{"id":39166,"date":"2021-01-12T19:35:06","date_gmt":"2021-01-12T19:35:06","guid":{"rendered":"https:\/\/www.threatshub.org\/blog\/solarwinds-malware-was-sneaked-out-of-the-firms-orion-build-environment-6-months-before-anyone-realised-it-was-there-report\/"},"modified":"2021-01-12T19:35:06","modified_gmt":"2021-01-12T19:35:06","slug":"solarwinds-malware-was-sneaked-out-of-the-firms-orion-build-environment-6-months-before-anyone-realised-it-was-there-report","status":"publish","type":"post","link":"https:\/\/www.threatshub.org\/blog\/solarwinds-malware-was-sneaked-out-of-the-firms-orion-build-environment-6-months-before-anyone-realised-it-was-there-report\/","title":{"rendered":"SolarWinds malware was sneaked out of the firm&#8217;s Orion build environment 6 months before anyone realised it was there \u2013 report"},"content":{"rendered":"<p>The malware that was utilised to hack SolarWinds checked to see whether software used to compile the firm&#8217;s Orion product was running before deploying its payload, according to Crowdstrike.<\/p>\n<p>In a blog post late last night, the infosec firm said <a target=\"_blank\" href=\"https:\/\/www.theregister.com\/2021\/01\/04\/solarwinds_malware_confirmed\/\" rel=\"noopener noreferrer\">the Orion-targeting malware<\/a>, which it codenamed Sunspot, had &#8220;several safeguards&#8221; to ensure its deployment of compromised code into new Orion builds didn&#8217;t trigger SolarWinds&#8217; suspicions.<\/p>\n<p>Orion is SolarWinds&#8217; network management software and was in wide use by a number of companies and governments. The breach first came to light when the illicit access was used to gain entry into FireEye\u2019s networks.<\/p>\n<p>In a detailed technical analysis, Crowdstrike said: &#8220;The design of SUNSPOT suggests StellarParticle developers invested a lot of effort to ensure the code was properly inserted and remained undetected, and prioritized operational security to avoid revealing their presence in the build environment to SolarWinds developers.&#8221;<\/p>\n<p>StellarParticle is Crowdstrike&#8217;s codename for whoever developed the malware. 
While nobody has yet made a firm public attribution, Kaspersky <a target=\"_blank\" href=\"https:\/\/www.theregister.com\/2021\/01\/12\/solarwinds_russia_kaspersky\/\" rel=\"noopener noreferrer\">advanced the theory<\/a> that the Sunspot malware shared features with nasties emitted by the Turla crew \u2013 who have previously been linked to the Russian state. An early attribution by the Washington Post <a target=\"_blank\" href=\"https:\/\/www.theregister.com\/2020\/12\/14\/solarwinds_fireeye_cozybear_us_government\/\" rel=\"noopener noreferrer\">linked the malware to APT29<\/a>, a known Russian hacking group, though American government officials have so far not confirmed that. It does appear to be the most likely explanation based on evidence in the public domain to date.<\/p>\n<h3 class=\"crosshead\"> <span>Avoiding detection<\/span><br \/>\n<\/h3>\n<p>Crowdstrike said when Sunspot detected \u201cthe Orion solution file path in a running MsBuild.exe process, it replaces a source code file in the solution directory, with a malicious variant to inject SUNBURST while Orion is being built.\u201d It added: \u201cThe malicious source code for SUNBURST, along with target file paths, are stored in AES128-CBC encrypted blobs and are protected using the same key and initialization vector.\u201d<\/p>\n<p>To prevent detection, Sunburst\u2019s creators \u201cincluded a hash verification check\u201d to ensure the injected malicious code \u201cis compatible with a known source file\u201d. 
