Cyber Incident Victim: Microsoft

Date:

Dec 2020

Location:

United States of America

Summary

Microsoft was breached through trojanized SolarWinds Orion software updates as part of a state-sponsored supply chain attack, with hackers accessing its internal network and allegedly leveraging its products to facilitate further intrusions against other entities. The company confirmed detecting and isolating malicious SolarWinds binaries in its environment but denied any compromise of production systems, customer data, or misuse of its infrastructure to attack others. The incident primarily impacted numerous US government agencies and cybersecurity firm FireEye, with investigations revealing additional initial access vectors beyond the SolarWinds platform. Microsoft collaborated with FireEye to disrupt the attackers' command-and-control infrastructure following the breach.

CIA Posture: Available to members

Motives: 2 motives

Tactics, Techniques & Procedures: 1 technique

Threat Actor: 1 actor

Type: Available to members

Location: Available to members

Description

In December 2020, Microsoft confirmed it was compromised as part of the SolarWinds supply chain attack, in which state-sponsored hackers breached the company’s internal network after first compromising SolarWinds. According to Reuters sources, the attackers leveraged Microsoft’s own products to facilitate further intrusions against other organizations, though Microsoft’s public statement disputed this detail. The breach was identified following a broader alert from the U.S. Cybersecurity and Infrastructure Security Agency (CISA), which warned of multiple initial access vectors beyond the trojanized SolarWinds Orion software updates. Microsoft acknowledged discovering and isolating malicious SolarWinds binaries within its environment but asserted there was no evidence of access to production systems or customer data, or of misuse of its infrastructure to attack third parties. The incident unfolded amid a wave of high-profile compromises linked to the SolarWinds Orion platform, with CISA confirming impacts across federal agencies and critical infrastructure entities.

The SolarWinds attack affected numerous U.S. government agencies, including the Treasury Department, Department of Homeland Security, Department of State, Department of Energy, and the National Nuclear Security Administration, alongside three unnamed state governments. Private-sector victims included cybersecurity firm FireEye, which, alongside Microsoft, was among the first to disclose the supply chain compromise on December 13, 2020. Both companies published technical analyses of the breach and collaborated to disrupt the attackers’ operations by sinkholing a domain used for malware command-and-control. Microsoft’s involvement as both a victim and a responder highlighted the incident’s scale, though the company maintained its systems were not weaponized against others. The incident underscored the vulnerability of the software supply chain: SolarWinds’ compromised update mechanism gave the attackers widespread access to targeted networks through a trusted channel. Federal investigations remained ongoing as additional victims continued to be identified.

Sources
Sources available to members
1 source