Microsoft Joins List of Victims of Massive SolarWinds Hack

By | Managed Services News

Dec 18

Microsoft president Brad Smith said the attack provides a moment of reckoning.

The list of targets in the massive SolarWinds hack now includes Microsoft. Expect more vendors to join the dubious registry.

Microsoft issued the following statement:

“Like other SolarWinds customers, we have been actively looking for indicators of this actor and can confirm that we detected malicious SolarWinds binaries in our environment, which we isolated and removed. We have not found evidence of access to production services or customer data.”

The attackers didn’t use Microsoft’s systems to attack others, it said.

FireEye, which has investigated numerous high-profile data breaches, also fell victim to the SolarWinds hack.

The hackers inserted malicious code into SolarWinds’ Orion software updates sent to nearly 18,000 customers. It existed in updates released between March and June of this year.

This led to security breaches at numerous U.S. government agencies. Those include the Treasury Department, the National Telecommunications and Information Administration (NTIA) and the Department of Homeland Security (DHS). The attacker also breached SolarWinds’ corporate clients.

The Cozy Bear hacking group, which U.S. authorities suggest gets backing from Russian state intelligence, likely performed the SolarWinds hack.

Moment of Reckoning

Brad Smith is Microsoft’s president. He said the attack “illuminates the ways the cybersecurity landscape continues to evolve and becomes even more dangerous.”

Microsoft's Brad Smith

“As much as anything, this attack provides a moment of reckoning,” he said. “It requires that we look with clear eyes at the growing threats we face, and commit to more effective and collaborative leadership by the government and the tech sector in the United States to spearhead a strong and coordinated global cybersecurity response.”

The U.S. Department of Energy is the latest agency confirming it has been breached. However, the breach hasn’t impacted the department’s national security functions, including the National Nuclear Security Administration (NNSA).

The agency took immediate action to mitigate the risk, said Shaylyn Hynes, agency spokesperson. All vulnerable software was disconnected from the DOE network.

Kaspersky Findings

On Friday, Kaspersky released its findings on the Sunburst backdoor, the malware planted in SolarWinds Orion.

Costin Raiu is head of Kaspersky’s global research and analysis team.

Kaspersky's Costin Raiu

“In this case, it would appear the main goal was espionage,” he said. “The attackers showed a deep understanding and knowledge of Office 365, Azure, Exchange, Powershell — and leveraged it in many creative ways to constantly monitor and extract emails from their true victims’ systems.”

One of the things that sets this attack apart is the peculiar victim profiling and validation scheme, Raiu said. The attackers flagged only a handful of the 18,000 Orion IT customers as interesting.

“Finding which of the 18,000 networks were further exploited, receiving more malware, installing persistence mechanisms and exfiltrating data is likely going to cast some light into the attacker’s motives and priorities,” he said.

High-Value Targets

High-value targets include a government organization and a telecommunications company in the United States, according to Kaspersky. It didn’t disclose the identities of the organizations. It has notified both organizations and offered its support in discovering further malicious activity, if needed.

“For those that use Orion IT, we recommend scanning your system with an updated security suite capable of detecting the compromised packages from SolarWinds,” Raiu said. “Check your network traffic for all the publicly known indicators of compromise (IOCs).”
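The kind of check Raiu recommends, matching network logs and package hashes against a published indicator list, is illustrated below. This is an added example and not code from the article, from Kaspersky or from SolarWinds; every domain, hash and log line in it is a constructed placeholder, and a practitioner would load the publicly released Sunburst indicators in place of the placeholder sets.

```python
"""Match constructed DNS log lines and file hashes against a constructed IOC list.

Added illustration, not from the article. All domains, hashes and log lines
below are constructed placeholders, not real Sunburst indicators.
"""
import hashlib

# Constructed placeholder IOCs (NOT real indicators); replace with the
# published list when running against real telemetry.
IOC_DOMAINS = {
    "placeholder-c2.example",
}
IOC_SHA256 = {
    hashlib.sha256(b"constructed compromised package bytes").hexdigest(),
}

# Constructed DNS log lines in a simple "timestamp client qtype name" form.
SAMPLE_DNS_LOG = """\
2020-12-14T10:01:02Z 10.0.0.5 A updates.example.org
2020-12-14T10:01:07Z 10.0.0.9 A abc123.placeholder-c2.example
2020-12-14T10:02:11Z 10.0.0.5 A mail.example.org
"""


def domain_matches(name, ioc_domains=IOC_DOMAINS):
    """True if the queried name is an IOC domain or a subdomain of one.

    Subdomain matching matters because beaconing malware commonly prepends a
    per-victim label to its command-and-control domain.
    """
    name = name.lower().rstrip(".")
    return any(name == d or name.endswith("." + d) for d in ioc_domains)


def scan_dns_log(log_text, ioc_domains=IOC_DOMAINS):
    """Return (client_ip, queried_name) pairs whose name hits the IOC list."""
    hits = []
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue  # skip malformed lines rather than abort the whole scan
        _ts, client, _qtype, name = parts
        if domain_matches(name, ioc_domains):
            hits.append((client, name))
    return hits


def file_matches(data, ioc_hashes=IOC_SHA256):
    """True if the SHA-256 of the given bytes is on the IOC hash list."""
    return hashlib.sha256(data).hexdigest() in ioc_hashes


if __name__ == "__main__":
    # Expected: one hit from client 10.0.0.9 on the placeholder C2 domain.
    print(scan_dns_log(SAMPLE_DNS_LOG))
    print(file_matches(b"constructed compromised package bytes"))
```

In practice the log source would be the resolver or proxy logs, and the hash check would be run over the installed Orion package files; the matching logic itself does not change.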

Kaspersky has spent the past few days checking its own telemetry for signs of this attack, writing …
