{
	"id": "1a6781bc-d816-47ab-a037-04eb208c1aa4",
	"created_at": "2026-04-06T00:18:59.734044Z",
	"updated_at": "2026-04-10T03:32:26.513448Z",
	"deleted_at": null,
	"sha1_hash": "bcb60398ee472f7c04cac58043080388e8e166c4",
	"title": "A moment of reckoning: the need for a strong and global cybersecurity response - Microsoft On the Issues",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 434635,
	"plain_text": "A moment of reckoning: the need for a strong and global\r\ncybersecurity response - Microsoft On the Issues\r\nBy Brad Smith\r\nPublished: 2020-12-18 · Archived: 2026-04-05 19:26:50 UTC\r\nThe final weeks of a challenging year have proven even more difficult with the recent exposure of the world’s\r\nlatest serious nation-state cyberattack. This latest cyber-assault is effectively an attack on the United States and its\r\ngovernment and other critical institutions, including security firms. It illuminates the ways the cybersecurity\r\nlandscape continues to evolve and become even more dangerous. As much as anything, this attack provides a\r\nmoment of reckoning. It requires that we look with clear eyes at the growing threats we face and commit to more\r\neffective and collaborative leadership by the government and the tech sector in the United States to spearhead a\r\nstrong and coordinated global cybersecurity response.\r\nThe evolving threats\r\nThe past 12 months have produced a watershed year with evolving cybersecurity threats on three eye-opening\r\nfronts.\r\nThe first is the continuing rise in the determination and sophistication of nation-state attacks. In the past\r\nweek this has again burst into the headlines with the story of an attack on the firm FireEye using malware inserted\r\ninto network management software provided to customers by the tech company SolarWinds. This has already led\r\nto subsequent news reports of penetration into multiple parts of the U.S. Government. We should all be prepared\r\nfor stories about additional victims in the public sector and other enterprises and organizations. As FireEye CEO\r\nKevin Mandia stated after disclosing the recent attack, “We are witnessing an attack by a nation with top-tier\r\noffensive capabilities.”\r\nAs Microsoft cybersecurity experts assist in the response, we have reached the same conclusion. 
The attack\r\nunfortunately represents a broad and successful espionage-based assault on both the confidential information of\r\nthe U.S. Government and the tech tools used by firms to protect them. The attack is ongoing and is being actively\r\ninvestigated and addressed by cybersecurity teams in the public and private sectors, including Microsoft. As our\r\nteams act as first responders to these attacks, these ongoing investigations reveal an attack that is remarkable for\r\nits scope, sophistication and impact.\r\nThere are broader ramifications as well, which are even more disconcerting. First, while governments have spied\r\non each other for centuries, the recent attackers used a technique that has put at risk the technology supply chain\r\nfor the broader economy. As SolarWinds has reported, the attackers installed their malware into an upgrade of the\r\ncompany’s Orion product that may have been installed by more than 17,000 customers.\r\nThe nature of the initial phase of the attack and the breadth of supply chain vulnerability is illustrated clearly in\r\nthe map below, which is based on telemetry from Microsoft’s Defender Anti-Virus software. This identifies\r\ncustomers who use Defender and who installed versions of SolarWinds’ Orion software containing the attackers’\r\nhttps://blogs.microsoft.com/on-the-issues/2020/12/17/cyberattacks-cybersecurity-solarwinds-fireeye/\r\nPage 1 of 8\n\nmalware. As this makes clear, this aspect of the attack created a supply chain vulnerability of nearly global\r\nimportance, reaching many major national capitals outside Russia. This also illustrates the heightened level of\r\nvulnerability in the United States.\r\nThe installation of this malware created an opportunity for the attackers to follow up and pick and choose from\r\namong these customers the organizations they wanted to further attack, which it appears they did in a narrower\r\nand more focused fashion. 
