
SolarWinds

US IT monitoring vendor whose 2020 SUNBURST supply-chain compromise established identity as the primary enterprise attack surface.

Last refreshed: 17 April 2026

Key Question

Why is SolarWinds still the benchmark for how badly a single compromise can spread?

Timeline for SolarWinds

Mentioned in: IR staff pleaded guilty to using ALPHV

Cybersecurity: Threats and Defences

Common Questions

What happened in the SolarWinds hack?

In 2020, Russia's SVR compromised SolarWinds' Orion software update, installing a backdoor (SUNBURST) on approximately 18,000 government and corporate networks, including multiple US federal departments. It is the primary reference case for software supply-chain attacks.

Source: CISA / FCEB

Why does everyone still talk about SolarWinds in 2026?

SolarWinds established identity and trusted-software channels as primary attack surfaces. The 2026 Stryker MDM wipe is the most direct successor: Handala achieved 200,000-device impact via a single identity credential, confirming the SolarWinds lesson was not operationally absorbed.

Source: Lowdown analysis

Background

SolarWinds was the reference event in the Stryker incident analysis: the 2020 SUNBURST supply-chain compromise and the 2022 Okta Lapsus$ access together established "identity is the new perimeter" as industry doctrine. The Stryker MDM wipe is assessed in the briefing as the first post-doctrine demonstration that the identity plane can be weaponised at 200,000-device scale with zero malware, despite five years of Zero Trust adoption rhetoric.

SolarWinds is a US IT management software company whose Orion platform was compromised in 2020 via a malicious update (SUNBURST) that installed a backdoor on approximately 18,000 government and corporate networks. The affected networks included the US Treasury, Commerce, State and Energy departments. The attack is widely attributed to Russia's SVR (Foreign Intelligence Service). The SEC subsequently brought charges against SolarWinds and its CISO over alleged inadequate disclosures about the incident.

For the cybersecurity industry, SolarWinds established supply-chain compromise and trusted-software-update abuse as primary attack vectors. The Stryker comparison illustrates how adversaries are not merely repeating the SolarWinds playbook but extending it: from supply-chain compromise to direct identity-plane abuse via legitimate administrative tools, removing even the need for a malicious software update.