{
	"id": "c7a1df04-0134-474d-b4ea-b7019a8aa98a",
	"created_at": "2026-04-06T00:13:27.507786Z",
	"updated_at": "2026-04-10T03:37:33.334057Z",
	"deleted_at": null,
	"sha1_hash": "63c224a6ee47c31aedcef58fddaae312408c58c7",
	"title": "Nobelium Resource Center - updated March 4, 2021",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 88370,
	"plain_text": "Nobelium Resource Center - updated March 4, 2021\r\nBy MSRC Team\r\nPublished: 2020-12-21 · Archived: 2026-04-05 19:34:08 UTC\r\nUPDATE: Microsoft continues to work with partners and customers to expand our knowledge of the threat actor\r\nbehind the nation-state cyberattacks that compromised the supply chain of SolarWinds and impacted multiple\r\nother organizations. Microsoft previously used ‘Solorigate’ as the primary designation for the actor, but moving\r\nforward, we want to place appropriate focus on the actors behind the sophisticated attacks, rather than one of the\r\nexamples of malware used by the actors. Microsoft Threat Intelligence Center (MSTIC) has named the\r\nactor behind the attack against SolarWinds, the SUNBURST backdoor, TEARDROP malware, and related\r\ncomponents as NOBELIUM. As we release new content and analysis, we will use NOBELIUM to refer to the actor\r\nand the campaign of attacks, and we have updated the relevant references in this document below.\r\nAlongside our industry partners and the security community, Microsoft continues to investigate the extent of the\r\nrecent nation-state attack on SolarWinds. Our goal is to provide the latest threat intelligence, Indicators of\r\nCompromise (IOCs), and guidance across our products and solutions to help the community respond, harden\r\ninfrastructure, and begin to recover from this unprecedented attack. As new information becomes available, we\r\nwill make updates to this article at https://aka.ms/nobelium.\r\nExecutive Summary and Background Information\r\nMicrosoft is aware of a sophisticated supply chain attack that has targeted a variety of victims. The attack utilized\r\nmalicious SolarWinds files that potentially gave nation-state actors access to some victims’ networks. 
Microsoft\r\ncybersecurity experts are investigating the attack to help ensure that customers are as secure as possible.\r\nFebruary 25, 2021: Published Microsoft open sources CodeQL queries used to hunt for Solorigate activity\r\nFebruary 18, 2021: Published Turning the page on Solorigate and opening the next chapter for the security\r\ncommunity\r\nFebruary 18, 2021: Published Microsoft Internal Solorigate Investigation – Final Update\r\nFebruary 5, 2021: Published Sophisticated cybersecurity threats demand collaborative, global response\r\nDecember 31, 2020: Published a Microsoft Internal Solorigate Investigation Update\r\nDecember 17, 2020: Posted an article from Brad Smith on the need for a unified approach to cybersecurity\r\nand how we respond to attacks: A moment of reckoning: the need for a strong and global cybersecurity\r\nresponse\r\nDecember 13, 2020: Published a blog from John Lambert outlining this dynamic threat landscape and the\r\nprinciples with which we are approaching the investigation and Important steps for customers to protect\r\nthemselves from recent nation-state cyberattacks - Microsoft On the Issues\r\nDecember 13, 2020: Published a summary of what we know about the actor's methods. This post will be\r\nupdated with new information as the investigation continues. Customers should look to this blog as the\r\none-stop source for updates on the sophisticated attack.\r\nhttps://msrc-blog.microsoft.com/2020/12/21/december-21st-2020-solorigate-resource-center/\r\nPage 1 of 4\n\nInformation for Security Operations and Hunters\r\nWe encourage customers to implement new detections and protections to identify possible prior campaigns or\r\nprevent future campaigns against their systems. We have published the IOCs in this post. 