While investigations (and the attacks themselves) continue, Microsoft has identified\r\nand has been working this week to notify more than 40 customers that the attackers targeted more precisely and\r\ncompromised through additional and sophisticated measures.\r\nWhile roughly 80% of these customers are located in the United States, this work so far has also identified victims\r\nin seven additional countries. This includes Canada and Mexico in North America; Belgium, Spain and the United\r\nKingdom in Europe; and Israel and the UAE in the Middle East. It’s certain that the number and location of\r\nvictims will keep growing.\r\nAdditional analysis sheds added light on the breadth of these attacks. The initial list of victims includes not only\r\ngovernment agencies, but security and other technology firms as well as non-governmental organizations, as\r\nshown in the chart below.\r\nIt’s critical that we step back and assess the significance of these attacks in their full context. This is not\r\n“espionage as usual,” even in the digital age. Instead, it represents an act of recklessness that created a serious\r\ntechnological vulnerability for the United States and the world. In effect, this is not just an attack on specific\r\ntargets, but on the trust and reliability of the world’s critical infrastructure in order to advance one nation’s\r\nintelligence agency. While the most recent attack appears to reflect a particular focus on the United States and\r\nmany other democracies, it also provides a powerful reminder that people in virtually every country are at risk and\r\nneed protection irrespective of the governments they live under.\r\nAs we have now seen repeatedly, Silicon Valley is not the only home of ingenious software developers. 
Russian\r\nengineers in 2016 identified weaknesses in password protection and social media platforms, hacked their way into\r\nAmerican political campaigns, and used disinformation to sow divisions among the electorate. They repeated the\r\nexercise in the 2017 French presidential campaign. As tracked by Microsoft’s Threat Intelligence Center and\r\nDigital Crimes Unit, these techniques have impacted victims in more than 70 countries, including most of the\r\nworld’s democracies. The most recent attack reflects an unfortunate but similarly ingenious capability to identify\r\nweaknesses in cybersecurity protection and exploit them.\r\nThese types of sophisticated nation-state attacks are increasingly being compounded by another technology trend,\r\nwhich is the opportunity to augment human capabilities with artificial intelligence (AI). One of the more chilling\r\ndevelopments this year has been what appears to be new steps to use AI to weaponize large stolen datasets about\r\nindividuals and spread targeted disinformation using text messages and encrypted messaging apps. We should all\r\nassume that, like the sophisticated attacks from Russia, this too will become a permanent part of the threat\r\nlandscape.\r\nThankfully, there is a limited number of governments that can invest in the talent needed to attack with this level\r\nof sophistication. In our first Microsoft Digital Defense Report, released in September, we reviewed our\r\nassessment of 14 nation-state groups involved in cybersecurity attacks. Eleven of the 14 are in only three\r\ncountries.\r\nAll this is changing because of a second evolving threat, namely the growing privatization of cybersecurity\r\nattacks through a new generation of private companies, akin to 21st-century mercenaries. 
This phenomenon\r\nhas reached the point where it has acquired its own acronym – PSOAs, for private sector offensive actors.\r\nUnfortunately, this is not an acronym that will make the world a better place.\r\nOne illustrative company in this new sector is the NSO Group, based in Israel and now involved in U.S. litigation.\r\nNSO created and sold to governments an app called Pegasus, which could be installed on a device simply by\r\ncalling the device via WhatsApp; the device’s owner did not even have to answer. According to WhatsApp, NSO\r\nused Pegasus to access more than 1,400 mobile devices, including those belonging to journalists and human rights\r\nactivists.\r\nNSO represents the increasing confluence between sophisticated private-sector technology and nation-state\r\nattackers. Citizen Lab, a research laboratory at the University of Toronto, has identified more than 100 abuse cases\r\nregarding NSO alone. But it is hardly alone. Other companies are increasingly rumored to be joining in what has\r\nbecome a new $12 billion global technology market.\r\nThis represents a growing option for nation-states to either build or buy the tools needed for sophisticated\r\ncyberattacks. And if there has been one constant in the world of software over the past five decades, it is that\r\nmoney is always more plentiful than talent. An industry segment that aids offensive cyberattacks spells bad news\r\non two fronts. First, it adds even more capability to the leading nation-state attackers, and second, it generates\r\ncyberattack proliferation to other governments that have the money but not the people to create their own\r\nweapons. In short, it adds another significant element to the cybersecurity threat landscape.\r\nThere is a third and final sobering development worth noting from what has obviously been a challenging\r\nyear. 
