
By | Posted on: 7 May 2026

SolarWinds: How One Vendor Credential Reached 18,000 Organisations Including the US Government

On 13 December 2020, cybersecurity firm FireEye disclosed that nation-state attackers had infiltrated SolarWinds' Orion network management software, creating what would become the most significant supply chain cyberattack in history. The breach exposed a fundamental vulnerability in how organisations manage vendor access: a single compromised credential cascaded through 18,000 customers, including nine US federal agencies and Fortune 500 companies.

The attack began with attackers inserting malicious code into SolarWinds' software updates between March and June 2020. When customers installed routine updates, they unknowingly granted attackers persistent access to their networks. This breach demonstrated how vendor credential management failures can transform trusted business relationships into national security threats.

The Critical Gap in Government Vendor Access Control

Defence and public sector organisations face a unique challenge in vendor credential management. Unlike private companies that can limit third-party access, government agencies require extensive contractor and vendor integration for everything from IT infrastructure to classified research programmes. Each vendor relationship creates potential attack vectors through shared credentials, privileged access, and interconnected systems.

The SolarWinds incident exposed how traditional credential management approaches fail at scale. Government agencies typically manage vendor access through manual processes, shared accounts, or basic identity management systems that assume credentials remain secure once issued. This assumption proved catastrophic when attackers gained access to SolarWinds' internal systems and leveraged existing vendor credentials to move laterally across customer networks.

The attack succeeded because it exploited the trust relationship between vendors and customers. SolarWinds' legitimate credentials provided attackers with authorised access to customer systems, bypassing traditional perimeter security controls. For government agencies handling classified information or critical infrastructure, this represented a complete failure of access control architecture.

The Scale of Compromise: By the Numbers

The SolarWinds breach affected approximately 18,000 organisations that downloaded compromised software updates, according to SolarWinds' own SEC filings. However, the attackers demonstrated strategic targeting, with Microsoft estimating that fewer than 1,000 organisations were actually compromised through follow-on activities.

Among confirmed victims, nine US federal agencies were breached, including the Departments of State, Treasury, Homeland Security, Energy, and Commerce. The attackers maintained persistent access for up to nine months before detection, with some intrusions continuing for months after the initial disclosure.

Financial impact data reveals the true cost of credential compromise. SolarWinds reported spending over $18 million on incident response in 2021 alone, while facing multiple federal investigations and lawsuits. The company's market capitalisation fell by approximately $3.3 billion in the weeks following disclosure, according to financial filings.

The UK's National Cyber Security Centre identified that British government departments were among those affected, though the full extent remains classified. Similar impacts were reported across NATO allies, demonstrating how vendor credential compromise can cascade across international government networks.

Why Traditional Security Tools Failed

The SolarWinds attack succeeded despite extensive deployment of modern security tools across victim organisations. Identity and Access Management (IAM) systems failed because they authenticated legitimate SolarWinds credentials — the attackers were using valid access tokens obtained through the supply chain compromise.

Privileged Access Management (PAM) solutions, designed to control high-value accounts, proved ineffective because the attackers leveraged standard vendor access rather than obviously privileged credentials. The malicious code operated within normal software update processes, avoiding PAM monitoring focused on administrative activities.

Single Sign-On (SSO) and Multi-Factor Authentication (MFA) provided no protection because attackers bypassed these controls entirely. Once inside victim networks through legitimate SolarWinds access, attackers could move laterally without triggering authentication challenges designed for external access.

Zero Trust architectures, increasingly adopted across government agencies, failed to prevent the breach because they still relied on validating credentials rather than controlling their creation and distribution. The fundamental assumption — that credentials can be trusted once verified — remained intact and exploitable.

These tools address authentication and monitoring but do not solve the core problem: organisations cannot control credentials they allow others to create and hold. Vendor credentials, by definition, exist outside organisational control boundaries, creating persistent blind spots in security architecture.

Structural Solution: Organisational Credential Control

The SolarWinds breach demonstrates that effective security requires organisations to maintain complete control over all credentials accessing their systems, including vendor access. This means shifting from credential verification to credential generation and distribution.

Under a controlled credential model, organisations generate all access credentials centrally, distribute them in encrypted form, and maintain continuous revocation capability. Vendors and contractors never possess plaintext credentials, eliminating the possibility of credential theft or misuse. Access becomes truly unphishable because users cannot disclose credentials they do not hold.

This approach transforms vendor relationships from trust-based to verification-based. Rather than trusting vendors to secure their own credentials, organisations maintain cryptographic control over access rights. When vendors require system access, they request specific permissions that are granted through encrypted credential distribution, not permanent credential sharing.

MyCena's patented technology implements this model by ensuring users never see or control their own credentials. The system generates cryptographically secure credentials, distributes them in encrypted form, and enables instant revocation across all access points. For government agencies, this means vendor access can be controlled with the same rigour applied to classified information handling.

Implications for Defence and Public Sector Leaders

The SolarWinds breach created lasting regulatory and operational changes across government agencies. The US Executive Order on Cybersecurity (EO 14028) now mandates specific controls for software supply chains and vendor access management. Similar requirements are emerging across allied nations, creating compliance obligations that traditional security tools cannot address.

Government leaders must recognise that vendor credential compromise represents a systemic risk requiring architectural solutions, not incremental security improvements. The shift toward controlled credential distribution will become a requirement, not an option, as regulatory frameworks evolve.

Organisations should immediately audit vendor access arrangements and identify credentials existing outside their direct control. Each uncontrolled credential represents a potential SolarWinds-style compromise vector that could provide attackers with authorised access to critical systems.

The lesson from SolarWinds is clear: in an interconnected threat environment, credential control cannot be delegated to third parties, regardless of trust relationships or contractual obligations. Security architecture must assume credential compromise and design accordingly.

By | Posted on: 7 May 2026

One vendor credential. Every operator they serve. The supply chain cascade.

When hackers breached Colonial Pipeline in May 2021, shutting down America's largest fuel pipeline for six days, investigators traced the attack to a single compromised credential belonging to a former employee. That one password — likely harvested from the dark web — gave DarkSide ransomware operators access to the entire network, triggering fuel shortages across the Eastern seaboard and $4.4 million in ransom payments.

The incident exposed a fundamental vulnerability in critical infrastructure: the cascade effect of credential compromise through supply chains. One breached vendor credential can unlock access to dozens of downstream operators, creating systemic risk that regulators are only beginning to understand.

The multiplier effect in critical infrastructure

In the energy sector, a single technology vendor typically serves multiple grid operators, pipeline companies, and power generation facilities. When that vendor's credentials are compromised, attackers gain potential access to every client in their portfolio. The mathematics are stark: one successful phishing attack can multiply into dozens of simultaneous infrastructure breaches.

This supply chain credential risk is particularly acute in industrial control systems, where vendors require privileged access to monitor and maintain critical operational technology. A single engineering firm might hold administrative credentials for wind farms across three states. A SCADA software provider could have remote access capabilities across dozens of water treatment facilities.

The problem extends beyond direct vendor relationships. Subcontractors, consultants, and temporary workers create additional credential pathways, each representing potential vectors for lateral movement through interconnected infrastructure networks.

The scale of exposure

Recent data from the Cybersecurity and Infrastructure Security Agency reveals the scope of this vulnerability. CISA's 2023 Critical Infrastructure Threat Assessment identified credential compromise as the initial attack vector in 82% of successful breaches against energy sector targets, with supply chain relationships facilitating lateral movement in 67% of cases.

The Department of Energy's cyber incident reporting data shows that vendor-related breaches affect an average of 3.4 additional infrastructure operators beyond the initial target. In the most severe cases, a single compromised vendor credential has cascaded to impact up to 12 separate facilities across multiple states.

Financial losses compound accordingly. While direct breach costs for energy companies average $6.25 million according to IBM's Cost of a Data Breach Report 2023, supply chain incidents generate additional liability exposure. Colonial Pipeline's total incident costs, including business disruption and regulatory penalties, exceeded $90 million.

The North American Electric Reliability Corporation (NERC) reported 263 cyber security incidents across the bulk power system in 2022, with 34% traced to third-party credential compromise. Each incident triggered mandatory reporting requirements and potential compliance violations under NERC CIP standards.

Why current security tools fail the cascade test

Identity and Access Management (IAM) systems excel at managing internal user lifecycles but struggle with external vendor credential oversight. Most IAM platforms cannot enforce consistent credential policies across third-party relationships, creating governance gaps that attackers exploit.

Privileged Access Management (PAM) solutions address some vendor access challenges by creating secure credential vaults and session monitoring. However, they typically operate within individual organisational boundaries. When a vendor's PAM-managed credential is compromised at their home organisation, that breach can still cascade to client environments where the same vendor maintains separate access rights.

Single Sign-On (SSO) reduces credential proliferation but creates single points of failure. A compromised SSO credential grants access to multiple connected systems simultaneously. For vendors serving multiple infrastructure clients, SSO compromise amplifies rather than reduces cascade risk.

Multi-Factor Authentication (MFA) provides additional security layers but remains vulnerable to sophisticated phishing attacks. The Lapsus$ group demonstrated advanced MFA bypass techniques in their 2022 infrastructure targeting campaign, using social engineering to overcome authentication barriers.

Zero Trust architectures improve security posture by assuming breach and continuously validating access requests. However, they do not solve the fundamental problem: users still create, know, and control their own credentials. A compromised user can still authenticate legitimately within a Zero Trust framework.

Separating identity from credential control

The structural solution requires separating identity verification from credential ownership. Rather than allowing users to create and manage their own passwords and access tokens, organisations must retain complete control over credential generation, distribution, and revocation.

This principle shifts the security paradigm from "trust but verify" to "control and distribute". Under this model, users prove their identity through biometric or other verification methods, but never possess the actual credentials that grant system access. Instead, encrypted credentials are generated centrally and delivered directly to target systems without user visibility.

MyCena's patented approach implements this separation by removing human knowledge from the credential equation. Users authenticate their identity, but the organisation maintains exclusive control over the cryptographic keys that actually unlock system access. Because users never see or handle these credentials, they cannot be phished, stolen, or misused across multiple client environments.

This architecture prevents supply chain cascade failures by ensuring that even if a vendor's identity verification process is compromised, the underlying credentials remain secure and cannot be replayed against client systems. Each access session requires fresh cryptographic validation from the controlling organisation.
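The controlled credential model described in the two passages above (central generation, delivery straight to the target system, per-session validation, instant revocation) as an added illustration. This is not MyCena's code and makes no claim about how their product works; the broker, the HMAC key shared only between broker and target system, and the grant/session flow are assumptions of this example.

```python
import hashlib, hmac, json, secrets

class TargetSystem:
    """Client-side system (e.g. a SCADA host). Shares one HMAC key with the broker only."""
    def __init__(self, name: str, shared_key: bytes):
        self.name, self._key, self._seen = name, shared_key, set()

    def admit(self, token: bytes, now: float) -> bool:
        # Re-validate every session: reject bad tags, wrong audience, stale tokens, replays.
        payload, _, tag = token.rpartition(b".")
        expected = hmac.new(self._key, payload, hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, tag.decode(errors="replace")):
            return False
        claims = json.loads(payload)
        if claims["aud"] != self.name or now > claims["exp"] or claims["nonce"] in self._seen:
            return False
        self._seen.add(claims["nonce"])
        return True

class CredentialBroker:
    """Organisation-side authority: issues, tracks and revokes vendor grants (assumed design)."""
    def __init__(self):
        self._systems, self._grants, self._revoked = {}, {}, set()

    def register(self, system: TargetSystem, shared_key: bytes) -> None:
        self._systems[system.name] = (system, shared_key)

    def grant(self, vendor: str, system_name: str, ttl_s: int, now: float) -> str:
        # The vendor receives only this opaque handle; no key material leaves the broker.
        grant_id = secrets.token_urlsafe(16)
        self._grants[grant_id] = (vendor, system_name, now + ttl_s)
        return grant_id

    def revoke(self, grant_id: str) -> None:
        # Revocation takes effect on the next session request, with nothing to recall from the vendor.
        self._revoked.add(grant_id)

    def open_session(self, grant_id: str, now: float) -> bool:
        # Mint a fresh one-time token and push it straight to the target system;
        # the vendor never holds it, so it cannot be phished or replayed elsewhere.
        g = self._grants.get(grant_id)
        if g is None or grant_id in self._revoked or now > g[2]:
            return False
        system, key = self._systems[g[1]]
        claims = {"aud": g[1], "vendor": g[0], "nonce": secrets.token_hex(8),
                  "exp": min(g[2], now + 60)}
        payload = json.dumps(claims, sort_keys=True).encode()
        tag = hmac.new(key, payload, hashlib.sha256).hexdigest().encode()
        return system.admit(payload + b"." + tag, now)
```

The constructed `now` values in the calls stand in for wall-clock time so the expiry and revocation paths can be exercised deterministically.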

Regulatory convergence demands action

Multiple regulatory frameworks are converging on supply chain credential management requirements. The Transportation Security Administration's cybersecurity directives for pipeline operators explicitly require "cybersecurity risk assessments" of third-party remote access. The Securities and Exchange Commission's new cyber disclosure rules include materiality thresholds that treat vendor credential breaches as potentially reportable events.

NERC CIP-004 standards mandate "personnel risk assessments" for vendor access, while proposed updates to CIP-013 would strengthen supply chain cybersecurity requirements. The Federal Energy Regulatory Commission has indicated that future compliance examinations will focus heavily on third-party access controls.

For critical infrastructure operators, the message is clear: credential cascade risk is transitioning from a cybersecurity concern to a regulatory compliance requirement. Organisations that cannot demonstrate robust vendor credential governance face increasing scrutiny from multiple oversight bodies.

The mathematics of supply chain credential risk are unforgiving. One compromised vendor affects multiple operators. Multiple operators create systemic infrastructure vulnerability. Systemic vulnerability attracts regulatory intervention and potential enforcement action. The most effective defence is preventing the initial credential compromise through organisational control rather than user responsibility.