Once the build process was complete, Sunburst waited for MsBuild.exe to exit \u201cbefore restoring the original source code and deleting the temporary InventoryManager.bk file\u201d containing its malicious code, now compiled into the Orion product.<\/p>\n<p>SolarWinds itself, in a related <a target=\"_blank\" href=\"https:\/\/orangematter.solarwinds.com\/2021\/01\/11\/new-findings-from-our-investigation-of-sunburst\/\" rel=\"noopener noreferrer\">post<\/a>, said the malicious people behind the malware had accessed its systems in September 2019, begun testing its access a week later and conducted a two-month &#8220;trial run&#8221; without being detected. The Sunburst malware was deployed on 20 February 2020 and removed on 4 June last year.<\/p>\n<p>It took until 12 December for SolarWinds to realise that its build systems had been compromised to distribute signed, malicious updates to its customers. Three days after notification the company issued a patch for Orion, but the damage had long been done by then.<\/p>\n<h3 class=\"crosshead\"> <span>May have been used twice before<\/span><br \/>\n<\/h3>\n<p>SolarWinds also said in its lengthy blog post that the malware may have been used on other occasions before the FireEye compromise.<\/p>\n<p>&#8220;To date,&#8221; said the firm, &#8220;we have identified two previous customer support incidents during the timeline referenced above that, with the benefit of hindsight, we believe may be related to SUNBURST. We investigated the first in conjunction with our customer and two third-party security companies. At that time, we did not determine the root cause of the suspicious activity or identify the presence of the SUNBURST malicious code within our Orion Platform software.&#8221;<\/p>\n<p>The second instance took place in November last year, &#8220;and similarly, we did not identify the presence of the SUNBURST malicious code,&#8221; said SolarWinds.<\/p>\n<p>The malware, having been used to compromise FireEye, prompted a panicked wave of reactions across the Western world once it was discovered. The US CISA infosec agency ordered American government agencies to disconnect SolarWinds appliances from their networks, while Orion is <a target=\"_blank\" href=\"https:\/\/www.theregister.com\/2020\/12\/14\/solarwinds_public_sector\/\" rel=\"noopener noreferrer\">known to be in widespread use by the British government<\/a>.<\/p>\n<p>Public attention was drawn to <a target=\"_blank\" href=\"https:\/\/www.theregister.com\/2020\/12\/16\/solarwinds_stock_sale\/\" rel=\"noopener noreferrer\">the sale of hundreds of millions of dollars of SolarWinds 
shares<\/a> by two US venture capital firms days before news of the hack was announced. Both firms involved, Silver Lake and Thoma Bravo, deny wrongdoing; insider trading is a criminal offence. Based on SolarWinds&#8217; own timeline, the two investors sold up before SolarWinds itself was aware of the hack: two days after the sale, the company announced it was taking on a new CEO; three days later, the hack was discovered; five days later the world was told. Sometimes there is such a thing as coincidence. \u00ae<\/p>\n<p> READ MORE <a href=\"https:\/\/go.theregister.com\/feed\/www.theregister.com\/2021\/01\/12\/solarwinds_tech_analysis_crowdstrike\/\">HERE<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p>Crowdstrike tech analysts explain how they think it slipped under the radar The malware that was utilised to hack SolarWinds checked to see whether software used to compile the firm&#8217;s Orion product was running before deploying its payload, according to Crowdstrike.\u2026 READ MORE HERE&#8230;<\/p>\n","protected":false},"author":2,"featured_media":0,"comment_status":"closed","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"colormag_page_layout":"default_layout","footnotes":""},"categories":[63],"tags":[],"class_list":["post-39166","post","type-post","status-publish","format-standard","hentry","category-the-register"],"yoast_head":"<!-- This site is optimized with the Yoast SEO plugin v27.8 - https:\/\/yoast.com\/product\/yoast-seo-wordpress\/ -->\n<title>SolarWinds malware was sneaked out of the firm&#039;s Orion build environment 6 months before anyone realised it was there \u2013 report 2026 | ThreatsHub Cybersecurity News<\/title>\n<meta name=\"description\" content=\"ThreatsHub Cybersecurity News | ThreatsHub.org | Cloud Security &amp; Cyber Threats Analysis Hub. 
