SolarWinds Compromise · C0024 · state
🇷🇺 RU · SVR
aka SolarWinds Compromise
Run by APT29
Last updated: 2026-07-03
About this actor
The [SolarWinds Compromise](https://attack.mitre.org/campaigns/C0024) was a sophisticated supply chain cyber operation conducted by [APT29](https://attack.mitre.org/groups/G0016) that was discovered in mid-December 2020. [APT29](https://attack.mitre.org/groups/G0016) used customized malware to inject malicious code into the SolarWinds Orion software build process that was later distributed through a normal software update; they also used password spraying, token theft, API abuse, spear phishing, and other supply chain attacks to compromise user accounts and leverage their associated access. Victims of this campaign included government, consulting, technology, telecom, and other organizations in North America, Europe, Asia, and the Middle East. This activity has been labeled the StellarParticle campaign in industry reporting.(Citation: CrowdStrike StellarParticle January 2022) Industry reporting also initially referred to the actors involved in this campaign as UNC2452, NOBELIUM, Dark Halo, and SolarStorm.(Citation: SolarWinds Advisory Dec 2020)(Citation: SolarWinds Sunburst Sunspot Update January 2021)(Citation: FireEye SUNBURST Backdoor December 2020)(Citation: Volexity SolarWinds)(Citation: CrowdStrike StellarParticle January 2022)(Citation: Unit 42 SolarStorm December 2020)(Citation: Microsoft Analyzing Solorigate Dec 2020)(Citation: Microsoft Internal Solorigate Investigation Blog) In April 2021, the US and UK governments attributed the [SolarWinds Compromise](https://attack.mitre.org/campaigns/C0024) to Russia's Foreign Intelligence Service (SVR); public statements included citations to [APT29](https://attack.mitre.org/groups/G0016), Cozy Bear, and The Dukes.(Citation: NSA Joint Advisory SVR SolarWinds April 2021)(Citation: UK NSCS Russia SolarWinds April 2021)(Citation: Mandiant UNC2452 APT29 April 2022) The US government assessed that of the approximately 18,000 affected public and private sector customers of SolarWinds’ Orion product, a much smaller number
Source: MITRE ATT&CK
Activity timeline
- 2026 — 1 CVE published
- 2021 — 1 CVE published
Profile
| CVE | Risk | CVSS | EPSS | Published | Products |
|---|---|---|---|---|---|
| CVE-2020-8554 | 6.0 | 6.3 | 0.3120 | 2021-01-21 | see CVE |
| CVE-2026-20929 | 5.5 | 7.5 | 0.0114 | 2026-01-13 | see CVE |
T1003, T1003.006, T1005, T1016, T1016.001, T1018, T1021, T1021.001, T1021.002, T1021.006, T1036, T1036.004, T1036.005, T1047, T1048, T1048.002, T1053, T1053.005, T1057, T1059, T1059.001, T1059.003, T1059.005, T1069, T1069.002, T1070, T1070.004, T1070.006, T1070.008, T1071, T1071.001, T1074, T1074.002, T1078, T1078.002, T1078.003, T1078.004, T1083, T1087, T1087.002, T1090, T1090.001, T1098, T1098.001, T1098.002, T1098.003, T1098.005, T1105, T1114, T1114.002, T1133, T1140, T1190, T1195, T1195.002, T1199, T1213, T1213.003, T1218, T1218.011, T1482, T1484, T1484.002, T1539, T1546, T1546.003, T1550, T1550.001, T1550.004, T1552, T1552.004, T1553, T1553.002, T1555, T1555.003, T1558, T1558.003, T1560, T1560.001, T1568, T1583, T1583.001, T1584, T1584.001, T1587, T1587.001, T1589, T1589.001, T1606, T1606.001, T1606.002, T1665, T1680, T1685, T1685.001, T1686
Mitigating controls (NIST 800-53)
| Control | Techniques covered | Coverage |
|---|---|---|
| SI-4 | 59 / 96 | 61% |
| CM-6 | 58 / 96 | 60% |
| AC-3 | 55 / 96 | 57% |
| AC-6 | 52 / 96 | 54% |
| AC-2 | 50 / 96 | 52% |
| CM-2 | 46 / 96 | 48% |
| CM-7 | 39 / 96 | 41% |
| IA-2 | 38 / 96 | 40% |
| CA-7 | 37 / 96 | 39% |
| AC-5 | 36 / 96 | 38% |
| CM-5 | 34 / 96 | 35% |
| SI-3 | 32 / 96 | 33% |
| SI-7 | 32 / 96 | 33% |
| AC-4 | 26 / 96 | 27% |
| SC-7 | 24 / 96 | 25% |
Co-occurring actors
- APT29: 2 shared CVEs
- Mustang Panda: 1 shared CVE
- APT38: 1 shared CVE
- Tonto Team: 1 shared CVE
- Ember Bear: 1 shared CVE
- GOLD SOUTHFIELD: 1 shared CVE
- Aquatic Panda: 1 shared CVE
- APT28: 1 shared CVE
- Sandworm Team: 1 shared CVE
- Ajax Security Team: 1 shared CVE
Similar actors
Similar TTPs
- Operation Wocao 0.35
- Chimera 0.31
- FIN13 0.31
- Magic Hound 0.30
- APT41 0.29
Active in same years
- SharePoint ToolShell Exploitation 2.00
- APT29 2.00
- Leviathan 2.00
- C0018 1.00
- Operation Dream Job 1.00
Same nation-state
Same category
- Night Dragon 1.00
- FunnyDream 1.00
- C0011 1.00
- Operation Wocao 1.00
- Operation Dream Job 1.00