Microsoft Caught Up in SolarWinds Spy Effort, Joining Federal Agencies


The ongoing, growing campaign is “effectively an attack on the United States and its government and other critical institutions,” Microsoft warned.


Microsoft has become the latest victim of the ever-widening SolarWinds-driven cyberattack that has impacted rafts of federal agencies and tech targets. Its president, Brad Smith, warned late Thursday to expect many more victims to come to light as investigations continue.

Adversaries were able to use SolarWinds’ Orion network management platform to infect users with a stealth backdoor called “Sunburst” or “Solorigate,” which opened the way for lateral movement to other parts of a network. It was pushed out via trojanized product updates to almost 18,000 organizations around the globe, starting nine months ago. Once embedded, the attackers have been able to pick and choose which organizations to further penetrate.

“Like other SolarWinds customers, we have been actively looking for indicators of this actor and can confirm that we detected malicious SolarWinds binaries in our environment, which we isolated and removed,” a Microsoft spokesperson said in a media statement. Microsoft and FireEye have created a “kill switch” for the backdoor that can defang it — though that doesn’t help remediate infections that have spread to other areas of networks.
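The detection-and-isolation step Microsoft describes above (finding trojanized vendor binaries in an environment and removing them), shown as an added example that is not part of this article and is not Microsoft’s or FireEye’s tooling. It is a hash-based triage scan over a product install directory: each file is classified as known-bad, known-good or unknown, and known-bad files are moved to a quarantine folder for forensics. Every file name, hash and directory here is constructed for illustration; no real Sunburst/Solorigate indicators appear, and a real scan would take its lists from the vendor’s and the responders’ published advisories.

```python
"""Added example (not from the article, Microsoft or FireEye): a hash-based
triage scan of a vendor install directory, the kind of check a defender runs
after learning that a trusted product update was trojanized.

Every hash and file here is CONSTRUCTED for illustration. Real indicators for
the trojanized builds must be taken from published advisories; none appear
in this script."""
import hashlib
import shutil
import tempfile
from pathlib import Path
from typing import Dict, Optional, Tuple


def sha256_of(path: Path) -> str:
    """Stream the file so large binaries do not have to fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


# Constructed stand-ins for (a) the vendor's published hashes of clean builds
# and (b) a known-bad indicator list. In practice both come from advisories.
KNOWN_GOOD = {hashlib.sha256(b"constructed: clean vendor build").hexdigest()}
KNOWN_BAD = {hashlib.sha256(b"constructed: trojanized vendor build").hexdigest()}


def build_sample_tree() -> Path:
    """Create a throwaway directory that mimics a product install folder.
    File names are hypothetical; the contents are constructed sample bytes."""
    root = Path(tempfile.mkdtemp(prefix="vendor_scan_"))
    (root / "Vendor.Core.dll").write_bytes(b"constructed: clean vendor build")
    (root / "Vendor.BusinessLayer.dll").write_bytes(b"constructed: trojanized vendor build")
    (root / "Vendor.Plugin.dll").write_bytes(b"constructed: unrecognised third-party plugin")
    return root


def triage(root: Path, quarantine: Optional[Path] = None) -> Dict[str, Tuple[str, str]]:
    """Classify each file under `root` as known-bad, known-good or unknown by SHA-256.

    Known-bad files are moved to `quarantine` (which must lie outside `root`)
    so they stop executing but remain available for forensics. Unknown files
    are only reported: a hash list proves nothing about a build it has never
    seen, so they need a signature check or vendor confirmation, not a guess.
    """
    verdicts: Dict[str, Tuple[str, str]] = {}
    # Materialise the file list first so quarantining does not disturb the walk.
    for path in sorted(p for p in root.rglob("*") if p.is_file()):
        digest = sha256_of(path)
        if digest in KNOWN_BAD:
            verdict = "known-bad"
            if quarantine is not None:
                quarantine.mkdir(parents=True, exist_ok=True)
                shutil.move(str(path), str(quarantine / path.name))
        elif digest in KNOWN_GOOD:
            verdict = "known-good"
        else:
            verdict = "unknown"
        verdicts[path.relative_to(root).as_posix()] = (verdict, digest)
    return verdicts


if __name__ == "__main__":
    sample_root = build_sample_tree()
    quarantine_dir = sample_root.parent / (sample_root.name + "_quarantine")
    for name, (verdict, digest) in triage(sample_root, quarantine_dir).items():
        print(f"{verdict:10s} {digest[:16]}...  {name}")
```

A hash match only confirms samples that have already been catalogued, and quarantining the binary does not undo anything the backdoor already did; as the article notes of the kill switch, disabling the implant does not remediate the lateral movement it enabled. Files that come back “unknown” should be verified against the vendor’s code-signing certificate or confirmed with the vendor rather than assumed clean.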

In a Thursday evening blog post, Smith described the “broad and successful espionage-based assault” as “ongoing” and “remarkable for its scope, sophistication and impact.”

Smith noted, “we should all be prepared for stories about additional victims in the public sector and other enterprises and organizations.”

To that point, he said that Microsoft has so far notified 40 of its security customers that its products have found indicators of compromise on their networks, and that the attackers targeted them “more precisely and compromised through additional and sophisticated measures,” with more victims to come.

Around 80 percent of those customers have been located in the United States, Smith said, with the remaining located in Canada and Mexico in North America; Belgium, Spain and the United Kingdom in Europe; and Israel and the UAE in the Middle East. They are government agencies, security and other technology firms, and non-governmental organizations.

The supply-chain attack vector used for initial access (SolarWinds’ Orion software) also allowed the attackers to reach “many major national capitals outside Russia,” Smith said. “This also illustrates the heightened level of vulnerability in the United States.”

Figure: Victims who are Microsoft security customers, by industry sector.

However, above all, the campaign is “effectively an attack on the United States and its government and other critical institutions,” he warned.

So far, there are six known federal entities that have been impacted by the attack: The Pentagon, the Department of Energy, the Department of Homeland Security, the National Institute of Health, the Department of Treasury and the Department of Commerce.

Microsoft’s update comes as the U.S. Cybersecurity and Infrastructure Security Agency (CISA) warned that there could be additional initial-access vectors used by the attackers, beyond the SolarWinds Orion platform.

“CISA has evidence of additional initial access vectors, other than the SolarWinds Orion platform; however, these are still being investigated,” it said in an updated bulletin on Thursday.

Sources told Reuters that the hackers used Microsoft’s Azure cloud offerings as part of their attacks, but the Microsoft spokesperson said that there are “no indications that our systems were used to attack others.”

Unprepared for Response?

In a report breaking the news that the DoE, keeper of the nuclear arsenal, has been impacted by the attack, sources said that CISA admitted that it was overwhelmed and lacked the resources to properly respond. It’s also suffering from a lack of leadership: Its top official, Christopher Krebs, was fired for calling the 2020 U.S. Presidential election secure, and he has not been replaced.

This adds to an already chaotic cybersecurity posture in the federal government, Smith noted.

“It too often seems that federal agencies currently fail to act in a coordinated way or in accordance with a clearly defined national cybersecurity strategy,” Smith wrote. “While parts of the federal government have been quick to seek input, information sharing with first responders in a position to act has been limited. During a cyber-incident of national significance, we need to do more to prioritize the information-sharing and collaboration needed for swift and effective action. In many respects, we risk as a nation losing sight of some of the most important lessons identified by the 9/11 Commission.”

U.S. Secretary of State Mike Pompeo noted on Saturday that Russia is likely behind the attacks. FireEye CEO Kevin Mandia said earlier this week that “We are witnessing an attack by a nation with top-tier offensive capabilities.” Smith noted that Microsoft has reached the same conclusion.

As for which government is behind the attacks, researchers and lawmakers alike, citing the highly sophisticated nature of the attack, have said the intrusions were likely carried out by Russian intelligence, though the U.S. has not officially made any attribution.

A classified briefing from the FBI and other agencies for members of Congress on the attacks is scheduled for Friday.

Updated on Saturday at Noon ET to reflect Pompeo’s attribution remarks.
