Alongside our industry partners and the security community, Microsoft continues to investigate the extent of the recent nation-state attack on SolarWinds. Our goal is to provide the latest threat intelligence, Indicators of Compromise (IOCs), and guidance across our products and solutions to help the community respond, harden infrastructure, and begin to recover from this unprecedented attack. As new information becomes available, we will update this article at https://aka.ms/solorigate.
Executive Summary and Background Information
Microsoft is aware of a sophisticated supply chain attack that has targeted a variety of victims. The attack utilized malicious SolarWinds files that potentially gave nation-state actors access to some victims’ networks. Microsoft cybersecurity experts are investigating the attack to help ensure that customers are as secure as possible.
- December 17 – A moment of reckoning: the need for a strong and global cybersecurity response.
- December 13 – We published a blog outlining this dynamic threat landscape and the principles with which we are approaching the investigation.
- December 13 – We published a summary of what we know about the actor's methods. That post will be updated with new information as the investigation continues. Customers should treat this blog as the one-stop source for updates on the sophisticated attack.
Information for Security Operations and Hunters
We encourage customers to implement new detections and protections to identify possible prior campaigns or prevent future campaigns against their systems. We have published the IOCs in this post. This list is not exhaustive and may expand as investigations continue.
We also recommend that you review the IOCs provided by FireEye in "Highly Evasive Attacker Leverages SolarWinds Supply Chain to Compromise Multiple Global Victims With SUNBURST Backdoor" (FireEye Inc.).
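The paragraphs above ask defenders to take the published IOC lists and sweep their own telemetry for matches. The following is an added example of that sweep, not code from this Microsoft advisory or from FireEye. Every indicator value, file hash, path and DNS log line in it is a constructed placeholder (reserved documentation addresses and the `.invalid` TLD), not a real Solorigate indicator; the two-column `Indicator,Type` CSV layout and the `FQDN`/`IPv4`/`SHA256` type names are assumptions about the feed format, so check the column names of the list you actually download and substitute the real indicators from the Microsoft and FireEye posts.

```python
"""IOC sweep: match hash, domain and IP indicators against host artifacts.

Added example for this advisory; not Microsoft or FireEye code. All IOC
values, file hashes and log lines below are CONSTRUCTED placeholders.
"""
import csv
import io
import ipaddress
import re

# Constructed IOC feed. The "Indicator,Type" column layout is an assumption
# about the downloaded list, not a documented format.
IOC_CSV = """Indicator,Type
EXAMPLE-ioc-domain.invalid,FQDN
203.0.113.10,IPv4
ab4c0f3e1f2a3b4c5d6e7f8091a2b3c4d5e6f7a8b9c0d1e2f3a4b5c6d7e8f9a0,SHA256
"""


def load_iocs(text):
    """Parse the CSV into normalised sets keyed by indicator class."""
    iocs = {"domain": set(), "ip": set(), "sha256": set()}
    for row in csv.DictReader(io.StringIO(text)):
        value, kind = row["Indicator"].strip(), row["Type"].strip().upper()
        if kind == "FQDN":
            iocs["domain"].add(value.lower().rstrip("."))
        elif kind == "IPV4":
            # Canonicalise so "203.000.113.010"-style variants still match.
            iocs["ip"].add(str(ipaddress.ip_address(value)))
        elif kind == "SHA256":
            iocs["sha256"].add(value.lower())
    return iocs


def domain_matches(name, ioc_domains):
    """Return the listed domain that `name` equals or sits under, else None.

    Walking up the label hierarchy means a listed C2 domain also catches
    per-host subdomains generated beneath it, which an exact match would miss.
    """
    parts = name.lower().rstrip(".").split(".")
    for i in range(len(parts)):
        candidate = ".".join(parts[i:])
        if candidate in ioc_domains:
            return candidate
    return None


# Constructed DNS resolver log lines (timestamp host query: name A answer).
DNS_LOG = """2020-12-14T02:11:05Z host01 query: updates.vendor.example A 198.51.100.5
2020-12-14T02:12:41Z host02 query: a1b2c3.example-ioc-domain.invalid A 203.0.113.10
2020-12-14T02:13:03Z host03 query: telemetry.example A 192.0.2.7
"""
LOG_RE = re.compile(r"^(?P<ts>\S+) (?P<host>\S+) query: (?P<name>\S+) A (?P<answer>\S+)$")


def sweep_dns(log_text, iocs):
    """Flag queries for listed domains and answers that resolve to listed IPs."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # unparseable line; a real sweep would count these
        matched = domain_matches(m["name"], iocs["domain"])
        if matched:
            hits.append((m["host"], "domain", m["name"], matched))
        if m["answer"] in iocs["ip"]:
            hits.append((m["host"], "ip", m["name"], m["answer"]))
    return hits


# Constructed (host, path, sha256) inventory, e.g. from an EDR file export.
FILE_INVENTORY = [
    ("host02", r"C:\Program Files\Vendor\bin\service.dll",
     "AB4C0F3E1F2A3B4C5D6E7F8091A2B3C4D5E6F7A8B9C0D1E2F3A4B5C6D7E8F9A0"),
    ("host03", r"C:\Windows\System32\kernel32.dll",
     "0000000000000000000000000000000000000000000000000000000000000000"),
]


def sweep_files(inventory, iocs):
    """Flag files whose SHA-256 is on the list; compare case-insensitively."""
    return [(host, "sha256", path, h.lower())
            for host, path, h in inventory if h.lower() in iocs["sha256"]]


def sweep(ioc_text=IOC_CSV, dns_log=DNS_LOG, inventory=FILE_INVENTORY):
    """Run both sweeps and return every (host, kind, artifact, indicator) hit."""
    iocs = load_iocs(ioc_text)
    return sweep_dns(dns_log, iocs) + sweep_files(inventory, iocs)


if __name__ == "__main__":
    for hit in sweep():
        print(hit)
```

On the constructed input the sweep reports three hits, all on host02: a query under the listed domain, a resolution to the listed IP, and a file whose hash is on the list. Subdomain matching is deliberate: a list entry for a parent domain should fire on any host-specific label generated beneath it, which is why the matcher walks up the label hierarchy rather than comparing whole strings.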
- December 21 – Understanding Solorigate's Identity IOCs – for identity vendors and their customers
- December 21 Advice for incident responders on recovery from systemic identity compromises
- December 18 Analyzing Solorigate, the compromised DLL file that started a sophisticated cyberattack, and how Microsoft Defender helps protect – Microsoft Security
- December 16 SolarWinds Post-Compromise Hunting with Azure Sentinel – Microsoft Tech Community
- December 16 Microsoft Azure Sentinel released guidance to help Azure Sentinel customers hunt in their environments for related activity observed with this sophisticated attack.
- December 15 – Latest Threat Intelligence (15 December, 2020) – FireEye and SolarWinds Events – Microsoft Tech Community
- Microsoft Defender antivirus and Microsoft Defender for Endpoint released protections for the malicious SolarWinds software and other artifacts from the attack.
- We have updated information about detection and potential impacts to customer environments in the Threat Analytics article within the Defender console (sign in is required).
Information for Security Admins
- December 18 For Identity professionals and Microsoft 365 admins we published a blog with guidance on how to protect Microsoft 365 from on-premises attacks.
- December 15 Ensuring customers are protected from Solorigate.
Specific guidance for Microsoft Security products and solutions
Overviews of the different Microsoft security products:
- https://docs.microsoft.com/security/
- https://docs.microsoft.com/azure/security/
- https://docs.microsoft.com/azure/sentinel/
- https://docs.microsoft.com/microsoft-365/security/
- https://docs.microsoft.com/windows/security/
Coming soon: Solorigate product specific guidance
Where can I get help and assistance?
- Customers with any product support related needs should file a Microsoft Support case at https://support.microsoft.com/contactus
- Get help in the Microsoft 365 security center, Office 365 Security & Compliance Center, and Microsoft Defender Security Center by clicking the "?" icon in the top navigation bar.
- For deployment assistance please contact https://fasttrack.microsoft.com
Other Advisories & Additional Resources
- FireEye threat intelligence advisory: Global Intrusion Campaign Leverages Software Supply Chain Compromise.
- SolarWinds security advisory: SolarWinds Advisory.
- The Cybersecurity and Infrastructure Security Agency (CISA) has published information and guidance here: https://us-cert.cisa.gov/ncas/alerts/aa20-352a. For country-specific guidance, customers and partners should refer to information from the appropriate law enforcement or other government entity in that jurisdiction.