Cyber Resilience

SolarWinds Compromise · C0024 · state

🇷🇺 RU · SVR

aka SolarWinds Compromise

Run by APT29

Last updated: 2026-07-03

2 attributed CVEs
96 ATT&CK techniques
4.8 IDF score (tooling uniqueness)
0 exclusive CVEs
2021–2026 years active

About this actor

The [SolarWinds Compromise](https://attack.mitre.org/campaigns/C0024) was a sophisticated supply chain cyber operation conducted by [APT29](https://attack.mitre.org/groups/G0016) that was discovered in mid-December 2020. [APT29](https://attack.mitre.org/groups/G0016) used customized malware to inject malicious code into the SolarWinds Orion software build process that was later distributed through a normal software update; they also used password spraying, token theft, API abuse, spear phishing, and other supply chain attacks to compromise user accounts and leverage their associated access. Victims of this campaign included government, consulting, technology, telecom, and other organizations in North America, Europe, Asia, and the Middle East. This activity has been labeled the StellarParticle campaign in industry reporting.(Citation: CrowdStrike StellarParticle January 2022) Industry reporting also initially referred to the actors involved in this campaign as UNC2452, NOBELIUM, Dark Halo, and SolarStorm.(Citation: SolarWinds Advisory Dec 2020)(Citation: SolarWinds Sunburst Sunspot Update January 2021)(Citation: FireEye SUNBURST Backdoor December 2020)(Citation: Volexity SolarWinds)(Citation: CrowdStrike StellarParticle January 2022)(Citation: Unit 42 SolarStorm December 2020)(Citation: Microsoft Analyzing Solorigate Dec 2020)(Citation: Microsoft Internal Solorigate Investigation Blog) In April 2021, the US and UK governments attributed the [SolarWinds Compromise](https://attack.mitre.org/campaigns/C0024) to Russia's Foreign Intelligence Service (SVR); public statements included citations to [APT29](https://attack.mitre.org/groups/G0016), Cozy Bear, and The Dukes.(Citation: NSA Joint Advisory SVR SolarWinds April 2021)(Citation: UK NSCS Russia SolarWinds April 2021)(Citation: Mandiant UNC2452 APT29 April 2022) The US government assessed that of the approximately 18,000 affected public and private sector customers of SolarWinds' Orion product, a much smaller number

Source: MITRE ATT&CK

Profile

| CVE | Risk | CVSS | EPSS | Published | Products |
|---|---|---|---|---|---|
| CVE-2020-8554 | 6.0 | 6.3 | 0.3120 | 2021-01-21 | see CVE |
| CVE-2026-20929 | 5.5 | 7.5 | 0.0114 | 2026-01-13 | see CVE |

Mitigating controls (NIST 800-53)

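| Control | Techniques covered | Coverage |
|---|---|---|
| SI-4 | 59 / 96 | 61% |
| CM-6 | 58 / 96 | 60% |
| AC-3 | 55 / 96 | 57% |
| AC-6 | 52 / 96 | 54% |
| AC-2 | 50 / 96 | 52% |
| CM-2 | 46 / 96 | 48% |
| CM-7 | 39 / 96 | 41% |
| IA-2 | 38 / 96 | 40% |
| CA-7 | 37 / 96 | 39% |
| AC-5 | 36 / 96 | 38% |
| CM-5 | 34 / 96 | 35% |
| SI-3 | 32 / 96 | 33% |
| SI-7 | 32 / 96 | 33% |
| AC-4 | 26 / 96 | 27% |
| SC-7 | 24 / 96 | 25% |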
