Episode 03: The SolarWinds Attack — Technical Breakdown
They didn't break in. They were invited. By a software update every security system confirmed was legitimate.
This is the companion technical breakdown for Zero Day Logs Episode 03.
In 2020, a foreign intelligence service walked through the front doors of the US Treasury, the Department of Homeland Security, and parts of the Department of Defense. They were invited by a software update that every security check confirmed was completely legitimate. Because it was.
The full technical breakdown covers the SUNBURST backdoor architecture — the build pipeline compromise, the 12-14 day sandbox evasion, DNS covert command-and-control, and the selective activation of approximately 100 of 18,000 infected networks. It documents how FireEye’s investigation of its own breach exposed one of the largest intelligence operations in history, the three missing controls and what each would and would not have stopped against a nation-state adversary, and the formal attribution to APT29 and the Russian SVR.
It also covers what changed after — from Executive Order 14028 mandating software bills of materials, to the SEC case against SolarWinds that was dismissed in November 2025.