100% Free OSINT Threat Intelligent and Cybersecurity News.\" \/>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<link rel=\"canonical\" href=\"https:\/\/www.threatshub.org\/blog\/solarwinds-malware-was-sneaked-out-of-the-firms-orion-build-environment-6-months-before-anyone-realised-it-was-there-report\/\" \/>\n<meta property=\"og:locale\" content=\"en_US\" \/>\n<meta property=\"og:type\" content=\"article\" \/>\n<meta property=\"og:title\" content=\"SolarWinds malware was sneaked out of the firm&#039;s Orion build environment 6 months before anyone realised it was there \u2013 report 2026 | ThreatsHub Cybersecurity News\" \/>\n<meta property=\"og:description\" content=\"ThreatsHub Cybersecurity News | ThreatsHub.org | Cloud Security &amp; Cyber Threats Analysis Hub. 100% Free OSINT Threat Intelligent and Cybersecurity News.\" \/>\n<meta property=\"og:url\" content=\"https:\/\/www.threatshub.org\/blog\/solarwinds-malware-was-sneaked-out-of-the-firms-orion-build-environment-6-months-before-anyone-realised-it-was-there-report\/\" \/>\n<meta property=\"og:site_name\" content=\"ThreatsHub Cybersecurity News\" \/>\n<meta property=\"article:published_time\" content=\"2021-01-12T19:35:06+00:00\" \/>\n<meta property=\"og:image\" content=\"https:\/\/pubads.g.doubleclick.net\/gampad\/ad?co=1&amp;iu=\/6978\/reg_security\/front&amp;sz=300x250&amp;tile=2&amp;c=2YALQ4J6J9TxuXW66eJ5dPgAAANY&amp;t=ct%3Dns%26unitnum%3D2%26raptor%3Dcondor%26pos%3Dtop%26test%3D0\" \/>\n<meta name=\"author\" content=\"TH Author\" \/>\n<meta name=\"twitter:card\" content=\"summary_large_image\" \/>\n<meta name=\"twitter:creator\" content=\"@threatshub\" \/>\n<meta name=\"twitter:site\" content=\"@threatshub\" \/>\n<meta name=\"twitter:label1\" content=\"Written by\" \/>\n\t<meta name=\"twitter:data1\" content=\"TH Author\" \/>\n\t<meta name=\"twitter:label2\" content=\"Est. 
reading time\" \/>\n\t<meta name=\"twitter:data2\" content=\"4 minutes\" \/>\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\\\/\\\/schema.org\",\"@graph\":[{\"@type\":\"Article\",\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/solarwinds-malware-was-sneaked-out-of-the-firms-orion-build-environment-6-months-before-anyone-realised-it-was-there-report\\\/#article\",\"isPartOf\":{\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/solarwinds-malware-was-sneaked-out-of-the-firms-orion-build-environment-6-months-before-anyone-realised-it-was-there-report\\\/\"},\"author\":{\"name\":\"TH Author\",\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/#\\\/schema\\\/person\\\/12e0a8671ff89a863584f193e7062476\"},\"headline\":\"SolarWinds malware was sneaked out of the firm&#8217;s Orion build environment 6 months before anyone realised it was there \u2013 report\",\"datePublished\":\"2021-01-12T19:35:06+00:00\",\"mainEntityOfPage\":{\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/solarwinds-malware-was-sneaked-out-of-the-firms-orion-build-environment-6-months-before-anyone-realised-it-was-there-report\\\/\"},\"wordCount\":770,\"publisher\":{\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/#organization\"},\"image\":{\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/solarwinds-malware-was-sneaked-out-of-the-firms-orion-build-environment-6-months-before-anyone-realised-it-was-there-report\\\/#primaryimage\"},\"thumbnailUrl\":\"https:\\\/\\\/pubads.g.doubleclick.net\\\/gampad\\\/ad?co=1&amp;iu=\\\/6978\\\/reg_security\\\/front&amp;sz=300x250&amp;tile=2&amp;c=2YALQ4J6J9TxuXW66eJ5dPgAAANY&amp;t=ct%3Dns%26unitnum%3D2%26raptor%3Dcondor%26pos%3Dtop%26test%3D0\",\"articleSection\":[\"The 
Register\"],\"inLanguage\":\"en-US\"},{\"@type\":\"WebPage\",\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/solarwinds-malware-was-sneaked-out-of-the-firms-orion-build-environment-6-months-before-anyone-realised-it-was-there-report\\\/\",\"url\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/solarwinds-malware-was-sneaked-out-of-the-firms-orion-build-environment-6-months-before-anyone-realised-it-was-there-report\\\/\",\"name\":\"SolarWinds malware was sneaked out of the firm's Orion build environment 6 months before anyone realised it was there \u2013 report 2026 | ThreatsHub Cybersecurity News\",\"isPartOf\":{\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/#website\"},\"primaryImageOfPage\":{\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/solarwinds-malware-was-sneaked-out-of-the-firms-orion-build-environment-6-months-before-anyone-realised-it-was-there-report\\\/#primaryimage\"},\"image\":{\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/solarwinds-malware-was-sneaked-out-of-the-firms-orion-build-environment-6-months-before-anyone-realised-it-was-there-report\\\/#primaryimage\"},\"thumbnailUrl\":\"https:\\\/\\\/pubads.g.doubleclick.net\\\/gampad\\\/ad?co=1&amp;iu=\\\/6978\\\/reg_security\\\/front&amp;sz=300x250&amp;tile=2&amp;c=2YALQ4J6J9TxuXW66eJ5dPgAAANY&amp;t=ct%3Dns%26unitnum%3D2%26raptor%3Dcondor%26pos%3Dtop%26test%3D0\",\"datePublished\":\"2021-01-12T19:35:06+00:00\",\"description\":\"ThreatsHub Cybersecurity News | ThreatsHub.org | Cloud Security & Cyber Threats Analysis Hub. 