This comes from the intersection between cyberattacks and COVID-19 itself.\r\nOne might have hoped that a pandemic that cut short millions of lives might at least have received a pass from the\r\nworld’s cyberattacks. But that was not the case. After a brief lull in March, cyberattackers took aim at hospitals\r\nand public health authorities, from local governments to the World Health Organization (WHO). As humanity\r\nraced to develop vaccines, Microsoft security teams detected three nation-state actors targeting seven prominent\r\ncompanies directly involved in researching vaccines and treatments for COVID-19. A crisis always seems to bring\r\nout the best and worst in people, so perhaps we should not be surprised that this global crisis was no exception.\r\nPut together, however, these three trends point to a cybersecurity landscape that is even more daunting than when\r\nthe year began. The most determined nation-state attackers are becoming more sophisticated. Risks are both\r\ngrowing and spreading to other governments through new private sector companies that aid and abet nation-state\r\nattackers. And nothing, not even a pandemic, is off limits to these attackers.\r\nWe live in a more dangerous world, and it requires a stronger and more coordinated response.\r\nA more effective strategy as we enter a new year\r\nPut simply, we need a more effective national and global strategy to protect against cyberattacks. It will\r\nneed multiple parts, but perhaps most important, it must start with the recognition that governments and the tech\r\nsector will need to act together.\r\nThe new year creates an opportunity to turn a page on recent American unilateralism and focus on the collective\r\naction that is indispensable to cybersecurity protection. 
The United States did not win World War II, the Cold War\r\nor even its own independence by fighting alone. In a world where authoritarian countries are launching\r\ncyberattacks against the world’s democracies, it is more important than ever for democratic governments to work\r\ntogether – sharing information and best practices, and coordinating not just on cybersecurity protection but on\r\ndefensive measures and responses.\r\nUnlike attacks from the past, cybersecurity threats also require a unique level of collaboration between the public\r\nand private sectors. Today’s technology infrastructure, from data centers to fiberoptic cables, is most often owned\r\nand operated by private companies. These represent not only much of the infrastructure that needs to be secured\r\nbut the surface area where new cyberattacks typically are first spotted. For this reason, effective cyber-defense\r\nrequires not just a coalition of the world’s democracies, but a coalition with leading tech companies.\r\nTo be successful, this coalition will need to do three things more effectively in the future:\r\nFirst, we need to take a major step forward in the sharing and analysis of threat intelligence. In a new year\r\nthat will mark the 20th anniversary of 9/11, we should remember one of the lessons from the tragic day that the\r\n9/11 Commission called “a shock but not a surprise.” A recurring theme of the commission’s findings was the\r\ninability across government agencies to build collective knowledge by connecting data points together. 
