Microsoft IDs More than 40 Victims of SolarWinds Hack

More than 40 organizations of have been identified by Microsoft as victims of the huge SolarWinds Orion supply chain compromise that were breached further by hackers believed to be backed by Russia
Published: December 22, 2020

According to Microsoft, it has identified more than 40 victims of the wide-ranging SolarWinds Orion supply chain compromise that were breached further by hackers believed to be backed by a foreign state-backed entity.

In a blog post, Microsoft said 44% of the 40-plus entities that were further breached by hackers in the large-scale attack are other IT companies, meaning hackers may have accessed and used additional private sector software to further their attack.

While the companies weren’t named, Microsoft said they include software firms, IT services and equipment providers.

Meanwhile, government and think tanks each make up 18% of the victims, while government contractors make up 9% of the victims. Another 11% are uncategorized.

——Article Continues Below——

Get the latest industry news and research delivered directly to your inbox.

Microsoft’s Role in Response Grows

The information came by way of the lengthy blog written by Microsoft President Brad Smith, which echoed the statements of FireEye CEO Kevin Mandia who earlier this week commented on the unprecedented sophistication of the attack:

“The attack unfortunately represents a broad and successful espionage-based assault on both the confidential information of the U.S. Government and the tech tools used by firms to protect them,” Smith wrote.

“The attack is ongoing and is being actively investigated and addressed by cybersecurity teams in the public and private sectors, including Microsoft. As our teams act as first responders to these attacks, these ongoing investigations reveal an attack that is remarkable for its scope, sophistication and impact.”

Smith’s blog came Thursday, and an editor’s note at the bottom that came just before 11 p.m. ET references news reports about Microsoft itself being a victim of the hack.

Reuters on Thursday, citing anonymous sources, said Microsoft has found indications that hackers were able to infiltrate the company’s networks and use Microsoft tools and IT dominance to further their attacks on other entities.

However, Microsoft threw cold water on that report, saying it did detect malicious SolarWinds binaries in the company’s environment, but company security experts isolated and removed them.

Microsoft claims it has not found evidence of access to production services or customer data, and there are no indications that Microsoft systems were used to attack others.

Smith laid out other important information in the blog, including where the attacks were focused. About 80% of victims are located in the U.S., but victims are also located in Canada, Mexico, Belgium, Spain, the U.K. and Israel.

“It’s certain that the number and location of victims will keep growing,” Smith wrote.

The company, along with other tech firms, has been actively fighting back, sinking a domain used as a command and control sever in the attacks and releasing tools that help detect, block and quarantine the malicious code. 

Other IT Companies Probably Involved

Statements by government officials back up Smith’s claim. The U.S. Cybersecurity and Infrastructure Agency on Thursday issued an alert that it “has evidence of additional initial access vectors” other than the SolarWinds Orion platform. These are still being investigated.

“The SolarWinds Orion supply chain compromise is not the only initial infection vector this APT actor leveraged,” the alert said.

Investigation has revealed that attackers accessed the networks of some victims without utilizing the vulnerability in the SolarWinds Orion platform. SolarWinds has said that there is no evidence of its other products being leveraged by attackers, meaning tools from other IT vendors are being used in these attacks.

According to SolarWinds, about 18,000 of its customers were susceptible to the attacks, but the attackers are mostly targeting government entities, organizations that do business with the government and others in the IT supply chain that could give them access to a wide range of other networks.

So far, investigators believe the attackers further accessed the networks and information of FireEye, The U.S. Commerce and Treasury departments and other important government agencies.

A list of SolarWinds’ high-profile customers includes dozens of well-known tech companies, hardware providers and defense contractors, but so far none have come forward and disclosed that they had been breached further.

Politico reported Thursday that the U.S. Energy Department and National Nuclear Security Administration — the agency that oversees the country’s nuclear weapons arsenal — was also a victim.

Cybersecurity vendor Volexity said earlier this week that before the attack in question, it observed a compromise of a U.S.-based think tank using a Duo multi-factor authentication bypass in Outlook Web App as an initial intrusion vector.

“Volexity attributes this intrusion to the same activity as the SolarWinds Orion supply chain compromise, and the TTPs are consistent between the two,” reads a Thursday alert from CISA. “This observation indicates that there are other initial access vectors beyond SolarWinds Orion, and there may still be others that are not yet known.”

This article originally appeared in CS sister publication Zachary Comeau is TD’s web editor.

Posted in: News

Strategy & Planning Series
Strategy & Planning Series
Strategy & Planning Series
Strategy & Planning Series
Strategy & Planning Series