Microsoft breached in suspected Russian hack using SolarWinds

Microsoft was breached in the massive hacking campaign disclosed by US officials this week, according to people familiar with the matter, adding a top technology target to a growing list of vital government agencies.

The Redmond, Washington, company used the widely deployed networking management software from SolarWinds, which was used in the suspected Russian attacks on US agencies and others. It also had its own products leveraged to further the attacks on others, the people said.

Reuters could not immediately determine how many Microsoft users were affected by the tainted products. The Department of Homeland Security, which said earlier Thursday that the hackers used multiple methods of entry, is continuing to investigate.

In response to the report, Microsoft said that "like other SolarWinds customers, we have been actively looking for indicators of this actor and can confirm that we detected malicous SolarWinds binaries in our environment, which we isolated and removed".

"We have not found evidence of access to production services or customer data. Our investigations, which are ongoing, have found absolutely no indications that our systems were used to attack others," a Microsoft spokesperson said.

The FBI and other agencies have scheduled a classified briefing for members of Congress Friday.

The US Energy Department also said they have evidence hackers gained access to their networks as part of a massive cyber campaign. Politico had earlier reported the National Nuclear Security Administration, which manages the country’s nuclear weapons stockpile, was targeted.

An Energy Department spokeswoman said malware “has been isolated to business networks only” and had not impacted US national security, including the NNSA.

The Department of Homeland Security said in a bulletin on Thursday the spies had used other techniques besides corrupting updates of network management software by SolarWinds which is used by hundreds of thousands of companies and government agencies.

“The SolarWinds Orion supply chain compromise is not the only initial infection vector this APT actor leveraged,” said DHS’s Cybersecurity and Infrastructure Security Agency, referring to “advanced persistent threat” adversaries.

CISA urged investigators not to assume their organisations were safe if they did not use recent versions of the SolarWinds software, while also pointing out that the hackers did not exploit every network they did gain access too.

CISA said it was continuing to analyse the other avenues used by the attackers. So far, the hackers are known to have at least monitored email or other data within the US departments of Defense, State, Treasury, Homeland Security and Commerce.

As many as 18,000 Orion customers downloaded the updates that contained a back door. Since the campaign was discovered, software companies have cut off communication from those back doors to the computers maintained by the hackers.

But the attackers might have installed additional ways of maintaining access in what some have called the biggest hack in a decade.

For that reason, officials said that security teams should communicate through special channels to ensure that their own detection and remediation efforts are not being monitored.

The Department of Justice, FBI and Defense Department, among others, have moved routine communication onto classified networks that are believed not to have been breached, according to two people briefed on the measures. They are assuming that the nonclassified networks have been accessed.

CISA and private companies including FireEye, which was the first to discover and reveal it had been hacked, have released a series of clues for organisations to look for to see if they have been hit.

But the attackers are very careful and have deleted logs, or electronic footprints or which files they have accessed. That makes it hard to know what has been taken.

Some major companies have issued carefully worded statements saying that they have “no evidence” that they were penetrated, but in some cases that may only be because the evidence was removed.

In most networks, the attackers would also have been able to create false data, but so far it appears they were interested only in obtaining real data, people tracking the probes said.

Meanwhile, members of Congress are demanding more information about what may have been taken and how, along with who was behind it. The House Homeland Security Committee and Oversight Committee announced an investigation Thursday, while senators pressed to learn whether individual tax information was obtained.

In a statement, President-elect Joe Biden said he would “elevate cybersecurity as an imperative across the government” and “disrupt and deter our adversaries” from undertaking such major hacks.

Additional reporting by iTnews.