The\r\ncommission therefore focused its first recommendation on “unifying strategic intelligence” and moving from the\r\n“need to know” to the “need to share.”\r\nIf there is an initial question for the incoming Biden-Harris Administration and America’s allies, it is this: Is the\r\nsharing of cybersecurity threat intelligence today better or worse than it was for terrorist threats before 9/11?\r\nIn the wake of this most recent attack, perhaps no company has done more work than Microsoft to support\r\nagencies across the federal government. As much as we appreciate the commitment and professionalism of so\r\nmany dedicated public servants, it is apparent to us that the current state of information-sharing across the\r\ngovernment is far from where it needs to be. It too often seems that federal agencies currently fail to act in a\r\ncoordinated way or in accordance with a clearly defined national cybersecurity strategy. While parts of the federal\r\ngovernment have been quick to seek input, information sharing with first responders in a position to act has been\r\nlimited. During a cyber incident of national significance, we need to do more to prioritize the information-sharing\r\nand collaboration needed for swift and effective action. In many respects, we risk as a nation losing sight of some\r\nof the most important lessons identified by the 9/11 Commission.\r\nOne indicator of the current situation is reflected in the federal government’s insistence on restricting through its\r\ncontracts our ability to let even one part of the federal government know what other part has been attacked.\r\nInstead of encouraging a “need to share,” this turns information sharing into a breach of contract. 
It literally has\r\nturned the 9/11 Commission’s recommendations upside down.\r\nIt will be critical for the incoming Biden-Harris Administration to move quickly and decisively to address this\r\nsituation. One ready-made opportunity is to establish a national cybersecurity director as recommended by the\r\nSolarium Commission and provided for in the National Defense Authorization Act.\r\nEffective progress will also require a second realization that goes beyond anything the 9/11 Commission needed to\r\nconfront. Cybersecurity threat intelligence exists in even more disconnected silos than more traditional\r\ninformation about national security threats. This is because it is spread not only among different agencies and\r\ngovernments but across multiple private sector companies as well. Even within a large company like Microsoft,\r\nwe have learned that it is critical for our Threat Intelligence Center to aggregate and analyze data from across our\r\ndata centers and services. And when there is a major threat, we need to share information and collective\r\nassessments with other tech companies.\r\nRecent years have brought several important steps to better share cybersecurity information, and we greatly\r\nappreciate the dedication and support of many key people across the U.S. government. But we still lack a formal\r\nand cohesive national strategy for the sharing of cybersecurity threat intelligence between the public and private\r\nsectors. 
While there need to be important safeguards to protect government secrets and private citizens’ privacy,\r\nthe time has come for a more systemic and innovative approach to the sharing and analysis of threat intelligence\r\nwith those best positioned to act.\r\nSecond, we need to strengthen international rules to put reckless nation-state behavior out of bounds and\r\nensure that domestic laws thwart the rise of the cyberattack ecosystem. While the world has important\r\ninternational norms and laws to address nation-state attacks, we continue to believe it is important to fill in gaps\r\nand continue to develop clear and binding legal obligations for cyberspace.\r\nThis should build on the lessons of 2020 and prioritize key and specific areas. For example, it should include the\r\ncontinued development of rules to expressly forbid the type of broad and reckless activity used against\r\nSolarWinds and its customers, which tampered with legitimate software and threatened the stability of a broader\r\nsoftware supply chain. The international community has been moving in this direction, building on a 2015 report\r\nby a United Nations Group of Governmental Experts that received broad UN endorsement last year, as well as\r\nmulti-stakeholder support by the Global Commission on the Stability of Cyberspace (GCSC). The U.S.\r\ngovernment and its allies need to make crystal clear their views that this type of supply chain attack falls outside\r\nthe bounds of international law.\r\nWe need similar strong and effective endorsements of rules that put attacks on health care institutions and vaccine\r\nproviders off limits. (The recently convened Oxford Process has done important work to highlight the protections\r\nexisting international law affords in this context.) 