This list is not\r\nexhaustive and may expand as investigations continue.\r\nJanuary 28, 2021 A webinar from the Microsoft 365 Defender Research team on protecting, detecting, and\r\nresponding to Solorigate using M365 Defender.\r\nJanuary 21, 2021 Published a deep dive into the Solorigate second-stage (SUNBURST to TEARDROP and\r\nRaindrop backdoors) including detailed hands-on-keyboard techniques\r\nDecember 28, 2020 Published a comprehensive guide for security operations and incident response teams\r\non using Microsoft 365 Defender to identify, investigate and respond to the Nobelium attack at\r\nhttps://aka.ms/detect_solorigate\r\nDecember 22, 2020 An article from Alex Weinert on a new Azure AD workbook to help you assess\r\nSolorigate risk\r\nDecember 21, 2020 An article from Alex Weinert on Understanding “Solorigate”’s Identity IOCs - for\r\nIdentity Vendors and their customers\r\nDecember 21, 2020 An article from Microsoft’s Detection and Response Team (DART) with Advice for\r\nincident responders on recovery from systemic identity compromises\r\nDecember 18, 2020 An article from the Microsoft 365 Defender Research team and Threat Intelligence\r\nCenter (MSTIC) on Analyzing Solorigate, the compromised DLL file that started a sophisticated\r\ncyberattack, and how Microsoft Defender helps protect\r\nDecember 16, 2020 An article from Shain Wray from MSTIC with guidance on SolarWinds Post-Compromise Hunting with Azure Sentinel (this post continues to be updated with new information as it\r\nbecomes available)\r\nDecember 15, 2020 An article from Ariel Saghiv on the Latest Threat Intelligence for Azure Defender for\r\nIoT\r\nDecember 13, 2020 Microsoft Defender Antivirus and Microsoft Defender for Endpoint released\r\nprotections for the malicious SolarWinds software and other artifacts from the attack.\r\nWe have updated information about detection and potential impacts to customer environments in the Threat\r\nAnalytics article within the Microsoft Defender 
Security Center (sign in is required).\r\nInformation for Security Admins\r\nJanuary 15, 2021 An article from the Microsoft 365 Defender team for security administrators using\r\nMicrosoft 365 Defender and Azure Defender to increase resilience against Solorigate and other\r\nsophisticated attack patterns using Microsoft Defender\r\nJanuary 15, 2021 An article by Daniel Niam for Microsoft Defender for Identity on expanding support to\r\nAD FS servers\r\nDecember 18, 2020 An article by Alex Weinert for Identity professionals and Microsoft 365 admins on\r\nhow to protect Microsoft 365 from on-premises attacks\r\nDecember 15, 2020 An article from the Microsoft 365 Defender Threat Intelligence team on what we are\r\ndoing to Ensure customers are protected from Solorigate\r\nFurther information and guidance for Microsoft security products and solutions\r\nOverviews of the different Microsoft security products:\r\nWhere can I get help and assistance?\r\nCustomers with any product support related needs should file a Microsoft Support case at\r\nhttps://support.microsoft.com/contactus\r\nGet help in the Microsoft 365 security center, Office 365 Security \u0026 Compliance center, and Microsoft\r\nDefender Security Center by clicking on the “?” icon in the top navigation bar.\r\nFor deployment assistance please contact https://fasttrack.microsoft.com\r\nIf you believe you have been compromised and require assistance through an incident response, open a Sev\r\nA Microsoft support case.\r\nOther Advisories \u0026 Additional Resources\r\nFireEye threat intelligence advisory: Global Intrusion Campaign Leverages Software Supply Chain\r\nCompromise.\r\nSolarWinds security advisory: SolarWinds Advisory.\r\nThe Cybersecurity and Infrastructure Security Agency (CISA) has published information and guidance\r\nhere: https://us-cert.cisa.gov/ncas/alerts/aa20-352a. 
