Guidance for partners on recent nation-state cyberattacks


Update December 31, 2020: The Microsoft Security Response Center team has published an update on our internal Solorigate investigation and additional guidance.

Update December 28, 2020: The Microsoft 365 Defender team has published a comprehensive guide for security operations and incident response teams using Microsoft 365 Defender to identify, investigate, and respond to the Solorigate attack if it’s found in your environment.

Microsoft is aware of a sophisticated supply chain attack that has targeted a variety of victims over the past year. The attack utilizes malicious SolarWinds files that possibly gave cybercriminals access to some victims’ networks. Microsoft cybersecurity experts are investigating the attack to help ensure that Microsoft customers are as secure as possible. 

On December 17, 2020, Microsoft President Brad Smith posted a blog sharing the most up-to-date information and detailed technical information for defenders.

As this is an ongoing investigation, Microsoft cybersecurity teams continue to act as first responders to these attacks. We know that customers and partners will have ongoing questions and Microsoft is committed to providing timely updates as new information becomes available. We will make updates through our Microsoft Security Response Center (MSRC) blog. 

Partners should secure their environments and follow up with their customers to assist them with securing their environments. Below, we’ve provided the latest links and information you can use when communicating with customers. 

Resources  

Advisories  

  • If your customer has a specific question regarding FireEye, refer them to the FireEye Advisory.  
  • If your customer has a specific question regarding SolarWinds, refer them to the SolarWinds Advisory.  
  • The Cybersecurity and Infrastructure Security Agency (CISA) has published a set of information and guidance here: https://us-cert.cisa.gov/ncas/alerts/aa20-352a. For individual country-specific guidance, customers and partners should refer to information from the appropriate law enforcement or other government entity in that jurisdiction.