And international rules should include stronger protections of\r\ndemocratic and electoral processes, as reflected in the principles of the Paris Call for Trust and Security in\r\nCyberspace, which now has more than 1,000 signatories – the largest multi-stakeholder group ever assembled in\r\nsupport of an international cybersecurity-focused agreement.\r\nIn addition, governments should take new and concerted steps to thwart the rise of private sector offensive actors.\r\nAs described above, these companies in effect have created a new ecosystem to support offensive nation-state\r\nattacks. The sooner governments take action to put this ecosystem out of business, the better.\r\nAn early opportunity for the Biden-Harris Administration will come in an appellate judicial case involving the\r\nNSO Group itself. NSO has appealed a lower court finding that it is not immune from claims that it violated the\r\nU.S. Computer Fraud and Abuse Act by accessing mobile devices without permission. Its argument is that it is\r\nimmune from U.S. law because it is acting on behalf of a foreign government customer and hence shares that\r\ngovernment’s legal immunity. NSO’s proposed recipe would make a bad problem even worse, which is why\r\nMicrosoft is joining with other companies in opposing this interpretation. The Biden-Harris Administration should\r\nweigh in with a similar view.\r\nNSO’s legal approach, while disconcerting, does the world a service by highlighting the path needed to thwart this\r\nnew cyberattack ecosystem. It’s to ensure that domestic laws clearly and strongly prohibit companies from helping\r\ngovernments engage in unlawful and offensive cyberattacks and investors from knowingly financing them.\r\nConsider the analogy to other forms of societally harmful activity, like human trafficking, narcotics or terrorism\r\nitself. 
Governments not only take strong steps to prohibit the illegal activity itself – such as engaging in drug\r\ntrafficking – but also ensure that airlines don’t transport the drugs and investors don’t finance the activity.\r\nA similar approach is needed to deter private sector offensive actors. We need steps to ensure, for example, that\r\nAmerican and other investors don’t knowingly fuel the growth of this type of illegal activity. And the United\r\nStates should proactively pursue discussions with other countries that are giving rise to these companies, including\r\nIsrael, which has a strong cybersecurity ecosystem that can be drawn into dangerous support of authoritarian\r\nregimes.\r\nFinally, we need stronger steps to hold nation-states accountable for cyberattacks. Governments and private\r\ncompanies have taken stronger steps in recent years to hold nation-states publicly accountable for cyberattacks.\r\nWe need to build on this course and continue to press forward with it, with governments ensuring that there are\r\ngreater real-world consequences for these attacks to promote stability and discourage conflict.\r\nThe world’s democracies took important steps in 2017 and 2018, led by the United States. With public statements\r\nabout WannaCry and NotPetya, multiple governments attributed these attacks publicly to the North Korean and\r\nRussian governments, respectively. These types of coordinated public attributions have become an important tool\r\nto respond to nation-state attacks. The United States followed with stronger deterrent steps to protect the 2018\r\nmid-term elections, and an even more concerted effort to successfully deter foreign tampering with voting in the\r\n2020 Presidential elections.\r\nIn the private sector, circumstances have also changed dramatically since the early days in 2016 when we at\r\nMicrosoft took legal action to thwart Russian cyberattacks on American political campaigns but were reluctant to\r\nspeak publicly about it. 
In the years since, companies such as Microsoft, Google, Facebook and Twitter have all\r\nacted and spoken directly and publicly when responding to nation-state cyberattacks. Moreover, a coalition of\r\nmore than 145 global technology companies has signed on to the Cybersecurity Tech Accord – committing\r\nthemselves to upholding four principles of responsible behavior to promote peace and security online, including\r\nopposing cyberattacks against innocent civilians and enterprises.\r\nThe coming months will present a critical test, not only for the United States but for other leading democracies\r\nand technology companies. The weeks ahead will provide mounting and we believe indisputable evidence about\r\nthe source of these recent attacks. It will become even clearer that they reflect not just the latest technology\r\napplied to traditional espionage, but a reckless and broad endangerment of the digital supply chain and our most\r\nimportant economic, civic and political institutions. It is the type of international assault that requires the type of\r\ncollective response that shows that serious violations have consequences.\r\nIf there is a common lesson from the past few years, it’s the importance of combining ongoing learning with new\r\ninnovations, greater collaboration, and constant courage. For four centuries, the people of the world have relied on\r\ngovernments to protect them from foreign threats. But digital technology has created a world where governments\r\ncannot take effective action alone. The defense of democracy requires that governments and technology\r\ncompanies work together in new and important ways – to share information, strengthen defenses and respond to\r\nattacks. 
