Microsoft confirms it found compromised SolarWinds code on its systems
But the major target was the US government
Microsoft has acknowledged that it found evidence of the malware that nation state-backed hackers recently used to compromise the networks of multiple federal agencies in the US, but added that the intrusion did not impact customer data or outward-facing systems.
"Like other SolarWinds customers, we have been actively looking for indicators of this actor and can confirm that we detected malicious SolarWinds binaries in our environment, which we isolated and removed," Frank Shaw, Microsoft spokesman, stated on Twitter.
Shaw added that there is no evidence so far to suggest that hackers were able to access customer data or production services. Moreover, the company's security experts found no indications to suggest that hackers used Microsoft systems to target other organisations.
Reuters earlier reported that Microsoft was also hacked 'as part of the suspected Russian campaign,' with attackers 'taking advantage of the widespread use of software from SolarWinds Corp'. Citing people familiar with the matter, Reuters claimed the hackers used Microsoft systems to attack other entities.
Microsoft is a customer of SolarWinds Corp., whose Orion IT software was compromised by hackers to gain access to the networks of various organisations.
The company said earlier this week that fewer than 18,000 customers are thought to have downloaded the compromised software update.
The US Cybersecurity and Infrastructure Security Agency (CISA) issued an emergency directive on Monday, ordering all federal civilian agencies using Orion to disconnect and disable the application, to prevent hackers from launching further cyber attacks.
In a blog post published on Thursday, Microsoft president Brad Smith warned that the initial investigation of the SolarWinds security breach reveals "an attack that is remarkable for its scope, sophistication and impact".
Smith said that the espionage operation may have compromised many other enterprises and organisations, whose hack stories are likely to emerge in the coming days.
He described the breach as a cyber-assault on "the United States and its government and other critical institutions, including security firms".
To illustrate how widespread the breach was, Smith included a map based on telemetry from Microsoft's Defender Antivirus software. The map identified customers who had installed versions of the Orion software containing the attackers' malware.
The malicious installs enabled hackers to follow up and pick customers whom they wanted to further attack, according to Smith.
Microsoft has so far identified more than 40 customers who were targeted more precisely by attackers and compromised through "additional and sophisticated measures".
The following US government agencies have been confirmed as victims of the espionage campaign:
- The US Treasury Department
- The US Department of State
- The US Department of Commerce's National Telecommunications and Information Administration
- The Cybersecurity and Infrastructure Security Agency
- The Department of Health's National Institutes of Health
- The Department of Homeland Security
- The National Nuclear Security Administration
- The US Department of Energy
- Three US states
- City of Austin
The FBI is currently investigating the possible role of a Russian state-backed group in these attacks. Security experts believe that this advanced persistent threat (APT) group, known as Cozy Bear, works for the Russian Foreign Intelligence Service.