Nobelium Resource Center – updated March 4, 2021

UPDATE: Microsoft continues to work with partners and customers to expand our knowledge of the threat actor behind the nation-state cyberattacks that compromised the supply chain of SolarWinds and impacted multiple other organizations. Microsoft previously used ‘Solorigate’ as the primary designation for the actor, but moving forward we want to place appropriate focus on the actors behind these sophisticated attacks, rather than on one of the examples of malware used by the actors. Microsoft Threat Intelligence Center (MSTIC) has named the actor behind the attack against SolarWinds, the SUNBURST backdoor, TEARDROP malware, and related components NOBELIUM. As we release new content and analysis, we will use NOBELIUM to refer to the actor and the campaign of attacks, and we have updated the references in this document below accordingly.

Alongside our industry partners and the security community, Microsoft continues to investigate the extent of the recent nation-state attack on SolarWinds. Our goal is to provide the latest threat intelligence, Indicators of Compromise (IOCs), and guidance across our products and solutions to help the community respond, harden infrastructure, and begin to recover from this unprecedented attack. As new information becomes available, we will make updates to this article at https://aka.ms/nobelium.

Executive Summary and Background Information 

Microsoft is aware of a sophisticated supply chain attack that has targeted a variety of victims. The attack utilized malicious SolarWinds files that potentially gave nation-state actors access to some victims’ networks. Microsoft cybersecurity experts are investigating the attack to help ensure that customers are as secure as possible.  

Information for Security Operations and Hunters 

We encourage customers to implement new detections and protections to identify possible prior campaigns or prevent future campaigns against their systems. We have published the IOCs in this post. This list is not exhaustive and may expand as investigations continue.

We also recommend that customers review the IOCs provided by FireEye in their report, Highly Evasive Attacker Leverages SolarWinds Supply Chain to Compromise Multiple Global Victims With SUNBURST Backdoor.

Information for Security Admins  

Further information and guidance for Microsoft security products and solutions 

Overviews of the different Microsoft security products:  

Where can I get help and assistance? 

  • Customers with any product support related needs should file a Microsoft Support case at https://support.microsoft.com/contactus  
  • Get help in the Microsoft 365 security center, Office 365 Security & Compliance center, and Microsoft Defender Security Center by clicking on the “?” icon in the top navigation bar.
  • For deployment assistance please contact https://fasttrack.microsoft.com  
  • If you believe you have been compromised and require assistance through an incident response, open a Sev A Microsoft support case.

Other Advisories & Additional Resources 

Revision History

  • 2021-03-04: Added background information on naming the actor and related components as Nobelium.
  • 2021-02-18: Added links in the Executive Summary and Background section to Microsoft Internal Solorigate Investigation – Final Update and Turning the page on Solorigate and opening the next chapter for the security community.
  • 2021-02-02: Added a link in the Security Ops and Hunters section to the Microsoft 365 Defender webinar: Protect, Detect, and Respond to Solorigate using M365 Defender.
  • 2021-01-21: Added a link in the Security Ops and Hunters section to the deep dive into the Solorigate second-stage activation: From SUNBURST to TEARDROP and Raindrop.
  • 2021-01-15: Added links in the Information for Security Admins section to Microsoft Defender for Identity expands support to AD FS servers and Increasing resilience against Solorigate and other sophisticated attacks with Microsoft Defender.
  • 2020-12-31: Added a link to Microsoft Internal Solorigate Investigation Update.
  • 2020-12-28: Added a link to Using Microsoft 365 Defender to protect against Solorigate in the Information for Security Operations and Hunters section, and an MCAS docs link in the Specific guidance for Microsoft Security products and solutions section.
  • 2020-12-22: Added a link in the Hunting section to an article from Alex Weinert on the Azure AD workbook to help you assess Solorigate risk.
  • 2020-12-21: Published.