misused in the SolarWinds breach, an individual who had entrusted their personal data to one of the hacked entities might be able to make a case for damages, provided they could prove negligence.
On January 1, 2021, Congress had to overrule President Trump’s veto to pass the National Defense Authorization Act (NDAA), which created the Office of the National Cyber Director within the executive branch (Morris and Hackett, 2021, 66). The National Cyber Director will help the president coordinate cyber policy among the different federal agencies, including the Cyber Bureau at the State Department (Morris and Hackett, 2021). Previously, President Trump dealt a blow to CISA by firing its director (Morris and Hackett, 2021, 67). However, the January 1, 2021 passage of the NDAA included measures to bolster CISA’s position (Morris and Hackett, 2021).
The defense supply chain that builds US warplanes utilizes private contracting companies; however, those companies are subject to certain regulations, which the cybersecurity/tech supply chain is not beholden to (Morris and Hackett, 2021). In contrast, Singapore has developed a model where the government regulates private companies via a system that heavily involves tech subject matter experts helping to format the regulations. After incorporating the tech subject matter experts’ input, the government then codifies the requirements for licensure (Colarik et al., 2017).
The US university system has not been producing enough cybersecurity professionals to keep up with the national demand: there is an estimated shortage of half the necessary personnel, with hundreds of thousands of unfilled positions nationwide (Morris and Hackett, 2021, 68). To help mitigate this issue, Congress created the Cyberspace Solarium Commission to “reform U.S. cybersecurity” and cybersecurity counterintelligence (Morris and Hackett, 2021, 68).
The Biden administration pledged in December to “hold accountable those responsible for the [SolarWinds] attacks” (Morris and Hackett, 2021, 65). President Biden selected Anne Neuberger, a leader within the NSA, to be his National Security Council cyber advisor (Morris and Hackett, 2021). President Biden’s resolve, expert counsel, the creation of the National Cyber Director, the State Department’s Cyber Bureau, and the new powers endowed to CISA may help in crafting policy to better protect the US from other disasters similar to what occurred with SolarWinds.
Regulations similar to those that govern the use of contracting companies for the defense supply chain must be applied to the US cybersecurity/tech supply chain (Morris and Hackett, 2021). Cybersecurity breach disclosure laws must be changed and updated to enforce and encourage more reporting. As existing European laws dictate, significant breaches should be channeled to the appropriate federal agency for further trend analysis (Morris and Hackett, 2021, 69). However, the current system does not sufficiently incentivize corporations to offset the possibility of reputational and economic losses.
Application
The SolarWinds/Orion breach occurred due to multiple failures of US policy to regulate the supply chain contracting system and to promote cyber counterintelligence cooperation between the private and public sectors. Cyber counterintelligence as a field of academic study needs to develop a cohesive, comprehensive theory that encompasses not only insider threats but also technological developments and better cyber infrastructure protections. Once a unified theory is in place, public academia will have a clearer path forward and will be able to contribute more to the field. More than anything, the SolarWinds attack demonstrates the need for better public/private cooperation in the cyber counterintelligence and cybersecurity fields.
Part of the public sector’s responsibility includes warning the private sector of potential Russian/Chinese proprietary backdoors in Kaspersky and Huawei products. For guidance from cyber government agencies, like CISA, to have authority with the American people, the executive branch needs to support and listen to CISA’s counsel and give them a seat at the decision-making table, thereby bolstering their public standing.
It is worth noting that if the US would prefer not to be the victim of state-sponsored espionage via backdoors in proprietary software, it needs to abstain from, or at the very least, not get caught engaging in such enterprises as it was with Crypto AG. The State Department’s Cyber Bureau should be a key partner in crafting a better American International Cyber Policy that discourages nations, perhaps including the US, from abusing proprietary software.
Conclusion
Cybersecurity policy and laws in the US need to be updated to meet the current threat landscape. CISA needs to have a seat at the table to assist in executive and legislative decision-making, stricter breach-disclosure laws need to be created, the ICT SCRM chain needs to be regulated, and more cybersecurity and cyber counterintelligence personnel need to be trained through the university system in a public/private cooperative effort. These things can be encouraged and codified via both legislative and executive action. The US invented the internet, but it is now lagging behind in the cybersecurity realm (Morris and Hackett, 2021). The above changes must be implemented as soon as possible so that the US may regain its standing in the international community and thwart future attacks.
Bibliography
Bing, Christopher, Jack Stubbs, Raphael Satter, and Joseph Menn. “EXCLUSIVE-Suspected Chinese Hackers Used SolarWinds Bug to Spy on U.S. Payroll Agency –Sources.” Reuters. Thomson Reuters, February 2, 2021. https://www.reuters.com/article/cyber-solarwinds-china/exclusive-suspected-chinese-hackers-used-solarwinds-bug-to-spy-on-u-s-payroll-agency-sources-idUSL1N2K82BX.