For individual country-specific guidance, customers\r\nand partners should refer to information from the appropriate law enforcement or other government\r\nentity in that jurisdiction.\r\nRevision History\r\n2021-03-04 Added background information on naming the actor and related components as Nobelium.\r\n2021-02-18 Added link to the Executive Summary and Background section on the Microsoft Internal\r\nSolorigate Investigation – Final Update and Turning the page on Solorigate and opening the next chapter\r\nfor the security community\r\n2021-02-02 Added link to the Security Ops and Hunters section on the Microsoft 365 Defender webinar:\r\nProtect, Detect, and Respond to Solorigate using M365 Defender\r\n2021-01-21 Added link to the Security Ops and Hunters section on the deep dive into the Solorigate\r\nsecond-stage activation: From SUNBURST to TEARDROP and Raindrop\r\n2021-01-15 Added link to the Information for Security Admins section on Microsoft Defender for Identity\r\nexpands support to AD FS servers and Increasing resilience against Solorigate and other sophisticated\r\nattacks with Microsoft Defender\r\n2020-12-31 Added link to Microsoft Internal Solorigate Investigation Update\r\n2020-12-28 Added link to Using Microsoft 365 Defender to protect against Solorigate to Information for\r\nSecurity Operations and Hunters and MCAS docs link in Specific guidance for Microsoft Security products\r\nand solutions section\r\n2020-12-22: Added links to an article from Alex Weinert on Azure AD workbook to help you assess\r\nSolorigate risk in the Hunting Section\r\n2020-12-21: Published\r\nSource: https://msrc-blog.microsoft.com/2020/12/21/december-21st-2020-solorigate-resource-center/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://msrc-blog.microsoft.com/2020/12/21/december-21st-2020-solorigate-resource-center/"
	],
	"report_names": [
		"december-21st-2020-solorigate-resource-center"
	],
	"threat_actors": [
		{
			"id": "b43e5ea9-d8c8-4efa-b5bf-f1efb37174ba",
			"created_at": "2022-10-25T16:07:24.36191Z",
			"updated_at": "2026-04-10T02:00:04.954902Z",
			"deleted_at": null,
			"main_name": "UNC2452",
			"aliases": [
				"Dark Halo",
				"Nobelium",
				"SolarStorm",
				"StellarParticle",
				"UNC2452"
			],
			"source_name": "ETDA:UNC2452",
			"tools": [],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "1d3f9dec-b033-48a5-8b1e-f67a29429e89",
			"created_at": "2022-10-25T15:50:23.739197Z",
			"updated_at": "2026-04-10T02:00:05.275809Z",
			"deleted_at": null,
			"main_name": "UNC2452",
			"aliases": [
				"UNC2452",
				"NOBELIUM",
				"StellarParticle",
				"Dark Halo"
			],
			"source_name": "MITRE:UNC2452",
			"tools": [
				"Sibot",
				"Mimikatz",
				"Cobalt Strike",
				"AdFind",
				"GoldMax"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "a241a1ca-2bc9-450b-a07b-aae747ee2710",
			"created_at": "2024-06-19T02:03:08.150052Z",
			"updated_at": "2026-04-10T02:00:03.737173Z",
			"deleted_at": null,
			"main_name": "IRON RITUAL",
			"aliases": [
				"APT29",
				"Blue Dev 5 ",
				"BlueBravo ",
				"Cloaked Ursa ",
				"CozyLarch ",
				"Dark Halo ",
				"Midnight Blizzard ",
				"NOBELIUM ",
				"StellarParticle ",
				"UNC2452 "
			],
			"source_name": "Secureworks:IRON RITUAL",
			"tools": [
				"Brute Ratel C4",
				"Cobalt Strike",
				"EnvyScout",
				"GoldFinder",
				"GoldMax",
				"NativeZone",
				"RAINDROP",
				"SUNBURST",
				"Sibot",
				"TEARDROP",
				"VaporRage"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "46b3c0fc-fa0c-4d63-a38a-b33a524561fb",
			"created_at": "2023-01-06T13:46:38.393409Z",
			"updated_at": "2026-04-10T02:00:02.955738Z",
			"deleted_at": null,
			"main_name": "APT29",
			"aliases": [
				"Cloaked Ursa",
				"TA421",
				"Blue Kitsune",
				"BlueBravo",
				"IRON HEMLOCK",
				"G0016",
				"Nobelium",
				"Group 100",
				"YTTRIUM",
				"Grizzly Steppe",
				"ATK7",
				"ITG11",
				"COZY BEAR",
				"The Dukes",
				"Minidionis",
				"UAC-0029",
				"SeaDuke"
			],
			"source_name": "MISPGALAXY:APT29",
			"tools": [
				"SNOWYAMBER",
				"HALFRIG",
				"QUARTERRIG"
			],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "70872c3a-e788-4b55-a7d6-b2df52001ad0",
