Category: SAML

SolarWinds incident overview

SolarWinds makes software for managing networks and infrastructure. Its Orion software was the target of an advanced cyberattack in 2020. The attackers gained superuser-level access to the certificate used to sign SAML tokens, and used that certificate to forge new tokens that granted them highly privileged access to victim networks.
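As an added illustration of the defender's side of the token-forgery step above (example code, not from the page, SolarWinds or Microsoft), the following Python audits SAML assertions observed at a service provider against the identity provider's own issuance log: a token forged offline with a stolen signing key validates cryptographically, so it is the missing IdP issuance record, an unexpected signing certificate, or an out-of-policy lifetime that exposes it. All records, assertion IDs, thumbprints and the one-hour lifetime policy are constructed assumptions.

```python
from datetime import datetime, timedelta

# Constructed policy: thumbprints of the certificates the IdP is known to sign
# with, and the longest assertion lifetime the IdP is configured to issue.
TRUSTED_SIGNING_THUMBPRINTS = {"AA11AA11"}  # placeholder, not a real thumbprint
MAX_ASSERTION_LIFETIME = timedelta(hours=1)

# Constructed sample: assertions as seen by a service provider (SP).
SP_ASSERTIONS = [
    {"id": "_a1", "subject": "alice@example.com", "thumbprint": "AA11AA11",
     "issue_instant": "2020-12-13T10:00:00Z", "not_on_or_after": "2020-12-13T10:05:00Z"},
    # Signed by the trusted key, but never issued by the IdP and valid for 24h.
    {"id": "_a2", "subject": "admin@example.com", "thumbprint": "AA11AA11",
     "issue_instant": "2020-12-13T10:10:00Z", "not_on_or_after": "2020-12-14T10:10:00Z"},
    # Issued by the IdP, but signed with a certificate nobody approved.
    {"id": "_a3", "subject": "bob@example.com", "thumbprint": "FF99FF99",
     "issue_instant": "2020-12-13T10:20:00Z", "not_on_or_after": "2020-12-13T10:25:00Z"},
]

# Constructed sample: the IdP's issuance log, keyed by assertion ID.
IDP_ISSUANCE_LOG = {"_a1": "alice@example.com", "_a3": "bob@example.com"}


def parse_ts(value: str) -> datetime:
    """Parse the SAML UTC timestamp format (trailing 'Z') into an aware datetime."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def audit_assertion(assertion: dict, idp_log: dict, trusted: set, max_lifetime: timedelta) -> list:
    """Return a list of findings for one assertion; an empty list means no anomaly."""
    findings = []
    if assertion["thumbprint"] not in trusted:
        findings.append("signed by untrusted certificate")
    if assertion["id"] not in idp_log:
        # A forged token never passes through the IdP, so it leaves no issuance record.
        findings.append("no matching IdP issuance record")
    elif idp_log[assertion["id"]] != assertion["subject"]:
        findings.append("subject differs from IdP record")
    lifetime = parse_ts(assertion["not_on_or_after"]) - parse_ts(assertion["issue_instant"])
    if lifetime > max_lifetime:
        findings.append(f"lifetime {lifetime} exceeds policy")
    return findings


def audit_all(assertions=SP_ASSERTIONS, idp_log=IDP_ISSUANCE_LOG) -> dict:
    """Audit every SP-side assertion; returns {assertion_id: [findings]}."""
    return {a["id"]: audit_assertion(a, idp_log, TRUSTED_SIGNING_THUMBPRINTS, MAX_ASSERTION_LIFETIME)
            for a in assertions}


if __name__ == "__main__":
    for assertion_id, findings in audit_all().items():
        print(assertion_id, findings or "ok")
```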

Attackers may have compromised SolarWinds' internal build or distribution systems, embedding backdoor code into a legitimate SolarWinds library, SolarWinds.Orion.Core.BusinessLayer.dll. The backdoored library could then reach target networks through Orion's automatic updates.

The malicious DLL called out to remote network infrastructure under the domain avsvmcloud.com to stage possible second-stage payloads, move laterally within the organization, and compromise or exfiltrate data.

The Cybersecurity and Infrastructure Security Agency (CISA) issued Emergency Directive 21-01 in response to the incident, advising all federal civilian agencies to disable Orion.

Figure: SolarWinds Sunburst attack network paths (source)

Ref. https://web.archive.org/web/20201220053318/https://msrc-blog.microsoft.com/2020/12/13/customer-guidance-on-recent-nation-state-cyber-attacks/