100% Free OSINT Threat Intelligent and Cybersecurity News.\",\"breadcrumb\":{\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/solarwinds-malware-was-sneaked-out-of-the-firms-orion-build-environment-6-months-before-anyone-realised-it-was-there-report\\\/#breadcrumb\"},\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/solarwinds-malware-was-sneaked-out-of-the-firms-orion-build-environment-6-months-before-anyone-realised-it-was-there-report\\\/\"]}]},{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/solarwinds-malware-was-sneaked-out-of-the-firms-orion-build-environment-6-months-before-anyone-realised-it-was-there-report\\\/#primaryimage\",\"url\":\"https:\\\/\\\/pubads.g.doubleclick.net\\\/gampad\\\/ad?co=1&amp;iu=\\\/6978\\\/reg_security\\\/front&amp;sz=300x250&amp;tile=2&amp;c=2YALQ4J6J9TxuXW66eJ5dPgAAANY&amp;t=ct%3Dns%26unitnum%3D2%26raptor%3Dcondor%26pos%3Dtop%26test%3D0\",\"contentUrl\":\"https:\\\/\\\/pubads.g.doubleclick.net\\\/gampad\\\/ad?co=1&amp;iu=\\\/6978\\\/reg_security\\\/front&amp;sz=300x250&amp;tile=2&amp;c=2YALQ4J6J9TxuXW66eJ5dPgAAANY&amp;t=ct%3Dns%26unitnum%3D2%26raptor%3Dcondor%26pos%3Dtop%26test%3D0\"},{\"@type\":\"BreadcrumbList\",\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/solarwinds-malware-was-sneaked-out-of-the-firms-orion-build-environment-6-months-before-anyone-realised-it-was-there-report\\\/#breadcrumb\",\"itemListElement\":[{\"@type\":\"ListItem\",\"position\":1,\"name\":\"Home\",\"item\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/\"},{\"@type\":\"ListItem\",\"position\":2,\"name\":\"SolarWinds malware was sneaked out of the firm&#8217;s Orion build environment 6 months before anyone realised it was there \u2013 
report\"}]},{\"@type\":\"WebSite\",\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/#website\",\"url\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/\",\"name\":\"ThreatsHub Cybersecurity News\",\"description\":\"%%focuskw%% Threat Intel \u2013 Threat Intel Services \u2013 CyberIntelligence \u2013 Cyber Threat Intelligence - Threat Intelligence Feeds - Threat Intelligence Reports - CyberSecurity Report \u2013 Cyber Security PDF \u2013 Cybersecurity Trends - Cloud Sandbox \u2013- Threat IntelligencePortal \u2013 Incident Response \u2013 Threat Hunting \u2013 IOC - Yara - Security Operations Center \u2013 SecurityOperation Center \u2013 Security SOC \u2013 SOC Services - Advanced Threat - Threat Detection - TargetedAttack \u2013 APT \u2013 Anti-APT \u2013 Advanced Protection \u2013 Cyber Security Services \u2013 Cybersecurity Services -Threat Intelligence Platform\",\"publisher\":{\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/#organization\"},\"alternateName\":\"Threatshub.org\",\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/?s={search_term_string}\"},\"query-input\":{\"@type\":\"PropertyValueSpecification\",\"valueRequired\":true,\"valueName\":\"search_term_string\"}}],\"inLanguage\":\"en-US\"},{\"@type\":\"Organization\",\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/#organization\",\"name\":\"ThreatsHub.org\",\"alternateName\":\"Threatshub.org\",\"url\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/\",\"logo\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/#\\\/schema\\\/logo\\\/image\\\/\",\"url\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/wp-content\\\/uploads\\\/2025\\\/05\\\/Threatshub_Favicon1.jpg\",\"contentUrl\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/wp-content\\\/uploads\\\/2025\\\/05\\\/Threatshub_Favicon1.jpg\",\"width\":432,\"height\":435,\"caption\":\"ThreatsHub.org\
