
Inside Solorigate: A Threat Intelligence Repository for History's Most Sophisticated Supply Chain Attack


Hook

When nation-state attackers compromised SolarWinds Orion in 2020, they gained access to 18,000 organizations including Fortune 500 companies and US government agencies—making it the most consequential supply chain attack in history.

Context

The Solorigate attack (also known as SUNBURST) represented a paradigm shift in cybersecurity. Between March and June 2020, attackers inserted a backdoor into SolarWinds Orion—a network monitoring platform used by thousands of organizations worldwide. The malicious code was digitally signed, passed through build pipelines, and distributed via legitimate software updates. By the time FireEye discovered the breach in December 2020, the attackers had months of undetected access to victim networks.

In the immediate aftermath, security teams faced a critical challenge: how do you detect if you've been compromised when the attack vector was a trusted software update? The cyware-labs/Solorigate repository emerged as one of many community efforts to aggregate indicators of compromise (IOCs), detection rules, and response guidance. It represents a snapshot of collective threat intelligence from the security community during those critical early weeks when organizations scrambled to assess their exposure.

Technical Insight

Unlike traditional software repositories containing application code, threat intelligence repositories like Solorigate organize artifacts for detection and response. The structure reveals how security teams operationalize threat intelligence across different layers of their defensive stack.

The repository aggregates IOCs across multiple categories. File hashes (MD5, SHA1, SHA256) identify known malicious binaries, network indicators (IP addresses and domains) flag command-and-control infrastructure, and detection rules translate these indicators into queries for security tools. For example, the YARA rules (YARA being the repository's primary language) provide pattern-matching signatures for identifying malicious files:

rule SUNBURST_APT_Backdoor {
    meta:
        description = "Detects SUNBURST backdoor"
        author = "FireEye"
        date = "2020-12-13"
    strings:
        $sb1 = "SolarWinds.Orion.Core.BusinessLayer.dll" ascii
        $sb2 = "ReportWatcher" ascii
        $sb3 = "Update.cs" ascii
        $sb4 = { 5C 00 43 00 75 00 72 00 72 00 65 00 6E 00 74 00 56 00 65 00 72 00 73 00 69 00 6F 00 6E }
    condition:
        uint16(0) == 0x5A4D and filesize < 500KB and all of ($sb*)
}

This rule checks for the MZ magic of a PE file (the little-endian uint16 0x5A4D at offset 0), constrains file size to under 500 KB, and requires all four string patterns ($sb1 through $sb4) to match. YARA rules like this run at various control points: email gateways, endpoint detection systems, or forensic analysis of disk images.
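To make the rule's condition concrete, the following is an added Python re-implementation of its three checks (the PE magic, the file-size bound, and "all of ($sb*)"), not code from the repository or from FireEye. It also decodes the hex string $sb4 to show what it is matching. The buffers it tests against are constructed toy data, not real binaries, and the check is deliberately limited to this one rule rather than being a general YARA engine.

```python
"""Evaluate the SUNBURST_APT_Backdoor rule's condition in plain Python.

Added illustration, not code from the Solorigate repository or from FireEye.
It re-implements the checks the rule's condition expresses (uint16(0) ==
0x5A4D, filesize < 500KB, all of ($sb*)) so their meaning is visible without
the yara engine. The buffers produced by build_sample() are constructed toy
data, not real binaries.
"""
import struct
from typing import Dict, Optional

# $sb1..$sb3 are plain ASCII strings; $sb4 is a hex string, which turns out
# to be "\CurrentVersion" in UTF-16LE with its final NUL byte left off.
ASCII_STRINGS: Dict[str, bytes] = {
    "$sb1": b"SolarWinds.Orion.Core.BusinessLayer.dll",
    "$sb2": b"ReportWatcher",
    "$sb3": b"Update.cs",
}
HEX_STRING = bytes.fromhex(
    "5C 00 43 00 75 00 72 00 72 00 65 00 6E 00 74 00 56 00 65 00 72 00 73 00 69 00 6F 00 6E"
)
MAX_FILESIZE = 500 * 1024   # YARA's "500KB" means 500 * 1024 bytes
PE_MAGIC = 0x5A4D           # "MZ" read as a little-endian uint16, as uint16(0) does


def decode_hex_string() -> str:
    """Return the text $sb4 encodes (pad the odd trailing byte before decoding)."""
    return (HEX_STRING + b"\x00").decode("utf-16-le")


def evaluate_rule(data: bytes) -> dict:
    """Return each sub-check of the condition and the overall verdict for one buffer."""
    magic_ok = len(data) >= 2 and struct.unpack_from("<H", data, 0)[0] == PE_MAGIC
    size_ok = len(data) < MAX_FILESIZE
    hits = {name: s in data for name, s in ASCII_STRINGS.items()}
    hits["$sb4"] = HEX_STRING in data
    return {
        "uint16(0) == 0x5A4D": magic_ok,
        "filesize < 500KB": size_ok,
        "strings": hits,                       # what "all of ($sb*)" iterates over
        "match": magic_ok and size_ok and all(hits.values()),
    }


def build_sample(with_magic: bool = True, drop: Optional[str] = None) -> bytes:
    """Construct a toy buffer carrying the rule's strings; `drop` omits one of them."""
    body = bytearray(b"MZ" if with_magic else b"\x7fELF")
    body += b"\x00" * 62                       # padding, not a real DOS header
    for name, s in ASCII_STRINGS.items():
        if name != drop:
            body += s + b"\x00"
    if drop != "$sb4":
        body += HEX_STRING + b"\x00\x00"
    return bytes(body)


if __name__ == "__main__":
    print("$sb4 decodes to:", decode_hex_string())
    for label, buf in [
        ("MZ header + all strings", build_sample()),
        ("ELF header + all strings", build_sample(with_magic=False)),
        ("MZ header, $sb2 missing", build_sample(drop="$sb2")),
    ]:
        print(f"{label:28s} -> match={evaluate_rule(buf)['match']}")
```

The per-check dictionary is the useful part when tuning: a file that carries every string but fails the size bound, for instance, is a hint to check whether the bound still fits the current binary rather than a reason to discard the rule.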

The repository also includes Splunk queries that translate IOCs into Search Processing Language (SPL) for log analysis:

index=proxy OR index=dns
| search
    "avsvmcloud.com" OR
    "digitalcollege.org" OR
    "freescanonline.com" OR
    "deftsecurity.com" OR
    "thedoccloud.com"
| table _time src_ip dest_ip dest_host url
| sort -_time

This query searches network logs for known malicious domains associated with Solorigate's command-and-control infrastructure. The practical challenge is that raw IOCs require context—a domain might be legitimately accessed before being weaponized, or IP addresses could be reassigned to benign services after the attack.

The MITRE ATT&CK mapping provides that context by documenting the specific tactics and techniques used in the attack: Initial Access via trusted relationships (T1199), Persistence through valid accounts (T1078), and Command and Control through Application Layer Protocol (T1071). This framework helps defenders understand not just what to look for, but how the attack progresses through its lifecycle.

Perhaps most interesting is the documented kill switch mechanism. The SUNBURST malware checked for specific DNS resolutions and would terminate if it detected sandbox environments or analysis. Security researchers discovered that resolving certain domains could effectively neutralize active infections—a defensive technique that worked because attackers built detection evasion directly into the malware.

The repository also includes STIX 2.1 formatted intelligence—a structured JSON format for threat information exchange. STIX objects represent relationships between indicators, threat actors, and attack patterns in a machine-readable format that threat intelligence platforms can consume programmatically. This standardization is crucial because modern security operations centers handle thousands of indicators daily; manual processing doesn't scale.
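The following is an added example, not part of the cyware-labs repository, of what the STIX 2.1 representation of the network indicators above looks like and how a consumer turns it back into the Splunk search shown earlier. Objects are plain dicts laid out per the STIX 2.1 JSON structure rather than built with the stix2 library, so it runs with the standard library only. Assumptions: identifiers are derived with uuid5 from a constructed namespace so the output is reproducible (real STIX producers use random UUIDv4 for these objects), and the threat-actor name and timestamps are placeholders. The domains are the ones from the query above.

```python
"""Emit a minimal STIX 2.1 bundle for the Solorigate C2 domains and consume
it back into a Splunk search.

Added example, not from the Solorigate repository or the cyware-labs
project. Objects are plain dicts laid out per the STIX 2.1 JSON schema
(type, spec_version, id, created, modified, pattern, pattern_type,
relationship_type) rather than built with the stix2 library. Assumptions:
ids come from uuid5 over a constructed namespace so runs are reproducible
(production STIX uses random UUIDv4 for SDOs); the threat-actor name and
timestamps are placeholders. The domains are from the article's query.
"""
import json
import re
import uuid
from typing import Dict, List

NAMESPACE = uuid.UUID("00000000-0000-0000-0000-00000000beef")  # constructed
TS = "2020-12-14T00:00:00.000Z"                                 # constructed
DOMAINS = ["avsvmcloud.com", "digitalcollege.org", "freescanonline.com",
           "deftsecurity.com", "thedoccloud.com"]


def stix_id(obj_type: str, seed: str) -> str:
    """STIX identifiers have the form '<type>--<uuid>'."""
    return f"{obj_type}--{uuid.uuid5(NAMESPACE, obj_type + ':' + seed)}"


def sdo(obj_type: str, seed: str, **props) -> dict:
    """Common properties every STIX 2.1 object carries, plus type-specific ones."""
    return {"type": obj_type, "spec_version": "2.1", "id": stix_id(obj_type, seed),
            "created": TS, "modified": TS, **props}


def make_bundle(domains: List[str]) -> dict:
    actor = sdo("threat-actor", "solorigate-actor",
                name="Solorigate operator (placeholder)")
    technique = sdo("attack-pattern", "T1071", name="Application Layer Protocol",
                    external_references=[{"source_name": "mitre-attack",
                                          "external_id": "T1071"}])
    objects = [actor, technique,
               sdo("relationship", "actor-uses-T1071", relationship_type="uses",
                   source_ref=actor["id"], target_ref=technique["id"])]
    for d in domains:
        ind = sdo("indicator", d, name=f"SUNBURST C2 domain {d}",
                  indicator_types=["malicious-activity"],
                  pattern=f"[domain-name:value = '{d}']", pattern_type="stix",
                  valid_from=TS)
        rel = sdo("relationship", "indicates-" + d, relationship_type="indicates",
                  source_ref=ind["id"], target_ref=actor["id"])
        objects += [ind, rel]
    return {"type": "bundle", "id": stix_id("bundle", "solorigate"), "objects": objects}


def serialize_bundle(bundle: dict) -> str:
    return json.dumps(bundle, indent=2)


def parse_bundle(text: str) -> dict:
    return json.loads(text)


DOMAIN_PATTERN = re.compile(r"\[domain-name:value\s*=\s*'([^']+)'\]")


def domains_from_bundle(bundle: dict) -> List[str]:
    """Extract values from indicators whose pattern is a single domain-name
    comparison; other pattern shapes are skipped by this toy consumer."""
    found = []
    for obj in bundle["objects"]:
        if obj.get("type") == "indicator" and obj.get("pattern_type") == "stix":
            m = DOMAIN_PATTERN.fullmatch(obj["pattern"])
            if m:
                found.append(m.group(1))
    return found


def indicates_targets(bundle: dict) -> Dict[str, str]:
    """Map indicator id -> id of the object it 'indicates', via relationship objects."""
    return {o["source_ref"]: o["target_ref"] for o in bundle["objects"]
            if o.get("type") == "relationship" and o.get("relationship_type") == "indicates"}


def to_spl(domains: List[str]) -> str:
    """Render the domains as the quoted OR-list used in the Splunk query above."""
    terms = " OR ".join(f'"{d}"' for d in domains)
    return ("index=proxy OR index=dns | search " + terms +
            " | table _time src_ip dest_ip dest_host url | sort -_time")


if __name__ == "__main__":
    text = serialize_bundle(make_bundle(DOMAINS))
    bundle = parse_bundle(text)
    print(text[:400] + "\n...")
    print(to_spl(domains_from_bundle(bundle)))
```

The relationship objects are what make the bundle more than a list: a consumer can walk from an indicator to the actor it indicates and from there to the ATT&CK technique the actor uses, which is the lifecycle context the flat IOC files in the repository do not carry.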

Gotcha

The fundamental limitation of this repository is temporal decay. Threat intelligence has a shelf life—IOCs become stale as attackers rotate infrastructure, detection rules generate false positives as legitimate services adopt similar patterns, and response playbooks become outdated as new mitigation techniques emerge. With only 3 stars and no apparent updates since late 2020, this repository represents a historical snapshot rather than living intelligence.

The lack of confidence scoring or temporal metadata compounds this issue. Not all IOCs are equally reliable—some come from high-confidence sources like FireEye's direct forensic analysis, while others might be community-contributed observations with higher false-positive rates. The repository presents all indicators as flat text files without context about validation status, first-seen dates, or last-observed timestamps. Production security operations require this metadata to tune detection systems and prioritize alerts.

There's also no automation layer. Modern threat intelligence platforms ingest feeds via APIs, automatically update detection rules, and provide feedback loops when indicators prove useful or generate false positives. This repository requires manual extraction and translation into whatever format your security tools consume—a friction that limits its operational utility. For organizations affected by Solorigate in 2020, this was acceptable because any intelligence was valuable. In 2024, defenders need continuously updated, validated, and scored intelligence feeds.
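As an added example of the metadata the two preceding paragraphs call for (source, validation status, first-seen and last-seen dates, and a confidence score that decays over time), the following Python is not part of the Solorigate repository. The scoring policy is a constructed illustration of temporal decay, not a published standard: base confidence depends on the source, unvalidated observations are discounted, and the score decays per day since the last sighting at a rate that depends on the indicator kind (IPs decay fastest because they get reassigned; a file hash keeps naming the same binary). The sample records are constructed; the domains are those in the Splunk query above, the IP is a TEST-NET address, and the hash is an all-zero placeholder.

```python
"""Score IOCs with the metadata the article notes the repository lacks and
decide, as of a given date, which ones to alert on, log, or retire.

Added example, not part of the Solorigate repository. The policy (source-
dependent base confidence, a penalty for unvalidated sightings, per-kind
decay since last sighting, alert/log/retire thresholds) is a constructed
illustration of temporal decay, not a published standard. The sample records
are constructed: the domains appear in the article's Splunk query, the IP
is a TEST-NET address, and the hash is an all-zero placeholder.
"""
from dataclasses import dataclass
from datetime import date
from typing import Dict, List

# Base confidence by source (constructed): a vendor's forensic finding
# outranks an unvalidated community report.
SOURCE_CONFIDENCE = {"vendor-forensics": 90, "community": 50}
UNVALIDATED_FACTOR = 0.7
# Confidence points lost per day since the last sighting. Domains and
# especially IPs get reassigned, so they decay; a hash still names the binary.
KIND_DECAY = {"domain": 0.5, "ipv4": 1.0, "sha256": 0.1}
ALERT_THRESHOLD = 60      # >= 60 alert, 30..60 log only, < 30 retire
RETIRE_THRESHOLD = 30

AS_OF_EARLY = date(2021, 1, 14)   # a month after disclosure (constructed)
AS_OF_LATE = date(2021, 6, 1)     # half a year later (constructed)


@dataclass(frozen=True)
class IOC:
    value: str
    kind: str            # "domain" | "ipv4" | "sha256"
    source: str
    validated: bool
    first_seen: date
    last_seen: date


def effective_confidence(ioc: IOC, as_of: date) -> float:
    """Base confidence for the source, discounted if unvalidated, then decayed by age."""
    base = SOURCE_CONFIDENCE.get(ioc.source, 30)
    if not ioc.validated:
        base *= UNVALIDATED_FACTOR
    age_days = max(0, (as_of - ioc.last_seen).days)
    return max(0.0, base - KIND_DECAY[ioc.kind] * age_days)


def disposition(ioc: IOC, as_of: date) -> str:
    c = effective_confidence(ioc, as_of)
    if c >= ALERT_THRESHOLD:
        return "alert"
    if c >= RETIRE_THRESHOLD:
        return "log-only"
    return "retire"


def triage(iocs: List[IOC], as_of: date) -> Dict[str, List[str]]:
    """Bucket indicator values by disposition for deployment as of `as_of`."""
    buckets: Dict[str, List[str]] = {"alert": [], "log-only": [], "retire": []}
    for ioc in iocs:
        buckets[disposition(ioc, as_of)].append(ioc.value)
    return buckets


SAMPLE: List[IOC] = [
    IOC("avsvmcloud.com", "domain", "vendor-forensics", True, date(2020, 12, 13), date(2020, 12, 15)),
    IOC("freescanonline.com", "domain", "community", False, date(2020, 12, 14), date(2020, 12, 14)),
    IOC("deftsecurity.com", "domain", "community", True, date(2020, 12, 14), date(2020, 12, 25)),
    IOC("203.0.113.10", "ipv4", "community", True, date(2020, 12, 14), date(2020, 12, 20)),
    IOC("0" * 64, "sha256", "vendor-forensics", True, date(2020, 12, 13), date(2020, 12, 15)),
]


if __name__ == "__main__":
    for as_of in (AS_OF_EARLY, AS_OF_LATE):
        print(f"as of {as_of}:")
        for ioc in SAMPLE:
            window = (ioc.last_seen - ioc.first_seen).days
            print(f"  {ioc.value[:20]:20s} observed {window:3d}d  "
                  f"conf={effective_confidence(ioc, as_of):5.1f}  {disposition(ioc, as_of)}")
```

Run a month after disclosure, the vendor-sourced domain and the hash alert while the unvalidated community domain and the IP are already retired; run six months later, only the hash still alerts. Those are the decisions a flat list of indicators cannot express, and the reason the metadata matters more than the indicator count.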

Verdict

Use if: You're conducting historical research on supply chain attacks, teaching a course on threat intelligence operations, performing forensic analysis on systems potentially compromised during the 2020-2021 timeframe, or building a timeline of the Solorigate disclosure and response. The repository provides valuable educational content about how the security community mobilizes around major incidents and offers insight into the structure of threat intelligence artifacts.

Skip if: You need current threat intelligence for production security operations, require automated IOC ingestion into security tools, want validated and scored indicators with confidence levels, or are looking for comprehensive Solorigate coverage with recent updates. Active alternatives like MISP, AlienVault OTX, or commercial threat intelligence feeds provide continuously updated, machine-readable intelligence with the metadata and automation that modern SOCs require.
