Strauss Center News

Updates from the Strauss Center and our affiliated distinguished scholars and fellows


Chesney Releases an Updated eCasebook and a Case Study on the SolarWinds Hack

Sep 9, 2021 |

Professor Robert Chesney recently published an updated version of his eCasebook—“Cybersecurity Law, Policy, and Institutions”—with a special case study on the Russian cyber-espionage campaign against SolarWinds. Professor Chesney is the Director of the Strauss Center and holds the James Baker Chair and serves as the Associate Dean for Academic Affairs at the University of Texas School of Law. Professor Chesney begins this case study by describing SolarWinds and the services it offers—namely, providing customers with network-management tools. Its customers, Chesney notes, include both private companies and government agencies. Chesney then moves to describe the specific vulnerability exploited in this instance of espionage: a routine update of SolarWind’s network-monitoring system called Orion.

Professor Chesney also provided some background information on the group responsible for the attack: Russia’s Foreign Intelligence Service, known as SVR. After providing this overview of the basic details of the case study, Professor Chesney discusses the specifics of the infiltration in six steps. Step one was “accessing the SolarWinds ‘build environment’” meaning the process by which the SVR penetrated SolarWind’s development environment without detection. Step two—“injecting malware into an Orion update”—details the trojan horse-esc approach used by the SVR to place malicious code into SolarWind’s remote-update mechanism. Chesney’s discussion of step three, “deciding where to take advantage of SUNBURST,” provides an overview of the how the SVR selectively chose targets from the many infected customers in order to avoid detection while maximizing the exploitation of specific targets. The next natural step was the injection of “the tools needed to act effectively within targeted systems,” as SUNBURST served as a mere backdoor and did not deliver any malware. Step five—“swimming upstream to the cloud”—refers to the process by which the SVR penetrated a user’s cloud environment, where the richest intelligence tends to be stored. The sixth and final step, “don’t get caught,” lasted until December 2020 when one of the targets caught wind of the exploitation and sounded the alarm bells. Read the full case study here.