"},\"image\":{\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/#\\\/schema\\\/logo\\\/image\\\/\"},\"sameAs\":[\"https:\\\/\\\/x.com\\\/threatshub\"]},{\"@type\":\"Person\",\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/#\\\/schema\\\/person\\\/12e0a8671ff89a863584f193e7062476\",\"name\":\"TH Author\",\"image\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\\\/\\\/secure.gravatar.com\\\/avatar\\\/066276f086d5155df79c850206a779ad368418a844da0182ce43f9cd5b506c3d?s=96&d=mm&r=g\",\"url\":\"https:\\\/\\\/secure.gravatar.com\\\/avatar\\\/066276f086d5155df79c850206a779ad368418a844da0182ce43f9cd5b506c3d?s=96&d=mm&r=g\",\"contentUrl\":\"https:\\\/\\\/secure.gravatar.com\\\/avatar\\\/066276f086d5155df79c850206a779ad368418a844da0182ce43f9cd5b506c3d?s=96&d=mm&r=g\",\"caption\":\"TH Author\"}}]}<\/script>\n<!-- \/ Yoast SEO plugin. -->","yoast_head_json":{"title":"SolarWinds malware was sneaked out of the firm's Orion build environment 6 months before anyone realised it was there \u2013 report 2026 | ThreatsHub Cybersecurity News","description":"ThreatsHub Cybersecurity News | ThreatsHub.org | Cloud Security & Cyber Threats Analysis Hub. 100% Free OSINT Threat Intelligent and Cybersecurity News.","robots":{"index":"index","follow":"follow","max-snippet":"max-snippet:-1","max-image-preview":"max-image-preview:large","max-video-preview":"max-video-preview:-1"},"canonical":"https:\/\/www.threatshub.org\/blog\/solarwinds-malware-was-sneaked-out-of-the-firms-orion-build-environment-6-months-before-anyone-realised-it-was-there-report\/","og_locale":"en_US","og_type":"article","og_title":"SolarWinds malware was sneaked out of the firm's Orion build environment 6 months before anyone realised it was there \u2013 report 2026 | ThreatsHub Cybersecurity News","og_description":"ThreatsHub Cybersecurity News | ThreatsHub.org | Cloud Security & Cyber Threats Analysis Hub. 
100% Free OSINT Threat Intelligent and Cybersecurity News.","og_url":"https:\/\/www.threatshub.org\/blog\/solarwinds-malware-was-sneaked-out-of-the-firms-orion-build-environment-6-months-before-anyone-realised-it-was-there-report\/","og_site_name":"ThreatsHub Cybersecurity News","article_published_time":"2021-01-12T19:35:06+00:00","og_image":[{"url":"https:\/\/pubads.g.doubleclick.net\/gampad\/ad?co=1&amp;iu=\/6978\/reg_security\/front&amp;sz=300x250&amp;tile=2&amp;c=2YALQ4J6J9TxuXW66eJ5dPgAAANY&amp;t=ct%3Dns%26unitnum%3D2%26raptor%3Dcondor%26pos%3Dtop%26test%3D0","type":"","width":"","height":""}],"author":"TH Author","twitter_card":"summary_large_image","twitter_creator":"@threatshub","twitter_site":"@threatshub","twitter_misc":{"Written by":"TH Author","Est. reading time":"4 minutes"},"schema":{"@context":"https:\/\/schema.org","@graph":[{"@type":"Article","@id":"https:\/\/www.threatshub.org\/blog\/solarwinds-malware-was-sneaked-out-of-the-firms-orion-build-environment-6-months-before-anyone-realised-it-was-there-report\/#article","isPartOf":{"@id":"https:\/\/www.threatshub.org\/blog\/solarwinds-malware-was-sneaked-out-of-the-firms-orion-build-environment-6-months-before-anyone-realised-it-was-there-report\/"},"author":{"name":"TH Author","@id":"https:\/\/www.threatshub.org\/blog\/#\/schema\/person\/12e0a8671ff89a863584f193e7062476"},"headline":"SolarWinds malware was sneaked out of the firm&#8217;s Orion build environment 6 months before anyone realised it was there \u2013 
