Get 40% Off
🤯 This Tech Portfolio is up 29% YTD! Join Now to Get April’s Top PicksGet The Picks – Just 99 USD

Suspected Russian hackers used Microsoft vendors to breach customers

Published 12/24/2020, 09:04 AM
Updated 12/24/2020, 03:36 PM
© Reuters. Exterior view of SolarWinds headquarters in Austin

© Reuters. Exterior view of SolarWinds headquarters in Austin

By Joseph Menn and Raphael Satter

WASHINGTON (Reuters) - The suspected Russian hackers behind the worst U.S. cyber attack in years leveraged reseller access to Microsoft Corp (NASDAQ:MSFT) services to penetrate targets that had no compromised network software from SolarWinds Corp, investigators said.

While updates to SolarWinds' Orion software was previously the only known point of entry, security company CrowdStrike Holdings (NASDAQ:CRWD) Inc said Thursday hackers had won access to the vendor that sold it Office licenses and used that to try to read CrowdStrike's email. It did not specifically identify the hackers as being the ones that compromised SolarWinds, but two people familiar with CrowdStrike's investigation said they were.

CrowdStrike uses Office programs for word processing but not email. The failed attempt, made months ago, was pointed out to CrowdStrike by Microsoft on Dec. 15.

CrowdStrike, which does not use SolarWinds, said it had found no impact from the intrusion attempt and declined to name the reseller.

"They got in through the reseller's access and tried to enable mail 'read' privileges," one of the people familiar with the investigation told Reuters. "If it had been using Office 365 for email, it would have been game over."

Many Microsoft software licenses are sold through third parties, and those companies can have near-constant access to clients' systems as the customers add products or employees.

Microsoft said Thursday that those customers need to be vigilant.

"Our investigation of recent attacks has found incidents involving abuse of credentials to gain access, which can come in several forms," said Microsoft senior Director Jeff Jones. "We have not identified any vulnerabilities or compromise of Microsoft product or cloud services."

The use of a Microsoft reseller to try to break into a top digital defense company raises new questions about how many avenues the hackers, whom U.S. officials have alleged are operating on behalf of the Russian government, have at their disposal.

The known victims so far include CrowdStrike security rival FireEye (NASDAQ:FEYE) Inc and the U.S. Departments of Defense, State, Commerce, Treasury, and Homeland Security. Other big companies, including Microsoft and Cisco Systems Inc (NASDAQ:CSCO), said they found tainted SolarWinds software internally but had not found signs that the hackers used it to range widely on their networks.

Until now, Texas-based SolarWinds was the only publicly confirmed channel for the initial break-ins, although officials have been warning for days that the hackers had other ways in.

Reuters reported a week ago that Microsoft products were used in attacks. But federal officials said they had not seen it as an initial vector, and the software giant said its systems were not utilized in the campaign. (https://www.reuters.com/article/idUSKBN28R2ZJ)

Microsoft then hinted that its customers should still be wary. At the end of a long, technical blog post on Tuesday, it used one sentence to mention seeing hackers reach Microsoft 365 Cloud "from trusted vendor accounts where the attacker had compromised the vendor environment."

Microsoft requires its vendors to have access to client systems in order to install products and allow new users. But discovering which vendors still have access rights at any given time is so hard that CrowdStrike developed and released an auditing tool to do that.

After a series of other breaches through cloud providers, including a major set of attacks attributed to Chinese government-backed hackers and known as CloudHopper, Microsoft this year imposed new controls on its resellers, including requirements for multifactor authentication.

The Cybersecurity and Infrastructure Security Agency and the National Security Agency had no immediate comment.

Also Thursday, SolarWinds released an update to fix the vulnerabilities in its flagship network management software Orion following the discovery of a second set of hackers that had targeted the company's products. That followed a separate Microsoft blog post on Friday saying that SolarWinds had its software targeted by a second and unrelated group of hackers in addition to those linked to Russia.

The identity of the second set of hackers, or the degree to which they may have successfully broken in anywhere, remains unclear.

© Reuters. FILE PHOTO: A Microsoft logo is seen in Los Angeles

Russia has denied having any role in the hacking.

Latest comments

Risk Disclosure: Trading in financial instruments and/or cryptocurrencies involves high risks including the risk of losing some, or all, of your investment amount, and may not be suitable for all investors. Prices of cryptocurrencies are extremely volatile and may be affected by external factors such as financial, regulatory or political events. Trading on margin increases the financial risks.
Before deciding to trade in financial instrument or cryptocurrencies you should be fully informed of the risks and costs associated with trading the financial markets, carefully consider your investment objectives, level of experience, and risk appetite, and seek professional advice where needed.
Fusion Media would like to remind you that the data contained in this website is not necessarily real-time nor accurate. The data and prices on the website are not necessarily provided by any market or exchange, but may be provided by market makers, and so prices may not be accurate and may differ from the actual price at any given market, meaning prices are indicative and not appropriate for trading purposes. Fusion Media and any provider of the data contained in this website will not accept liability for any loss or damage as a result of your trading, or your reliance on the information contained within this website.
It is prohibited to use, store, reproduce, display, modify, transmit or distribute the data contained in this website without the explicit prior written permission of Fusion Media and/or the data provider. All intellectual property rights are reserved by the providers and/or the exchange providing the data contained in this website.
Fusion Media may be compensated by the advertisers that appear on the website, based on your interaction with the advertisements or advertisers.
© 2007-2024 - Fusion Media Limited. All Rights Reserved.