Colarik, Andrew M., Julian Jang-Jaccard, and Anuradha Mathrani. Cyber Security and Policy: A Substantive Dialogue. Massey Defence and Security Series. Auckland, New Zealand: Massey University Press, 2017. https://search-ebscohost-com.ezproxy.bellevue.edu/login.aspx?direct=true&db=nlebk&AN=1587426&site=eds-live.
“CVE-2020-14005.” CVE. Accessed January 2, 2021. https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-14005.
Duvenage, Petrus, Victor Jaquire, and Sebastian von Solms. 2020. “Cyber Counterintelligence: Some Contours towards the Academic Research Agenda.” Proceedings of the European Conference on Cyber Warfare & Security, January, 107–16. doi:10.34190/EWS.20.053.
FireEye. “Highly Evasive Attacker Leverages SolarWinds Supply Chain to Compromise Multiple Global Victims With SUNBURST Backdoor.” FireEye, December 13, 2020. https://www.fireeye.com/blog/threat-research/2020/12/evasive-attacker-leverages-solarwinds-supply-chain-compromises-with-sunburst-backdoor.html.
Flor, Nick V., and Kenneth Guillory. 2011. “Technology Corner: Internet Packet Sniffers.” Journal of Digital Forensics, Security & Law 6 (1): 77–84. https://search-ebscohost-com.ezproxy.bellevue.edu/login.aspx?direct=true&db=tsh&AN=63020145&site=eds-live.
Harris, Carol C. 2020. “INFORMATION TECHNOLOGY: Federal Agencies Need to Take Urgent Action to Manage Supply Chain Risks.” GAO Reports, December, i-68. https://search-ebscohost-com.ezproxy.bellevue.edu/login.aspx?direct=true&db=f6h&AN=147666046&site=eds-live.
“How Orion Platform Products Work.” Documentation for SolarWinds. Accessed January 3, 2021. https://documentation.solarwinds.com/en/Success_Center/orionplatform/Content/Core-How-Orion-Works-sw1625.htm.
Lin, Herb. “Reflections on the SolarWinds Breach.” Lawfare, December 29, 2020. https://www.lawfareblog.com/reflections-solarwinds-breach.
Miller, Greg. “The CIA Secretly Bought a Company That Sold Encryption Devices across the World. Then Its Spies Sat Back and Listened.” The Washington Post. WP Company, February 11, 2020. https://www.washingtonpost.com/graphics/2020/world/national-security/cia-crypto-encryption-machines-espionage/.
Morris, David Z., and Robert Hackett. “After SolarWinds: Untangling America’s Cybersecurity Mess.” Fortune 183, no. 1 (February 2021): 62–69. https://search-ebscohost-com.ezproxy.bellevue.edu/login.aspx?direct=true&db=bth&AN=148372727&site=eds-live.
Muggah, Robert. “Why the Latest Cyberattack Was Different.” Foreign Policy, January 11, 2021. https://foreignpolicy.com/2021/01/11/cyberattack-hackers-russia-svr-gru-solarwinds-virus-internet/.
“Multiple Vulnerabilities in SolarWinds Orion Could Allow for Arbitrary Code Execution.” CIS. Accessed January 2, 2021. https://www.cisecurity.org/advisory/multiple-vulnerabilities-in-solarwinds-orion-could-allow-for-arbitrary-code-execution_2020-166/.
Partridge, Whitney, and Nima Zahadat. 2018. “A Look at the Espionage Act of 1917 for the Internet Age.” ISSA Journal 16 (11): 27–31. https://search-ebscohost-com.ezproxy.bellevue.edu/login.aspx?direct=true&db=tsh&AN=132806093&site=eds-live.
PR Newswire. 2020. “Organizations Impacted by SolarWinds Breach Need Long-Term Strategy.” PR Newswire US, December 21. https://search-ebscohost-com.ezproxy.bellevue.edu/login.aspx?direct=true&db=bwh&AN=202012211154PR.NEWS.USPR.PH30780&site=eds-live.
Prunckun, Hank. 2019. Counterintelligence Theory and Practice. Second edition. Security and Professional Intelligence Education Series (SPIES). Lanham: Rowman & Littlefield Publishers. https://search-ebscohost-com.ezproxy.bellevue.edu/login.aspx?direct=true&db=nlebk&AN=1989089&site=eds-live.
Turton, William, and Kartikay Mehrotra. “FireEye Discovered SolarWinds Breach While Probing Own Hack.” Bloomberg.com, December 15, 2020, N.PAG. https://search-ebscohost-com.ezproxy.bellevue.edu/login.aspx?direct=true&db=bth&AN=147620438&site=eds-live.