The cyber attack,]undetected for months, was first publicly reported on December 13, 2020, and was initially only known to have affected the
-- U.S. Treasury Department ...
-- National Telecommunications and Information Administration (NTIA),
-- part of the U.S. Department of Commerce.[42] In the following days, more departments and private organizations reported breaches.

The cyberattack that led to the breaches began no later than March 2020. The attackers exploited software or credentials from at least three U.S. firms: Microsoft, SolarWinds, and VMware. A supply chain attack on Microsoft cloud services provided one way for the attackers to breach their victims, ... A supply chain attack on SolarWinds's Orion software, widely used in government [see Krebs on Security below] and industry ...
Flaws in Microsoft and VMware products allowed the attackers to access emails and other documents, and to perform federated authentication across victim resources via single sign-on infrastructure.

The government breach through the software Solar Winds...
SolarWinds said of its 300,000 customers, 33,000 use Orion.
Of these, around 18,000 government and private users downloaded compromised versions.
... Compromised versions were known to have been downloaded by the Centers for Disease Control and Prevention, the Justice Department, and some utility companies...

...the information stolen in the attack would increase the perpetrator's influence for years to come.
...future uses could include attacks on hard targets like the CIA and NSA,[how?] or using blackmail to recruit spies.
Cyberconflict professor Thomas Rid said the stolen data would have myriad uses. He added that
... if printed would form a stack far taller than the Washington Monument.

In addition to the theft of data, the attack caused costly inconvenience to tens of thousands of SolarWinds customers, who had to
-- check whether they had been breached ...
-- take systems offline and
-- begin months-long decontamination procedures as a precaution.

...it appeared that the attackers had deleted or altered records, and may have modified network or system settings in ways that could require manual review.
Former Homeland Security Advisor Thomas P. Bossert warned that it could take years to evict the attackers from US networks, leaving them able to continue to monitor, destroy or tamper with data in the meantime.

Harvard's Bruce Schneier, and NYU's Pano Yannakogeorgos, founding dean of the Air Force Cyber College, said that affected networks may need to be replaced completely.

Through a manipulation of software keys, Russian hackers were able to access the email systems used by the Treasury Department's highest-ranking officials. This system, although unclassified, is highly sensitive because of the Treasury Department's role in making decisions that move the market, as well as decisions on economic sanctions and interactions with the Federal Reserve.

U.S. Senator Richard J. Durbin described the cyberattack as tantamount to a declaration of war. President Donald Trump was silent for days after the attack, before suggesting that China, not Russia, might have been responsible for it, and that "everything is well under control".

On December 14, 2020, the CEOs of several American utility companies convened to discuss the risks posed to the power grid by the attacks. On December 22, 2020, the North American Electric Reliability Corporation asked electricity companies to report their level of exposure to Solarwinds software.

SolarWinds unpublished its featured customer list after the hack, although as of December 15, cybersecurity firm GreyNoise Intelligence said SolarWinds had not removed the infected software updates from its distribution server.

Around January 5, 2021, SolarWinds investors filed a class action lawsuit against the company in relation to its security failures and subsequent fall in share price.
Soon after, SolarWinds hired a new cybersecurity firm co-founded by Krebs.

The Linux Foundation pointed out that if Orion had been open source, users would have been able to audit it, including via reproducible builds, making it much more likely that the malware payload would have been spotted.

The Administrative Office of the United States Courts initiated an audit, with DHS, of the U.S. Judiciary's Case Management/Electronic Case Files (CM/ECF) system, then stopped accepting highly sensitive court documents to the CM/ECF, requiring those documents only in paper form or on airgapped devices.

... the federal court document system was "hit hard," by the SolarWinds attackers, which multiple U.S. intelligence and law enforcement agencies have attributed as "likely Russian in origin."
... The report notes that Administrative Office (AO) of the U.S. Courts' document system "may contain highly sensitive information, including intellectual property and trade secrets, or even the identities of confidential informants...
..."the system is full of sensitive sealed filings -- such as subpoenas for email records and so-called 'trap and trace' requests that law enforcement officials use to determine with whom a suspect is communicating via phone, when and for how long...

“This would be a treasure trove for the Russians knowing about a lot of ongoing criminal investigations,” Weaver said. “If the FBI has indicted someone but hasn’t arrested them yet, that’s all under seal. A lot of the investigative tools that get protected under seal are filed very early on in the process, often with gag orders that prevent [the subpoenaed party] from disclosing the request.”