Date: Dec 2020

Location: United States of America

Summary

A state-sponsored cyberattack compromised the SolarWinds Orion software supply chain, enabling adversaries to pivot into Microsoft's internal systems and leverage its products for follow-on intrusions. The breach impacted multiple US government agencies, including the National Telecommunications and Information Administration, alongside other federal entities and three states; cybersecurity firm FireEye was the sole private company confirmed affected. Malicious actors deployed trojanized updates to establish persistent access, though Microsoft asserted there was no evidence of production system compromise or customer data exfiltration despite detecting and isolating the malicious binaries.


Description

The SolarWinds supply chain attack compromised multiple US government agencies and private entities through trojanized updates of the SolarWinds Orion network monitoring application. State-sponsored attackers inserted malicious code into Orion software updates distributed between March and June 2020, enabling unauthorized access to victim networks. The US Department of Commerce's National Telecommunications and Information Administration (NTIA) was among the confirmed high-profile government targets, alongside the Treasury Department, Department of Homeland Security, Department of State, Department of Energy, National Nuclear Security Administration, and Department of Health's National Institutes of Health. Three unnamed US states and cybersecurity firm FireEye were also breached through the compromised Orion platform. The attackers leveraged initial access to pivot laterally within networks, with Reuters reporting evidence of the hackers moving from SolarWinds infrastructure to Microsoft's internal systems before using Microsoft products to conduct follow-on attacks against other organizations.


Microsoft confirmed finding malicious SolarWinds binaries in its environment but denied any evidence of production system compromise or customer data exposure. The company stated it isolated and removed the trojanized components, with ongoing investigations revealing no indications that its infrastructure was weaponized against third parties. FireEye and Microsoft jointly developed countermeasures to disrupt the attack campaign, including sinkholing the command-and-control domain used to orchestrate the malware. The US Cybersecurity and Infrastructure Security Agency (CISA) issued an emergency alert confirming multiple initial access vectors beyond the SolarWinds Orion platform, though the specific alternative intrusion methods remained undisclosed. CISA's advisory highlighted impacts across federal civilian agencies, critical infrastructure entities, and private sector organizations, characterizing the incident as a grave threat to national security. Five additional victims were publicly identified on December 17, 2020, though only Microsoft's involvement was confirmed; the other identities were not disclosed.
