by slt2021 1990 days ago
I am 99 percent sure the hackers are among the CUSTOMERS of Solar Winds.

That way they were able to live-test infected SolarWinds distro in their own controlled environment and develop all possible mitigations and techniques - the sheer amount of these evading techniques suggests they were built up over time, and not instantly.

Being a Solar Winds customer and receiving the infected updated versions every time gave them the opportunity to perfect their techniques and hide for so long.

At least that's what I would do if I were a hacker and wanted to persist and be very careful about not getting detected.


At least it would be safe to assume that they had access to several systems which received Orion updates. Given the attacker's dedication to the whole process, I'd say someone else's servers probably ran the tests for them.

... or they hacked a (low-value, low-security, easy) SolarWinds customer first.

Then they hacked SolarWinds. Then they used SolarWinds to hack the real high-value target(s).

Alternatively, it is not unimaginable for a foreign entity to bribe or otherwise compromise a SolarWinds employee.

It is much easier for a highly skilled hacker to get a fake identity and get employed at SW than to compromise an employee - although this is a longer-term play.
> get fake identity

Wouldn't Google, Apple etc do background checks that discovered fake identities? Or is it not so easy with background checks?

Maybe SolarWinds would be less careful though?


Nation-state spies can get fake identities issued legally by their own government, and these will be confirmed as usual during the background check.

Ok. That's interesting.

I incorrectly assumed they'd try to get a fake US passport/identity.