CSINT Research Workstation
Disclaimer

This lab uses public incident reporting and sanitized synthetic artifacts for defensive OSINT training. Real incidents are referenced for educational context only. The interactive data is fictionalized and must not be used to identify, contact, expose, or accuse real people.

Case 01 / Supply Chain / 2020

SolarWinds Orion Compromise

Reconstruct the timeline and analyze public indicators of compromise (IOCs) from the SolarWinds Orion supply-chain attack.

Source Assessment

Excellent. Coordinated public disclosures from government cybersecurity agencies (CISA among them) and the vendors directly involved (SolarWinds and FireEye), later corroborated by other major security vendors.

Last Audited: 2026-05-23

Incident Brief & Analytical Mission

In December 2020, FireEye, while investigating a breach of its own network, uncovered a highly sophisticated supply-chain attack on SolarWinds Orion network management software. The attackers compromised the software build process and injected a backdoor (known as SUNBURST) into a legitimately signed Orion component, SolarWinds.Orion.Core.BusinessLayer.dll, which shipped in official updates downloaded by thousands of public- and private-sector organizations worldwide. The campaign was characterized by strong operational security and slow, deliberate evasion: the backdoor lay dormant for up to two weeks before its first DNS beacon. It was initially assessed to be state-sponsored, and the US government later formally attributed it to Russia's SVR; the timeline and IOC work below treat that attribution as a claim to be kept separate from the forensic record.

Investigative Mission

As a defensive analyst, you must reconstruct the compromise timeline using CISA advisory metadata, evaluate vendor responses, map the backdoor's behavior through defanged public IOCs, and separate confirmed facts from early attribution hypotheses.

Evidence Console #01 / 03

Compromise Execution Timeline

Reconstructed chronological events based on public reports. Highlight key anomalies.

Sept 2019 / Anomalous Access

Attackers gain initial unauthorized access to the SolarWinds development network.

Nov 2019 / Silent Probe

Test code injected into the Orion build pipeline (no malicious payload; a trial run to confirm that modified code would pass through the build and signing process unnoticed).

Feb 2020 / Backdoor Compiled

SUNBURST backdoor compiled into SolarWinds.Orion.Core.BusinessLayer.dll and signed with SolarWinds' own code-signing certificate, starting with Orion release 2019.4 HF 5.

March 2020 / Distribution

Validly signed hotfix package containing SUNBURST published through the official customer update portal, indistinguishable from a legitimate release to anyone checking the signature.

Dec 2020 / Disclosure

Incident publicly disclosed by FireEye, SolarWinds, and CISA (CISA Emergency Directive 21-01 ordered affected Orion instances disconnected).

Investigative Checklist Tasks

  • 01

    Review the chronologically ordered timeline cards to estimate how long the backdoor remained undetected in the wild (from first distribution to public disclosure); note that month-level cards give only an approximate figure, and record that limitation.

  • 02

    Analyze the synthetic IOC table to determine the primary DNS C2 domain used for initial system check-in.

  • 03

    Separate forensic facts (for example, a validly signed trojanized DLL, or DGA-style subdomain resolutions observed in DNS logs) from attribution claims (which nation-state actor was responsible), and label each with how it was established: observed, reported, or inferred.

  • 04

    Write a safe, defensive final assessment in the Evidence Notebook using proper uncertainty labels.
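The four checklist steps as one script, added here as a worked example; it is not the lab's own tooling. Everything it consumes is constructed for illustration: the defanged IOC table (including the placeholder SHA-256), the DNS log lines (domains under the reserved .example TLD) and the notebook records. The day-level distribution and disclosure dates used for the undetected window are assumptions refining the month-level cards above, and the rule that routes notebook records into Fact, Signal and Inference sections is this example's own convention, not a rule the lab states.

```python
"""Checklist steps 01-04 as a script. Added example, not the lab's own code.
Every IOC, hash, DNS log line and notebook record below is constructed for
illustration; the domains use the reserved .example TLD."""
import csv
import io
import re
from datetime import date, datetime

# Advisories publish indicators defanged ("[.]", "hxxp") so they cannot be
# clicked or auto-resolved. Refang only in memory, for matching; anything
# that goes into a report keeps (or gets) the defanged form.
def refang(ioc):
    s = ioc.strip().replace("[.]", ".").replace("(.)", ".").replace("[:]", ":")
    return re.sub(r"^hxxp(s?)(?=:)", r"http\1", s, flags=re.IGNORECASE)

def defang(ioc):
    s = re.sub(r"^http(s?)(?=:)", r"hxxp\1", ioc.strip(), flags=re.IGNORECASE)
    return s.replace(".", "[.]")

IOC_TABLE = """type,value,source,basis
domain,orion-telemetry[.]example,vendor advisory,reported
domain,stage2-cdn[.]example,government advisory,reported
sha256,0f1e2d3c4b5a69788796a5b4c3d2e1f00f1e2d3c4b5a69788796a5b4c3d2e1f0,vendor advisory,reported
"""  # constructed table; the hash is a placeholder, not a real file hash

def parse_ioc_table(text):
    rows = list(csv.DictReader(io.StringIO(text)))
    for r in rows:
        r["live"] = refang(r["value"])  # matching form only; never publish it
    return rows

# Constructed DNS log, deliberately out of order: orion-02 beacons first.
DNS_LOG = """\
2020-04-02T03:11:09Z host=orion-01 q=ntp.corp.example rtype=A
2020-04-02T03:14:40Z host=orion-01 q=k3j2h.orion-telemetry.example rtype=A
2020-04-18T09:40:51Z host=orion-01 q=stage2-cdn.example rtype=A
2020-03-30T22:05:12Z host=orion-02 q=9qz7a.orion-telemetry.example rtype=A
"""
_LINE = re.compile(r"^(?P<ts>\S+) host=(?P<host>\S+) q=(?P<q>\S+) rtype=\S+$")

def _under(query, domain):
    q, d = query.lower().rstrip("."), domain.lower().rstrip(".")
    return q == d or q.endswith("." + d)  # DGA-style labels sit under the C2 domain

def first_checkin(dns_log, iocs):
    """Step 02: earliest query hitting a domain IOC; None if nothing matched."""
    domains = [r for r in iocs if r["type"] == "domain"]
    hits = []
    for line in dns_log.splitlines():
        m = _LINE.match(line)
        if not m:
            continue  # malformed line: skip rather than guess
        for r in domains:
            if _under(m["q"], r["live"]):
                hits.append({"ts": datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ"),
                             "host": m["host"], "query": defang(m["q"]),
                             "ioc": r["value"], "source": r["source"]})
    return min(hits, key=lambda h: h["ts"]) if hits else None

def undetected_days(distributed, disclosed):
    """Step 01: days from first distribution to public disclosure (ISO dates)."""
    return (date.fromisoformat(disclosed) - date.fromisoformat(distributed)).days

# Steps 03 and 04. Routing rule is this example's convention, not the lab's:
# observed and free of actor language -> Fact; reported second-hand -> Signal;
# inferred, or naming an actor whatever the basis -> Inference.
BASIS = {"observed", "reported", "inferred"}
_ACTOR = re.compile(r"\b(apt\d*|nation-state|state-sponsored|svr|attributed)\b", re.I)

def classify(record):
    if record.get("basis") not in BASIS:
        raise ValueError(f"record lacks an uncertainty label: {record!r}")
    if record["basis"] == "inferred" or _ACTOR.search(record["statement"]):
        return "Inference"
    return "Fact" if record["basis"] == "observed" else "Signal"

NOTEBOOK = [  # constructed records
    {"statement": "Quarantined hotfix DLL carries a valid SolarWinds code signature",
     "basis": "observed", "source": "analyst check of quarantined file"},
    {"statement": "orion-02 resolved 9qz7a.orion-telemetry[.]example at 2020-03-30T22:05:12Z",
     "basis": "observed", "source": "DNS log"},
    {"statement": "Advisory lists stage2-cdn[.]example as second-stage infrastructure",
     "basis": "reported", "source": "government advisory"},
    {"statement": "Press coverage says the activity is attributed to APT29",
     "basis": "reported", "source": "news article"},
]

def draft_report(records):
    sections = {"Fact": [], "Signal": [], "Inference": []}
    for r in records:
        sections[classify(r)].append(f"- [{r['basis']}] {r['statement']} ({r['source']})")
    return sections

if __name__ == "__main__":
    print(first_checkin(DNS_LOG, parse_ioc_table(IOC_TABLE)))
    print(undetected_days("2020-03-26", "2020-12-13"))  # assumed day-level dates
    print(draft_report(NOTEBOOK))
```

Two design points carry over to real casework: matching is done on the refanged copy but every value that reaches the report (the `ioc` and `query` fields, the notebook statements) stays defanged, and a record with no uncertainty label is rejected rather than silently filed as a fact, so a report cannot be generated from unlabelled evidence.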

Analyst Notebook

Evidence Notebook

Use this panel to log individual threads of evidence. Your entries are saved locally in this browser only.


Report Desk

Report Drafting Board

REPORT PREVIEW
# CSINT Incident Lab Report

## Research Question
What was the duration and primary mechanism of the SUNBURST command and control check-in?

## Summary
No analyst summary provided yet.

## Fact
- No forensic facts recorded in the notebook.

## Signal
- No analytical signals logged.

## Inference
- No alternative explanations recorded.

## Recommendation
- No next-pivot recommendations recorded.

## Confidence
Low

## Limitations
No limitation notes entered.

## Source reliability
Not assessed. Annotate each source with its reliability tier before publishing.

## Information validity
Not assessed. Confirm whether each item is directly observed, reported, or inferred.

## Missing context
Not recorded. List what data is missing or could not be verified from public sources.

## Next safe steps
- No next safe steps specified.

## Sources used
- No source references listed.
