Microsoft has confirmed that it, too, is among the companies who have downloaded the compromised SolarWinds Orion updates, but that they have isolated and removed them.
“We have not found evidence of access to production services or customer data. Our investigations, which are ongoing, have found absolutely no indications that our systems were used to attack others,” the company stated on Thursday.
Additional victims identified
Along with the above statement, Brad Smith, Microsoft President and Chief Legal Officer, shared that, based on telemetry from the company’s Defender Anti-Virus software, the trojanized SolarWinds’ Orion software has been downloaded across the globe (but mostly in the US and Europe).
“While investigations (and the attacks themselves) continue, Microsoft has identified and has been working this week to notify more than 40 customers that the attackers targeted more precisely and compromised through additional and sophisticated measures,” Smith said.
Victims include government agencies, but also think-tanks, NGOs, government contractors and information technology firms:
Roughly 80% of the known victims are located in the United States, the rest in Canada, Mexico, Belgium, Spain, the UK, Israel and the UAE – though, as Smith pointed out, the number and location of victims will keep growing.
According to Politico, among the US government targets were also the Energy Department, the National Nuclear Security Administration, the Federal Energy Regulatory Commission (FERC), Sandia and Los Alamos national laboratories, and other organizations.
The Intercept has also reported that the attackers managed to breach the city network of Austin, Texas, and operate undisturbed in it for months.
The extent of these compromises and of what the attackers managed to do and steal is still unknown.
Still much is unknown
Despite Microsoft’s assurances that they “have found absolutely no indications that our systems were used to attack others,” their investigations are ongoing and evidence to the contrary might yet turn up.
According to one of Reuters’ sources, the SolarWinds hackers (mis)used Microsoft cloud offerings, and the NSA has published a security advisory explaining how they abused federated authentication environments to access protected data.
Simultaneously, CISA has published a security alert in which it said that “the SolarWinds Orion supply chain compromise is not the only initial infection vector this APT actor leveraged.” So, the fact an organization did not use SolarWinds’ software does not immediately mean that it hasn’t been targeted.
A pivotal breach that must lead to changes
The SolarWinds and all the other associated hacks should definitely be a wake up call for the US.
“As much as anything, this attack provides a moment of reckoning. It requires that we look with clear eyes at the growing threats we face and commit to more effective and collaborative leadership by the government and the tech sector in the United States to spearhead a strong and coordinated global cybersecurity response,” Smith noted.
The continuing rise in the determination and sophistication of nation-state attacks, the growing privatization of cybersecurity attacks through a new generation of private companies, and the targeting of organizations crucial to the safety of humanity should also push other governments to join in US efforts, he added, and called for:
- Inter-agency sharing and analysis of threat intelligence
- The strengthening of international rules to thwart nation-state-backed and other cyberattacks
- Stronger steps to hold nation-states accountable for cyberattacks
On Thursday, US president-elect Joe Biden stated that his administration will make cybersecurity a top priority at every level of government.
“We will elevate cybersecurity as an imperative across the government, further strengthen partnerships with the private sector, and expand our investment in the infrastructure and people we need to defend against malicious cyber attacks,” he said.
“But a good defense isn’t enough; we need to disrupt and deter our adversaries from undertaking significant cyber attacks in the first place. We will do that by, among other things, imposing substantial costs on those responsible for such malicious attacks, including in coordination with our allies and partners.”