{
	"id": "5aa8477b-5753-432a-baa0-50d1e526aa60",
	"created_at": "2026-04-06T00:12:27.692092Z",
	"updated_at": "2026-04-10T03:20:52.028037Z",
	"deleted_at": null,
	"sha1_hash": "dc58083e984df22e6e39a6a4fd84d8cd179abcbb",
	"title": "Important steps for customers to protect themselves from recent nation-state cyberattacks",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 35093,
	"plain_text": "Important steps for customers to protect themselves from recent\r\nnation-state cyberattacks\r\nBy John Lambert\r\nPublished: 2020-12-14 · Archived: 2026-04-05 22:58:01 UTC\r\nToday, Microsoft is sharing information and issuing guidance about increased activities from a sophisticated threat\r\nactor that is focused on high value targets such as government agencies and cybersecurity companies. We believe\r\nthis is nation-state activity at significant scale, aimed at both the government and private sector. While we aren’t\r\nsharing any details specific to individual organizations, it is important for us to share greater detail about some of\r\nthe threat activity we’ve uncovered over the past weeks, along with guidance that security industry practitioners\r\ncan use to find and mitigate potential malicious activity.\r\nWe also want to reassure our customers that we have not identified any Microsoft product or cloud service\r\nvulnerabilities in these investigations.\r\nAs part of our ongoing threat research, we monitor for new indicators that could signal attacker activity. As we\r\nrecently shared in our 2020 Digital Defense Report, we’ve delivered over 13,000 notifications to customers\r\nattacked by nation states over the past two years and have observed a rapid increase in sophistication and\r\noperational security capabilities. FireEye’s recent disclosure is consistent with the attacks that we’ve observed,\r\nand we commend FireEye’s disclosure and sharing, as we strongly believe this industry sharing is critical to\r\nprotecting the internet.\r\nBecause of the sophistication of the techniques and operational security capabilities of the actor, we want to\r\nencourage greater scrutiny by the broader community. While these elements aren’t present in every attack, these\r\ntechniques are part of the toolkit of this actor.\r\nAn intrusion through malicious code in the SolarWinds Orion product. This results in the attacker gaining a\r\nfoothold in the network, which the attacker can use to gain elevated credentials. Microsoft Defender now\r\nhas detections for these files. Also, see SolarWinds Security Advisory.\r\nAn intruder using administrative permissions acquired through an on-premises compromise to gain access\r\nto an organization’s trusted SAML token-signing certificate. This enables them to forge SAML tokens that\r\nimpersonate any of the organization’s existing users and accounts, including highly privileged accounts.\r\nAnomalous logins using the SAML tokens created by a compromised token-signing certificate, which can\r\nbe used against any on-premises resources (regardless of identity system or vendor) as well as against any\r\ncloud environment (regardless of vendor) because they have been configured to trust the certificate.\r\nBecause the SAML tokens are signed with their own trusted certificate, the anomalies might be missed by\r\nthe organization.\r\nUsing highly privileged accounts acquired through the technique above or other means, attackers may add\r\ntheir own credentials to existing application service principals, enabling them to call APIs with the\r\npermission assigned to that application.\r\nhttps://blogs.microsoft.com/on-the-issues/2020/12/13/customers-protect-nation-state-cyberattacks/\r\nPage 1 of 2\n\nPlease see customer guidance on recent nation-state cyberattacks for specific details and guidance.\r\nWe believe it’s important to share significant threat activity like what we’re announcing today. We think it’s\r\ncritical that governments and the private sector are increasingly transparent about nation-state activity so we can\r\nall continue the global dialogue about protecting the internet. We also hope publishing this information helps raise\r\nawareness among organizations and individuals about steps they can take to protect themselves.\r\nAs we recommend to our customers, we are also actively looking for indicators in the Microsoft environment and,\r\nto date, have not found evidence of a successful attack.\r\nEven with all the resources we dedicate to cybersecurity, our contribution will be only a small piece of what’s\r\nneeded to address the challenge. It requires policymakers, the business community, government agencies and,\r\nultimately, individuals to make a real difference, and we can only have significant impact through shared\r\ninformation and partnerships. We hope this contribution will help us all work together better to improve the\r\nsecurity of the digital ecosystem.\r\nSource: https://blogs.microsoft.com/on-the-issues/2020/12/13/customers-protect-nation-state-cyberattacks/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MITRE"
	],
	"references": [
		"https://blogs.microsoft.com/on-the-issues/2020/12/13/customers-protect-nation-state-cyberattacks/"
	],
	"report_names": [
		"customers-protect-nation-state-cyberattacks"
	],
	"threat_actors": [],
	"ts_created_at": 1775434347,
	"ts_updated_at": 1775791252,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/dc58083e984df22e6e39a6a4fd84d8cd179abcbb.pdf",
		"text": "https://archive.orkl.eu/dc58083e984df22e6e39a6a4fd84d8cd179abcbb.txt",
		"img": "https://archive.orkl.eu/dc58083e984df22e6e39a6a4fd84d8cd179abcbb.jpg"
	}
}