			"created_at": "2023-01-06T13:46:39.18401Z",
			"updated_at": "2026-04-10T02:00:03.239111Z",
			"deleted_at": null,
			"main_name": "UNC2452",
			"aliases": [
				"DarkHalo",
				"StellarParticle",
				"NOBELIUM",
				"Solar Phoenix",
				"Midnight Blizzard"
			],
			"source_name": "MISPGALAXY:UNC2452",
			"tools": [
				"SNOWYAMBER",
				"HALFRIG",
				"QUARTERRIG"
			],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "20d3a08a-3b97-4b2f-90b8-92a89089a57a",
			"created_at": "2022-10-25T15:50:23.548494Z",
			"updated_at": "2026-04-10T02:00:05.292748Z",
			"deleted_at": null,
			"main_name": "APT29",
			"aliases": [
				"APT29",
				"IRON RITUAL",
				"IRON HEMLOCK",
				"NobleBaron",
				"Dark Halo",
				"NOBELIUM",
				"UNC2452",
				"YTTRIUM",
				"The Dukes",
				"Cozy Bear",
				"CozyDuke",
				"SolarStorm",
				"Blue Kitsune",
				"UNC3524",
				"Midnight Blizzard"
			],
			"source_name": "MITRE:APT29",
			"tools": [
				"PinchDuke",
				"ROADTools",
				"WellMail",
				"CozyCar",
				"Mimikatz",
				"Tasklist",
				"OnionDuke",
				"FatDuke",
				"POSHSPY",
				"EnvyScout",
				"SoreFang",
				"GeminiDuke",
				"reGeorg",
				"GoldMax",
				"FoggyWeb",
				"SDelete",
				"PolyglotDuke",
				"AADInternals",
				"MiniDuke",
				"SeaDuke",
				"Sibot",
				"RegDuke",
				"CloudDuke",
				"GoldFinder",
				"AdFind",
				"PsExec",
				"NativeZone",
				"Systeminfo",
				"ipconfig",
				"Impacket",
				"Cobalt Strike",
				"PowerDuke",
				"QUIETEXIT",
				"HAMMERTOSS",
				"BoomBox",
				"CosmicDuke",
				"WellMess",
				"VaporRage",
				"LiteDuke"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "f27790ff-4ee0-40a5-9c84-2b523a9d3270",
			"created_at": "2022-10-25T16:07:23.341684Z",
			"updated_at": "2026-04-10T02:00:04.549917Z",
			"deleted_at": null,
			"main_name": "APT 29",
			"aliases": [
				"APT 29",
				"ATK 7",
				"Blue Dev 5",
				"BlueBravo",
				"Cloaked Ursa",
				"CloudLook",
				"Cozy Bear",
				"Dark Halo",
				"Earth Koshchei",
				"G0016",
				"Grizzly Steppe",
				"Group 100",
				"ITG11",
				"Iron Hemlock",
				"Iron Ritual",
				"Midnight Blizzard",
				"Minidionis",
				"Nobelium",
				"NobleBaron",
				"Operation Ghost",
				"Operation Office monkeys",
				"Operation StellarParticle",
				"SilverFish",
				"Solar Phoenix",
				"SolarStorm",
				"StellarParticle",
				"TEMP.Monkeys",
				"The Dukes",
				"UNC2452",
				"UNC3524",
				"Yttrium"
			],
			"source_name": "ETDA:APT 29",
			"tools": [
				"7-Zip",
				"ATI-Agent",
				"AdFind",
				"Agentemis",
				"AtNow",
				"BEATDROP",
				"BotgenStudios",
				"CEELOADER",
				"Cloud Duke",
				"CloudDuke",
				"CloudLook",
				"Cobalt Strike",
				"CobaltStrike",
				"CosmicDuke",
				"Cozer",
				"CozyBear",
				"CozyCar",
				"CozyDuke",
				"Danfuan",
				"EnvyScout",
				"EuroAPT",
				"FatDuke",
				"FoggyWeb",
				"GeminiDuke",
				"Geppei",
				"GoldFinder",
				"GoldMax",
				"GraphDrop",
				"GraphicalNeutrino",
				"GraphicalProton",
				"HAMMERTOSS",
				"HammerDuke",
				"LOLBAS",
				"LOLBins",
				"LiteDuke",
				"Living off the Land",
				"MagicWeb",
				"Mimikatz",
				"MiniDionis",
				"MiniDuke",
				"NemesisGemina",
				"NetDuke",
				"OnionDuke",
				"POSHSPY",
				"PinchDuke",
				"PolyglotDuke",
				"PowerDuke",
				"QUIETEXIT",
				"ROOTSAW",
				"RegDuke",
				"Rubeus",
				"SNOWYAMBER",
				"SPICYBEAT",
				"SUNSHUTTLE",
				"SeaDaddy",
				"SeaDask",
				"SeaDesk",
				"SeaDuke",
				"Sharp-SMBExec",
				"SharpView",
				"Sibot",
				"Solorigate",
				"SoreFang",
				"TinyBaron",
				"WINELOADER",
				"WellMail",
				"WellMess",
				"cobeacon",
				"elf.wellmess",
				"reGeorg",
				"tDiscoverer"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434407,
	"ts_updated_at": 1775792253,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/63c224a6ee47c31aedcef58fddaae312408c58c7.pdf",
		"text": "https://archive.orkl.eu/63c224a6ee47c31aedcef58fddaae312408c58c7.txt",
		"img": "https://archive.orkl.eu/63c224a6ee47c31aedcef58fddaae312408c58c7.jpg"
	}
}