In the SolarWinds incident, hackers compromised the vendor's security software, and, unaware that the breach had occurred, SolarWinds provided its customers with updates to the software that included a back door into their systems. Affected systems included those of Microsoft, the U.S. Department of Homeland Security, and other highly sensitive networks.
As Wolff explains, "Once the adversaries had gotten into some of those organisations' computer networks, they then started trying to root around and find ways they could get into other organisations." And down the supply chain, the hack went.
Under zero trust, the update wouldn't have been installed until it was fully vetted within the zero trust framework—even when it was coming from a trusted vendor.