A comprehensive state-sponsored espionage operation targeting the software company SolarWinds has also extended to Microsoft, according to recent developments in an ongoing investigation. Initial reports suggest that the attack might be more extensive and sophisticated than earlier assessments indicated.

Reuters first disclosed Microsoft’s involvement, noting that malicious actors utilized the company’s own cloud services to launch further attacks against other victims. In response, Microsoft firmly denied that any breaches into its production systems occurred, thus implying that its customer data remains secure.

In an email statement to The Hacker News, the company asserted: “Similar to other SolarWinds clients, we have been actively monitoring for signs of this threat actor and have confirmed the detection of compromised SolarWinds binaries in our environment, which we promptly isolated and removed. We found no evidence of access to production systems or customer data.” The investigation remains ongoing and has so far yielded no indicators of further breaches.

Characterizing the situation as a significant moment of reckoning, Microsoft President Brad Smith announced that over 40 customers across regions such as Belgium, Canada, Israel, Mexico, Spain, the UAE, the UK, and the US were specifically targeted in the operation. Notably, 44% of the victims belong to the information technology sector, encompassing software companies, IT service providers, and hardware suppliers.

CISA Issues New Advisory

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has issued a new advisory, warning that the advanced persistent threat (APT) group driving these compromises demonstrates heightened patience and skillful operational security. CISA emphasized that this form of threat poses severe risks not only to federal and state governments but also to vital infrastructure sectors and private enterprises.

Moreover, CISA has identified further initial attack vectors beyond the SolarWinds Orion platform, which may have included a previously stolen key that allowed the adversary to bypass Duo’s multi-factor authentication (MFA) to gain access to a user’s mailbox via the Outlook Web App (OWA).

Digital forensics firm Volexity has tracked the attackers under the name Dark Halo, identifying MFA bypass techniques as part of a series of intrusions targeting a U.S.-based think tank between late 2019 and 2020. The broader intrusions were revealed following FireEye’s announcement earlier this week regarding a breach that compromised their Red Team testing tools.

Following this revelation, multiple federal agencies, including the U.S. Departments of Treasury, Commerce, Homeland Security, and Energy, as well as the National Nuclear Security Administration (NNSA), have reported falling victim to this attack. Further inquiries have raised concerns about the attackers’ access levels throughout various government and corporate systems globally.

Microsoft, FireEye, and GoDaddy Create a Killswitch

In an effort to mitigate the damage, Microsoft, FireEye, and GoDaddy jointly took control of a crucial GoDaddy domain used by the attackers to communicate with compromised systems. This action resulted in a killswitch that effectively disabled the SUNBURST malware on the networks of affected organizations.

While SolarWinds has yet to clarify how the attackers breached its systems and inserted malware into legitimate software updates, recent evidence suggests a compromise of the company’s build and software release system. Approximately 18,000 customers who utilized the Orion platform may have inadvertently downloaded backdoored updates, exacerbating the implications for cybersecurity across the sector.

Symantec has also identified more than 2,000 affected systems among its client base that received the trojanized updates, confirming the deployment of a second-stage payload identified as Teardrop, which facilitates the installation of the Cobalt Strike Beacon on selected high-value targets.

This series of intrusions is believed to involve APT29, a Russian threat group also known as Cozy Bear and historically linked to numerous breaches affecting critical U.S. infrastructure. The development has prompted a joint statement from CISA, the FBI, and the Director of National Intelligence, stating that the agencies are actively gathering intelligence to identify and disrupt these malicious actors.

Microsoft’s Smith underscored the urgency of holding nation-states accountable for such cyberattacks, remarking that these breaches reflect a reckless disregard for technological security, jeopardizing the integrity of global critical infrastructure in order to advance the objectives of a single nation’s intelligence effort.