How Volexity Discovered the SolarWinds Hacking Campaign
An interview with Volexity President Steven Adair about how his team stumbled upon the "cyber espionage campaign of the decade" — but didn't know it — five months before it got publicly exposed.
In the summer of 2020, the security firm Volexity was doing incident response on a U.S. think tank’s network for a run-of-the-mill breach when they realized a second, more sophisticated band of hackers was inside the network as well. This group — which Volexity dubbed “Dark Halo” — was stealing email from policy wonks and others who worked for the think tank.
Volexity booted the group out of the network, but they returned using a backdoor they had planted on a think tank system back in 2016 — they had left it on the network for three years as a contingency plan in order to get back in if they were ever booted out. Volexity kicked them out again and deleted the backdoor, only to have the hackers return in the spring of 2020, using a vulnerability in the organization’s Microsoft Exchange server. Microsoft had released a patch for the vulnerability a few months earlier, but the think tank had not applied it to its server.
Once in the network this time, the hackers — believed to be linked to Russia’s foreign intelligence service known as the SVR — used a stealthy technique the Volexity investigators had never seen before to bypass the think tank’s Duo multi-factor authentication system and steal email from an account. They used a username and password for the email account, but tricked the system into letting them in without a multi-factor code.
Volexity kicked them out again, only to discover them in the think tank’s network yet again a few months later. How they got in this time was a mystery. Investigators traced their activity back to a server that was running software made by the Austin-based company SolarWinds. They suspected the software, called Orion, had a backdoor embedded in it that the hackers had used to slip into the network. But Volexity was unable to find the malicious portal.
They booted the hackers out one final time, but the mystery of how they got in lingered for months — that is, until the security firm Mandiant revealed in December that it had discovered a backdoor in the Orion software. The revelation exposed what has become known as the cyber espionage campaign of the decade.
I told some of the story of Volexity’s showdown with the hackers in a feature article published in WIRED magazine’s upcoming June issue. Here I’m providing paid subscribers of Zero Day with an interview I did with Volexity President Steven Adair in March 2021, recounting how his team of sleuths encountered the Russian hackers in the think tank’s network multiple times over many months. Adair talks about the luck that led them to the discovery, the frustration of not being able to solve the mystery around how the hackers got in the final time, and the relief months later when Mandiant confirmed what Adair’s team had suspected all along but had not been able to prove. The interview has been edited for length, clarity and flow.