Threat Intelligence Tarot
wands · 4
Russia (SVR-linked)
G0118
risk 5/5
The Invisible Chain
UNC2452
SolarWinds attackers · NOBELIUM · Cozy Bear (disputed) · Dark Halo
US federal agencies · Treasury · DHS · State Department · 18,000 SolarWinds customers
Active since ~2019 · US government espionage, Supply chain weaponization, Intelligence community access
It did not break into the agencies. It was invited in - installed with a software update, cryptographically signed, trusted by every security tool that checked. For nine months, The Invisible Chain moved through the US government undetected, because it arrived as a legitimate patch.
Tactics & Techniques
  • T1195.002 Compromise Software Supply Chain (Initial Access)
  • T1036 Masquerading (Defense Evasion)
  • T1070 Indicator Removal (Defense Evasion)
  • T1550.001 Application Access Token (Lateral Movement)
  • T1568 Dynamic Resolution (Command and Control)
  • T1134 Access Token Manipulation (Privilege Escalation)
  • T1068 Exploitation for Privilege Escalation (Privilege Escalation)
Notable Operations
  • SolarWinds Orion supply chain compromise - SUNBURST backdoor (2020)
  • Undetected for 9 months across US government networks
  • US Treasury and Commerce Department email compromise
  • FireEye red team tools stolen and disclosed
Defenses
  • Software supply chain integrity verification and SBOM tracking
    NIST CSF: ID.SC
  • Zero-trust network architecture - no implicit trust for internal traffic
    CISA Zero Trust Maturity
  • Detection of anomalous OAuth token usage and API access
    NIST CSF: DE.CM
  • Privileged access workstations for sensitive administrative tasks
    CIS Control 12
Reversed: Their Weakness
The SolarWinds intrusion was discovered not by a government agency but by a private security firm - FireEye - which noticed that its own red team tools had been stolen. The chain of discovery exposed significant gaps in federal detection capabilities.

Data sourced from MITRE ATT&CK. For educational purposes.