As we put 2020 behind us, the new year provides a new opportunity to move forward on all these fronts.\r\nEditor’s note: 12/17/2020, 7:50pm PT\r\nFollowing news reports about the impact on Microsoft of the SolarWinds issue, the company issued the following\r\nstatement:\r\n“Like other SolarWinds customers, we have been actively looking for indicators of this actor and can confirm that\r\nwe detected malicious SolarWinds binaries in our environment, which we isolated and removed. We have not\r\nfound evidence of access to production services or customer data. Our investigations, which are ongoing, have\r\nfound absolutely no indications that our systems were used to attack others.”\r\nTags: COVID-19, cyberattacks, cybersecurity, Defending Democracy Program, ElectionGuard\r\nSource: https://blogs.microsoft.com/on-the-issues/2020/12/17/cyberattacks-cybersecurity-solarwinds-fireeye/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://blogs.microsoft.com/on-the-issues/2020/12/17/cyberattacks-cybersecurity-solarwinds-fireeye/"
	],
	"report_names": [
		"cyberattacks-cybersecurity-solarwinds-fireeye"
	],
	"threat_actors": [
		{
			"id": "9de1979b-40fc-44dc-855d-193edda4f3b8",
			"created_at": "2025-08-07T02:03:24.92723Z",
			"updated_at": "2026-04-10T02:00:03.755516Z",
			"deleted_at": null,
			"main_name": "GOLD LOCUST",
			"aliases": [
				"Anunak",
				"Carbanak",
				"Carbon Spider ",
				"FIN7 ",
				"Silicon "
			],
			"source_name": "Secureworks:GOLD LOCUST",
			"tools": [
				"Carbanak"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "cfdd35af-bd12-4c03-8737-08fca638346d",
			"created_at": "2022-10-25T16:07:24.165595Z",
			"updated_at": "2026-04-10T02:00:04.887031Z",
			"deleted_at": null,
			"main_name": "Sea Turtle",
			"aliases": [
				"Cosmic Wolf",
				"Marbled Dust",
				"Silicon",
				"Teal Kurma",
				"UNC1326"
			],
			"source_name": "ETDA:Sea Turtle",
			"tools": [
				"Drupalgeddon"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "33ae2a40-02cd-4dba-8461-d0a50e75578b",
			"created_at": "2023-01-06T13:46:38.947314Z",
			"updated_at": "2026-04-10T02:00:03.155091Z",
			"deleted_at": null,
			"main_name": "Sea Turtle",
			"aliases": [
				"UNC1326",
				"COSMIC WOLF",
				"Marbled Dust",
				"SILICON",
				"Teal Kurma"
			],
			"source_name": "MISPGALAXY:Sea Turtle",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "62b1b01f-168d-42db-afa1-29d794abc25f",
			"created_at": "2025-04-23T02:00:55.22426Z",
			"updated_at": "2026-04-10T02:00:05.358041Z",
			"deleted_at": null,
			"main_name": "Sea Turtle",
			"aliases": [
				"Sea Turtle",
				"Teal Kurma",
				"Marbled Dust",
				"Cosmic Wolf",
				"SILICON"
			],
			"source_name": "MITRE:Sea Turtle",
			"tools": [
				"SnappyTCP"
			],
			"source_id": "MITRE",
			"reports": null
		}
	],
	"ts_created_at": 1775434739,
	"ts_updated_at": 1775791946,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/bcb60398ee472f7c04cac58043080388e8e166c4.pdf",
		"text": "https://archive.orkl.eu/bcb60398ee472f7c04cac58043080388e8e166c4.txt",
		"img": "https://archive.orkl.eu/bcb60398ee472f7c04cac58043080388e8e166c4.jpg"
	}
}