2020 United States federal government data breach
In 2020, a major cyberattack suspected to have been committed by a group backed by the Russian government penetrated thousands of organizations globally including multiple parts of the United States federal government, leading to a series of data breaches. The cyberattack and data breach were reported to be among the worst cyber-espionage incidents ever suffered by the U.S., due to the sensitivity and high profile of the targets and the long duration (eight to nine months) in which the hackers had access. Within days of its discovery, at least 200 organizations around the world had been reported to be affected by the attack, and some of these may also have suffered data breaches. Affected organizations worldwide included NATO, the U.K. government, the European Parliament, Microsoft and others.
The attack, which had gone undetected for months, was first publicly reported on December 13, 2020, and was initially only known to have affected the U.S. Treasury Department and the National Telecommunications and Information Administration (NTIA), part of the U.S. Department of Commerce. In the following days, more departments and private organizations reported breaches.
The cyberattack that led to the breaches began no later than March 2020. The attackers exploited software or credentials from at least three U.S. firms: Microsoft, SolarWinds, and VMware. A supply chain attack on SolarWinds's Orion software, widely used in government and industry, provided an initial entry point. Microsoft cloud products provided another, allowing the attackers to also breach victims who were not SolarWinds customers. Flaws in Microsoft and VMware products allowed the attackers to access emails and other documents, and to perform federated authentication across victim resources via single sign-on infrastructure.
In addition to the theft of data, the attack caused costly inconvenience to tens of thousands of SolarWinds customers, who had to check whether they had been breached, and had to take systems offline and begin months-long decontamination procedures as a precaution. U.S. Senator Richard J. Durbin described the cyberattack as tantamount to a declaration of war. President Donald Trump was silent for several days after the attack was publicly disclosed. He suggested that China, not Russia, might have been responsible for it, and that "everything is well under control".
SolarWinds, a Texas-based provider of network monitoring software to the U.S. federal government, had shown several security shortcomings prior to the attack. SolarWinds did not employ a chief information security officer or senior director of cybersecurity. Cybercriminals had been selling access to SolarWinds's infrastructure since at least 2017. SolarWinds had been advising customers to disable antivirus tools before installing SolarWinds software. In November 2019, a security researcher had warned SolarWinds that their FTP server was not secure, noting that "any hacker could upload malicious [files]" that would then be distributed to SolarWinds customers. Furthermore, SolarWinds's Microsoft Office 365 account had been compromised, with the attackers able to access emails and possibly other documents.
On December 7, 2020, a few days before trojaned SolarWinds software was publicly confirmed to have been used to attack other organizations, longstanding SolarWinds CEO Kevin Thompson retired. That same day, two private equity firms with ties to SolarWinds's board sold substantial amounts of stock in SolarWinds. The firms denied insider trading.
Multiple attack vectors were used in the course of breaching the various victims of the incident.
This is classic espionage. It's done in a highly sophisticated way ... But this is a stealthy operation.
