Details of the 2020 SolarWinds attack continue to unfold, and it may be years before the final damages can be tallied.

While it is “hard to say” if the SolarWinds software supply-chain compromise will become known as the highest-impact cyber intrusion ever, it did catch “many people off guard” despite the security industry’s frequent warnings that supply chains pose substantial risks, according to Eric Parizo, principal analyst of security operations at Omdia, a global research firm.

The SolarWinds attack is unprecedented because of “its capability to cause significant physical consequences,” says University of Richmond management professor Shital Thekdi, an expert on risk management and industrial and operations engineering. The attack “impacted critical infrastructure providers, potentially impacting energy and manufacturing capacities,” she said, and created an ongoing intrusion that “should be treated as a serious event with potential for great harm.”

Following is a timeline of how events related to the SolarWinds hack have unfolded, to date.

SolarWinds hack timeline (last updated March 28, 2021)

December 8, 2020 How the discovery began — FireEye, a prominent cybersecurity firm, announced it was a victim of a nation-state attack.
The security team reported that its Red Team toolkit, containing applications used by ethical hackers in penetration tests, was stolen.

December 13, 2020 Initial detection — FireEye discovered a supply chain attack while it was investigating the nation-state attack on its own Red Team toolkit. The researchers stumbled across evidence that attackers had inserted a backdoor into the SolarWinds software, “trojanizing SolarWinds Orion business software updates to distribute malware.” FireEye dubbed it “SUNBURST.”

December 13 SolarWinds begins notifying customers, including a post on its Twitter account, “SolarWinds asks all customers to upgrade immediately to Orion Platform version 2020.2.1 HF 1 to address a security vulnerability.”

December 14 SolarWinds files an SEC Form 8-K report, stating in part that the company “has been made aware of a cyberattack that inserted a vulnerability within its Orion monitoring products”. On this date and the next, the company issued two “hotfix” security patches to address the vulnerability.

December 15, 2020 Victims named and timeline moves back — The Wall Street Journal reported that the U.S. Commerce and Treasury Departments, the Department of Homeland Security (DHS), the National Institutes of Health, and the State Department were all affected. Various security officials and vendors expressed serious dismay that the attack was more widespread and began much earlier than expected. The initial attack date was now pegged to sometime in March 2020, which meant the attack had been underway for months before its detection.

More technical details also began to emerge, illustrating how well the malicious activity was covered and why it was hard to detect.

December 17, 2020: New victims revealed — The Energy Department (DOE) and National Nuclear Security Administration (NNSA), which maintains the U.S. nuclear weapons stockpile, were publicly named as victims of the attack.

December 19, 2020: 200 more victims listed — Recorded Future, a cybersecurity firm, identified an additional list of government agencies and companies around the world that had also been attacked, but did not publicly reveal their identities.

Using Twitter for his first comments on the attack, then-U.S. President Donald Trump publicly suggested that China, not Russia, was the source, and also described the hack as a hoax. U.S. Secretary of State Mike Pompeo and other senior members of the administration disputed these claims the same day, stating that “we can say pretty clearly that it was the Russians that engaged in this activity.”

December 31, 2020: Microsoft says the Russian attackers breached some of its source code — The software giant said that the attackers could not modify code, products, or email and they did not use Microsoft goods to attack other victims. By this point, the attacks are largely thought to “have begun as far back as October 2019…when hackers breached the Texas company SolarWinds.”

January 5, 2021: Joint statement by FBI, CISA, ODNI, and NSA released — The Federal Bureau of Investigation (FBI), CISA, The office of the National Director of Intelligence (ODNI), and the National Security Agency (NSA) jointly released a statement on the formation of the Cyber Unified Coordination Group, which “indicates that an advanced persistent threat (APT) actor, likely Russian in origin, is responsible for most or all of the recently discovered, ongoing cyber compromises of both government and non-governmental networks.
At this time, we believe this was, and continues to be, an intelligence gathering effort.”