report","datePublished":"2021-01-12T19:35:06+00:00","mainEntityOfPage":{"@id":"https:\/\/www.threatshub.org\/blog\/solarwinds-malware-was-sneaked-out-of-the-firms-orion-build-environment-6-months-before-anyone-realised-it-was-there-report\/"},"wordCount":770,"publisher":{"@id":"https:\/\/www.threatshub.org\/blog\/#organization"},"image":{"@id":"https:\/\/www.threatshub.org\/blog\/solarwinds-malware-was-sneaked-out-of-the-firms-orion-build-environment-6-months-before-anyone-realised-it-was-there-report\/#primaryimage"},"thumbnailUrl":"https:\/\/pubads.g.doubleclick.net\/gampad\/ad?co=1&amp;iu=\/6978\/reg_security\/front&amp;sz=300x250&amp;tile=2&amp;c=2YALQ4J6J9TxuXW66eJ5dPgAAANY&amp;t=ct%3Dns%26unitnum%3D2%26raptor%3Dcondor%26pos%3Dtop%26test%3D0","articleSection":["The Register"],"inLanguage":"en-US"},{"@type":"WebPage","@id":"https:\/\/www.threatshub.org\/blog\/solarwinds-malware-was-sneaked-out-of-the-firms-orion-build-environment-6-months-before-anyone-realised-it-was-there-report\/","url":"https:\/\/www.threatshub.org\/blog\/solarwinds-malware-was-sneaked-out-of-the-firms-orion-build-environment-6-months-before-anyone-realised-it-was-there-report\/","name":"SolarWinds malware was sneaked out of the firm's Orion build environment 6 months before anyone realised it was there \u2013 report 2026 | ThreatsHub Cybersecurity 
News","isPartOf":{"@id":"https:\/\/www.threatshub.org\/blog\/#website"},"primaryImageOfPage":{"@id":"https:\/\/www.threatshub.org\/blog\/solarwinds-malware-was-sneaked-out-of-the-firms-orion-build-environment-6-months-before-anyone-realised-it-was-there-report\/#primaryimage"},"image":{"@id":"https:\/\/www.threatshub.org\/blog\/solarwinds-malware-was-sneaked-out-of-the-firms-orion-build-environment-6-months-before-anyone-realised-it-was-there-report\/#primaryimage"},"thumbnailUrl":"https:\/\/pubads.g.doubleclick.net\/gampad\/ad?co=1&amp;iu=\/6978\/reg_security\/front&amp;sz=300x250&amp;tile=2&amp;c=2YALQ4J6J9TxuXW66eJ5dPgAAANY&amp;t=ct%3Dns%26unitnum%3D2%26raptor%3Dcondor%26pos%3Dtop%26test%3D0","datePublished":"2021-01-12T19:35:06+00:00","description":"ThreatsHub Cybersecurity News | ThreatsHub.org | Cloud Security & Cyber Threats Analysis Hub. 100% Free OSINT Threat Intelligent and Cybersecurity News.","breadcrumb":{"@id":"https:\/\/www.threatshub.org\/blog\/solarwinds-malware-was-sneaked-out-of-the-firms-orion-build-environment-6-months-before-anyone-realised-it-was-there-report\/#breadcrumb"},"inLanguage":"en-US","potentialAction":[{"@type":"ReadAction","target":["https:\/\/www.threatshub.org\/blog\/solarwinds-malware-was-sneaked-out-of-the-firms-orion-build-environment-6-months-before-anyone-realised-it-was-there-report\/"]}]},{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/www.threatshub.org\/blog\/solarwinds-malware-was-sneaked-out-of-the-firms-orion-build-environment-6-months-before-anyone-realised-it-was-there-report\/#primaryimage","url":"https:\/\/pubads.g.doubleclick.net\/gampad\/ad?co=1&amp;iu=\/6978\/reg_security\/front&amp;sz=300x250&amp;tile=2&amp;c=2YALQ4J6J9TxuXW66eJ5dPgAAANY&amp;t=ct%3Dns%26unitnum%3D2%26raptor%3Dcondor%26pos%3Dtop%26test%3D0","contentUrl":"https:\/\/pubads.g.doubleclick.net\/gampad\/ad?co=1&amp;iu=\/6978\/reg_security\/front&amp;sz=300x250&amp;tile=2&amp;c=2YALQ4J6J9TxuXW66eJ5dPgAAANY&amp;t=ct%3Dns%26unitnum%3D2%26ra
