Washington: Investigators said that the suspected Russian hackers behind the worst US cyber attack in years used resellers’ access to Microsoft Corp’s services to infiltrate targets that did not run the compromised network software from SolarWinds Corp.
While updates to SolarWinds’ Orion software were previously the only known point of entry, security company CrowdStrike Holdings Inc said Thursday that hackers had gained access to the vendor that sold it Office licenses and used that access to try to read CrowdStrike’s email. It did not specifically identify the hackers as the ones that compromised SolarWinds, but two people familiar with CrowdStrike’s investigation said they were.
CrowdStrike uses Office programs for word processing but not email. The failed attempt, made months ago, was pointed out to CrowdStrike by Microsoft on Dec. 15.
CrowdStrike, which does not use SolarWinds, said it had found no impact from the intrusion attempt and declined to name the reseller.
“They got in through the reseller’s access and tried to enable mail ‘read’ privileges,” one of the people familiar with the investigation told Reuters. “If it had been using Office 365 for email, it would have been game over.”
Many Microsoft software licenses are sold through third parties, and those companies can have near-constant access to clients’ systems as the customers add products or employees.
Microsoft said Thursday that those customers need to be vigilant.
“Our investigation of recent attacks has found incidents involving abuse of credentials to gain access, which can come in several forms,” said Microsoft Senior Director Jeff Jones. “We have not identified any vulnerabilities or compromise of Microsoft product or cloud services.”
The use of a Microsoft reseller to try to break into a top digital defense company raises new questions about how many avenues these hackers, whom US officials say are working on behalf of the Russian government, have for reaching targets.
The known victims so far include CrowdStrike security rival FireEye Inc and the US Departments of Defense, State, Commerce, Treasury and Homeland Security. Other major companies, including Microsoft and Cisco Systems, said they found tainted SolarWinds software internally but found no signs that the hackers used it to spread widely on their networks.
So far, Texas-based SolarWinds has been the only publicly confirmed initial intrusion channel, although officials have been warning for several days that the hackers had other methods of intrusion.
Reuters reported a week ago that Microsoft products had been used in the attacks. But federal officials said they had not identified them as an initial entry point, and the software giant said its systems were not used in the campaign.
Microsoft subsequently said its customers should remain vigilant. At the end of a long technical blog post on Tuesday, it mentioned in a single sentence that it had seen hackers “hacked into Microsoft 365 Cloud from a trusted vendor account, and the attacker compromised the vendor environment.”
Microsoft resellers have access to client systems so that they can install products and enable new users. But discovering which resellers still have that access at any given time is so difficult that CrowdStrike developed and released an audit tool to do it.
After a series of other attacks through cloud providers, including a series of major attacks (called CloudHopper) attributed to hackers backed by the Chinese government, Microsoft implemented new controls on resellers this year, including multi-factor authentication requirements.
The Cybersecurity and Infrastructure Security Agency and the National Security Agency did not immediately comment.
Also on Thursday, SolarWinds released an update to fix vulnerabilities in its flagship network management software, Orion, following the discovery of a second set of hackers that had targeted the company’s products. That followed a separate Microsoft blog post on Friday saying that SolarWinds’ software had been targeted by a second, unrelated group of hackers in addition to those linked to Russia.
The identity of the second set of hackers, or the degree to which they may have successfully broken in anywhere, remains unclear.
Russia has denied having any role in the hacking.