Microsoft admits to having used the infected version of the software used to spy on the U.S. Government and FireEye, but denies any data leak.
After the confirmation of the hacker attack on the U.S. Government, with many Departments (i.e. Ministries) affected including Treasury, Commerce and Homeland Security, it turns out that the problem is much bigger than expected. And, perhaps, much more serious: even Microsoft has admitted to having found "in its environment" the same infected version of SolarWinds software that was used to attack the U.S. Government.
The note issued by Microsoft, in fact, says: "Like other SolarWinds customers, we have been actively looking for indicators of this actor and can confirm that we have detected malicious SolarWinds binaries in our environment, which we have isolated and removed. We found no evidence of access to production services or customer data. Our investigation, which is ongoing, has found absolutely no indication that our systems were used to attack others." Microsoft, then, was using the same software exploited by hackers to steal a large amount of data from the U.S. government, including confidential emails.
The Problem: SolarWinds Orion
A few days after the news of the hacker attack on the U.S. government, the dynamic is now clear: one of the software products used to monitor network traffic and performance was modified by hackers (allegedly linked to Russia) through the insertion of a trojan to spy on traffic.
This software is Orion by SolarWinds, and it is the same software behind another high-profile hacker attack, the one on cybersecurity giant FireEye. Orion is a comprehensive network traffic monitoring platform which, among other things, also serves to extract statistics about the security of the network itself and to monitor email exchanges.
Those who use network services offered by Microsoft can choose to purchase the monitoring platform for such services from SolarWinds. The trick the hackers used is simple: they took advantage of Orion's periodic automatic updates to have the U.S. government, FireEye and Microsoft download an infected version of the software.
Let's be clear: the problem is not in Microsoft's software but in SolarWinds' platform, which is also used by Microsoft and hundreds of other companies, large and very large. SolarWinds claims that its customers using Orion number 18 thousand. There are therefore 18 thousand corporate networks potentially infected worldwide.
This Is Not the Usual Espionage
Microsoft, in a post on its official blog signed by President Brad Smith, was very clear about the gravity of this attack: "This is not the usual act of espionage, even in the digital age. Instead, it represents an act of recklessness that created a serious technological vulnerability for the United States and the world."
According to Bloomberg, moreover, the U.S. nuclear weapons agency and at least three sovereign states were also breached, and this makes the hacker attack via SolarWinds Orion "one of the largest cybersecurity breaches in recent memory."
Microsoft also said it "identified and notified this week more than 40 customers who were targeted by the attackers more specifically and were compromised through additional, sophisticated techniques."
What We Risk
Microsoft says no data was stolen via the infected version of Orion, found "in our environment." It also denies that the hackers could have used Microsoft's servers or resources to launch attacks on customers.
In the case of the FireEye attack, however, by the company's own admission the hackers had access to emails managed through Office 365, which were being monitored via SolarWinds Orion. The risk, therefore, is that Microsoft (and all other companies that use Orion) could be attacked.
Microsoft assures that, as of December 16, the Windows Defender antivirus built into all copies of Windows 10 is able to find and block the malware contained in the modified version of Orion.