January 6, 2021: CISA issues supplemental guidance — CISA’s supplemental guidance required U.S. government agencies that ran affected versions of SolarWinds Orion to conduct forensic analysis, required those that accept the risk of running the software to comply with certain hardening requirements, and set new reporting requirements by agency from department-level CIOs. The deadlines for the agency CIO reports were Tuesday, January 19, and Monday, January 25, 2021.

January 27, 2021: CISA releases a report on Supernova, the malware “that was deployed using a vulnerability in the Orion Platform, and after the Orion Platform had been installed.”

January 29, 2021: SolarWinds issues an advisory for both Sunburst and Supernova.

February 19, 2021: Biden Administration declares intent to punish Russia for SolarWinds attack — Jake Sullivan, national security advisor, told CNN’s Christiane Amanpour that President Joe Biden’s administration would look at a “broad range of responses” after an investigation to further pinpoint the identities of the attackers.

February 23, 2021: First Congressional hearing — Microsoft and FireEye testified before the Senate Intelligence Committee on the SolarWinds attacks. A transcript and a video of the hearing are available on C-SPAN. Microsoft President Brad Smith said its “researchers believed at least 1,000 very skilled, very capable engineers worked on the SolarWinds hack. This is the largest and most sophisticated sort of operation that we have seen,” Smith told senators. All defended their own actions before and after the attacks, and all fingers pointed at Russia as the attacker.

February 26, 2021: Second Congressional hearing — The U.S. House Committee on Oversight and Reform and the House Committee on Homeland Security held a joint hearing “examining recent cybersecurity incidents affecting government and private sector networks, including the supply chain attack targeting SolarWinds Orion Software and other cyberattacks. On December 17, the Committees launched an investigation into the cyberattacks. On December 18, the Unified Coordination Group provided a classified Member briefing by telephone about the attacks.”

February 24, 2021: SolarWinds issues a FAQ: Security Advisory. This advisory offered further guidance to SolarWinds customers on how to tell if they were affected, what steps to take, and answers to related questions.

March 15, 2021: A Public Affairs spokesperson in the National Press Office of the FBI answered “no comment” to CSOonline.com’s questions on the current status of the SolarWinds attacks, stating that “the investigation is ongoing.”

March 28, 2021: Reports state DHS, cybersecurity leaders’ emails compromised — The Associated Press reported that the SolarWinds hackers “gained access to email accounts belonging to the Trump administration’s head of the Department of Homeland Security and members of the department’s cybersecurity staff whose jobs included hunting threats from foreign countries.”

May 29, 2021: Microsoft reports a new wave of attacks by the Russia-affiliated Nobelium gang now linked to the SolarWinds hack. This round was launched by “gaining access to the Constant Contact account of USAID,” the US Agency for International Development. Using this access, the attack involved phishing emails with a link that leads to insertion of a malicious file and a backdoor that can be used for data theft.

What now?
What next?

While the country and the world wait for the final measure of the costs and scale of the SolarWinds attack, it is clear to all that the impact continues.

“There are a multitude of reasons why there could still be vulnerable systems out there or with the vulnerable systems patched an attacker could have pivoted and maintained persistence without the company knowing. Some SolarWinds customers may still be unaware that they have SolarWinds on their network. Maybe the staff that installed it isn’t employed there anymore or maybe key personnel didn’t hear the news or the company doesn’t have the tools to detect it,” warns Amanda Berlin, a security consultant and co-author of the Defensive Security Handbook. “So many environments have limited visibility into what is happening that they may never know until something goes wrong.”

In any case, the future implications are considered grim if the lessons learned from this are not acted upon.

“From a long-term perspective, enterprises should not only ensure they have a data exfiltration prevention program, assuming all other defenses fail, but also seek to develop a ‘cyber kill chain’ for supply-chain compromises, creating as many opportunities as possible to prevent, disrupt, or at least quickly detect them,” said Omdia analyst Parizo.

“This should include software risk management best practices, such as NIST’s Cyber Supply Chain Risk Management (C-SCRM), and establishing a baseline set of software security requirements that must be met by any software vendor prior to a purchase,” Parizo added.