
Reviewed threat activity

SolarWinds Supply Chain Compromise

The SolarWinds compromise demonstrated how a trusted software update path could be abused to gain access across government and enterprise environments, followed by credential access, lateral movement, and long-term stealthy collection.

Framework: MITRE ATT&CK. Confidence: high

How The Activity Unfolds In ATT&CK

The SolarWinds activity starts at the supply chain, then expands through account access and credential attacks. ATT&CK makes the operational path visible: trusted code distribution creates the initial access, valid accounts reduce friction once inside, and credential techniques sustain continued movement.

  1. T1195.002 Compromise Software Supply Chain. A trusted update mechanism becomes the first access path.
  2. T1078 Valid Accounts. The actor uses legitimate accounts to blend into enterprise identity flows.
  3. T1110.003 Password Spraying. A few common passwords tried across many accounts expand access while each account stays below lockout thresholds.
  4. T1558.003 Kerberoasting. Kerberos service ticket abuse supports credential theft and privilege expansion.

Defender Readout

This activity belongs in the top set because it links supplier trust, identity abuse, and credential access into one operational chain. Defenders should treat it as a reference case for supply-chain detection and identity telemetry correlation.
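The readout above asks for identity telemetry correlation across the techniques in the numbered list. The following is an added example, not code from the page or from MITRE, showing what that correlation looks like in practice: a password-spray detector (one source, many accounts, few failures each), a Kerberoasting detector (one account, many RC4 service-ticket requests in a short window), and a join on the account name that flags an account which was sprayed and then used to request tickets. The events are constructed samples modelled on Windows Security log IDs 4625 and 4769; the field names, the window sizes and the thresholds are assumptions for the example and should be tuned to real telemetry.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events for this example (not real telemetry), modelled
# on Windows Security log fields: 4625 = failed logon, 4769 = Kerberos
# service ticket (TGS) request. The dict keys are assumed names, not a real
# log schema; map your SIEM's fields onto them.
SPRAY_TARGETS = [f"user{i:02d}" for i in range(11)] + ["svc_backup"]
SAMPLE_EVENTS = [
    # One source IP, twelve accounts, one failure each, a minute apart.
    *[{"ts": f"2024-01-10T09:{i:02d}:00", "event_id": 4625, "user": u,
       "src_ip": "198.51.100.7"} for i, u in enumerate(SPRAY_TARGETS)],
    # A real user mistyping a password twice: same account, one source.
    {"ts": "2024-01-10T09:05:00", "event_id": 4625, "user": "alice", "src_ip": "10.0.0.5"},
    {"ts": "2024-01-10T09:05:30", "event_id": 4625, "user": "alice", "src_ip": "10.0.0.5"},
    # Kerberoasting: one account asks for RC4 (0x17) tickets to many SPNs in seconds.
    *[{"ts": f"2024-01-10T10:00:{s:02d}", "event_id": 4769, "user": "svc_backup",
       "service": spn, "enc_type": "0x17", "src_ip": "10.0.0.9"}
      for s, spn in enumerate(["MSSQLSvc/db01", "MSSQLSvc/db02", "HTTP/web01",
                               "HTTP/web02", "cifs/file01", "ldap/dc01"])],
    # Ordinary AES (0x12) ticket request from a workstation.
    {"ts": "2024-01-10T10:00:10", "event_id": 4769, "user": "bob",
     "service": "cifs/file01", "enc_type": "0x12", "src_ip": "10.0.0.21"},
]


def _ts(e):
    return datetime.fromisoformat(e["ts"])


def _best_window(evs, window, key, qualifies):
    """Slide a time window over time-sorted events and return the largest
    set of `key` values seen in any window that `qualifies`, or None."""
    evs = sorted(evs, key=_ts)
    best, start = None, 0
    for end in range(len(evs)):
        while _ts(evs[end]) - _ts(evs[start]) > window:
            start += 1
        span = evs[start:end + 1]
        counts = defaultdict(int)
        for e in span:
            counts[key(e)] += 1
        if qualifies(counts) and (best is None or len(counts) > len(best["keys"])):
            best = {"keys": sorted(counts), "first_ts": span[0]["ts"],
                    "last_ts": span[-1]["ts"]}
    return best


def detect_password_spray(events, window=timedelta(minutes=60),
                          min_accounts=10, max_per_account=3):
    """T1110.003: one source fails logons against many distinct accounts with
    only a few attempts each, so per-account lockout thresholds never trip."""
    by_src = defaultdict(list)
    for e in events:
        if e["event_id"] == 4625:
            by_src[e["src_ip"]].append(e)
    hits = []
    for src, evs in by_src.items():
        w = _best_window(evs, window, key=lambda e: e["user"],
                         qualifies=lambda c: (len(c) >= min_accounts
                                              and max(c.values()) <= max_per_account))
        if w:
            hits.append({"technique": "T1110.003", "src_ip": src,
                         "accounts": w["keys"], "last_ts": w["last_ts"]})
    return hits


def detect_kerberoasting(events, window=timedelta(minutes=10), min_spns=5):
    """T1558.003: one account requests RC4-encrypted (0x17) service tickets for
    many distinct SPNs in a short time. Machine accounts and krbtgt are skipped."""
    by_user = defaultdict(list)
    for e in events:
        if (e["event_id"] == 4769 and e.get("enc_type") == "0x17"
                and not e["user"].endswith("$")
                and not e.get("service", "").lower().startswith("krbtgt")):
            by_user[e["user"]].append(e)
    hits = []
    for user, evs in by_user.items():
        w = _best_window(evs, window, key=lambda e: e["service"],
                         qualifies=lambda c: len(c) >= min_spns)
        if w:
            hits.append({"technique": "T1558.003", "user": user,
                         "spns": w["keys"], "first_ts": w["first_ts"]})
    return hits


def correlate(events):
    """Join the two detections on the account name: an account that was a spray
    target and afterwards requested many RC4 tickets is a far stronger signal
    (a guessed password now used for credential theft) than either alert alone."""
    sprays = detect_password_spray(events)
    roasts = detect_kerberoasting(events)
    chain = sorted(r["user"] for r in roasts
                   if any(r["user"] in s["accounts"] and r["first_ts"] >= s["last_ts"]
                          for s in sprays))
    return {"spray": sprays, "kerberoast": roasts,
            "sprayed_then_kerberoasting": chain}


if __name__ == "__main__":
    for name, rows in correlate(SAMPLE_EVENTS).items():
        print(name, rows)
```

Two caveats a practitioner would add: the RC4 filter is a convenience, since an attacker who controls the request can ask for AES tickets (slower to crack, but still roastable), so a distinct-SPN count without the encryption-type filter is the safer baseline; and the join key here is the account name only, whereas production correlation should also carry the source host so that a sprayed account used from a new host scores higher still.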

Evidence And Mapping Rationale

T1195.002 Compromise Software Supply Chain

MITRE maps the campaign to abuse of a trusted software supply chain as the initial compromise path.

T1078 Valid Accounts

MITRE maps the campaign to use of legitimate accounts during post-compromise operations.

T1110.003 Password Spraying

MITRE lists password spraying as a technique used to obtain access: a low-volume form of brute force that tries a few common passwords across many accounts rather than many passwords against one, which keeps each account below lockout thresholds and is far less conspicuous than classic per-account guessing.

T1558.003 Kerberoasting

MITRE maps the activity to Kerberoasting: requesting service tickets for accounts that have service principal names and cracking the ticket encryption offline to recover those service account passwords.