ptor%3Dcondor%26pos%3Dtop%26test%3D0"},{"@type":"BreadcrumbList","@id":"https:\/\/www.threatshub.org\/blog\/solarwinds-malware-was-sneaked-out-of-the-firms-orion-build-environment-6-months-before-anyone-realised-it-was-there-report\/#breadcrumb","itemListElement":[{"@type":"ListItem","position":1,"name":"Home","item":"https:\/\/www.threatshub.org\/blog\/"},{"@type":"ListItem","position":2,"name":"SolarWinds malware was sneaked out of the firm&#8217;s Orion build environment 6 months before anyone realised it was there \u2013 report"}]},{"@type":"WebSite","@id":"https:\/\/www.threatshub.org\/blog\/#website","url":"https:\/\/www.threatshub.org\/blog\/","name":"ThreatsHub Cybersecurity News","description":"%%focuskw%% Threat Intel \u2013 Threat Intel Services \u2013 CyberIntelligence \u2013 Cyber Threat Intelligence - Threat Intelligence Feeds - Threat Intelligence Reports - CyberSecurity Report \u2013 Cyber Security PDF \u2013 Cybersecurity Trends - Cloud Sandbox \u2013- Threat IntelligencePortal \u2013 Incident Response \u2013 Threat Hunting \u2013 IOC - Yara - Security Operations Center \u2013 SecurityOperation Center \u2013 Security SOC \u2013 SOC Services - Advanced Threat - Threat Detection - TargetedAttack \u2013 APT \u2013 Anti-APT \u2013 Advanced Protection \u2013 Cyber Security Services \u2013 Cybersecurity Services -Threat Intelligence 
Platform","publisher":{"@id":"https:\/\/www.threatshub.org\/blog\/#organization"},"alternateName":"Threatshub.org","potentialAction":[{"@type":"SearchAction","target":{"@type":"EntryPoint","urlTemplate":"https:\/\/www.threatshub.org\/blog\/?s={search_term_string}"},"query-input":{"@type":"PropertyValueSpecification","valueRequired":true,"valueName":"search_term_string"}}],"inLanguage":"en-US"},{"@type":"Organization","@id":"https:\/\/www.threatshub.org\/blog\/#organization","name":"ThreatsHub.org","alternateName":"Threatshub.org","url":"https:\/\/www.threatshub.org\/blog\/","logo":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/www.threatshub.org\/blog\/#\/schema\/logo\/image\/","url":"https:\/\/www.threatshub.org\/blog\/coredata\/uploads\/2025\/05\/Threatshub_Favicon1.jpg","contentUrl":"https:\/\/www.threatshub.org\/blog\/coredata\/uploads\/2025\/05\/Threatshub_Favicon1.jpg","width":432,"height":435,"caption":"ThreatsHub.org"},"image":{"@id":"https:\/\/www.threatshub.org\/blog\/#\/schema\/logo\/image\/"},"sameAs":["https:\/\/x.com\/threatshub"]},{"@type":"Person","@id":"https:\/\/www.threatshub.org\/blog\/#\/schema\/person\/12e0a8671ff89a863584f193e7062476","name":"TH Author","image":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/secure.gravatar.com\/avatar\/066276f086d5155df79c850206a779ad368418a844da0182ce43f9cd5b506c3d?s=96&d=mm&r=g","url":"https:\/\/secure.gravatar.com\/avatar\/066276f086d5155df79c850206a779ad368418a844da0182ce43f9cd5b506c3d?s=96&d=mm&r=g","contentUrl":"https:\/\/secure.gravatar.com\/avatar\/066276f086d5155df79c850206a779ad368418a844da0182ce43f9cd5b506c3d?s=96&d=mm&r=g","caption":"TH 
Author"}}]}},"_links":{"self":[{"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/posts\/39166","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/comments?post=39166"}],"version-history":[{"count":0,"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/posts\/39166\/revisions"}],"wp:attachment":[{"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/media?parent=39166"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/categories?post=39166"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/tags?post=39166"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}