Microsoft said its investigation hasn’t found any evidence that SolarWinds was attacked through Office 365, meaning the hackers gained privileged credentials in some other way.
The software giant said a Dec. 14 regulatory filing by SolarWinds gave the impression that SolarWinds was investigating an attack vector related to Microsoft Office 365. In the filing, SolarWinds said it’s aware of an attack vector used to compromise the company’s Office 365 emails that may have provided access to other data contained in the company’s office productivity tools.
“The wording of the SolarWinds 8K filing was unfortunately ambiguous, leading to erroneous interpretation and speculation, which is not supported by the results of our investigation,” the Microsoft Security Team wrote in a blog post Thursday.
SolarWinds’s investigation hasn’t identified a specific vulnerability in Office 365 that would have allowed the hackers to enter the company’s environment through Office 365, CEO Sudhakar Ramakrishna said Wednesday. A day earlier, he told The Wall Street Journal one of several theories the firm was pursuing is that hackers used an Office 365 account compromise as the initial point of entry into SolarWinds.
Ramakrishna said Wednesday that SolarWinds has confirmed suspicious activity related to its Office 365 environment, with a company email account compromised and used to access accounts of targeted SolarWinds staff in business and technical roles. He said that by compromising the credentials of SolarWinds staff, the hackers were able to gain access to and exploit the SolarWinds development environment.
Although data hosted in Microsoft services such as email was sometimes targeted by the SolarWinds hackers, Microsoft insists the attacker gained privileged credentials in another way. The Cybersecurity and Infrastructure Security Agency (CISA) isn’t aware of cloud software other than Microsoft’s targeted in the SolarWinds attack, Acting Director Brandon Wales told The Wall Street Journal Jan. 29.
In many of their break-ins, the SolarWinds hackers took advantage of known Microsoft configuration issues to trick systems into giving them access to emails and documents stored on the cloud, The Wall Street Journal said. Hackers can go from one cloud-computing account to another by taking advantage of little-known idiosyncrasies in the way software authenticates itself on the Microsoft service.
“The cybersecurity industry has long been aware that sophisticated and well-funded actors were theoretically capable of advanced techniques, patience and operating below the radar, but this incident has proven that it isn’t just theoretical,” the Microsoft Security Team said in its blog post.
Reuters reported Dec. 17 that Microsoft was compromised via SolarWinds, with suspected Russian hackers then using Microsoft’s own products to further the attacks on other victims. Microsoft told CRN at the time that sources for the Reuters report are “misinformed or misinterpreting their information,” but acknowledged the software giant had “detected malicious SolarWinds binaries” in its environment.
“No, it [the Reuters article] is not accurate,” the Microsoft Security Team wrote in its blog post Thursday. “As we said at the time, and based upon all investigations since, we have found no indications that our systems were used to attack others.”
Microsoft acknowledged Dec. 31 that a company account compromised by the SolarWinds hackers had been used to view source code in a number of source code repositories. The compromised Microsoft account, however, didn’t have permissions to modify any code or engineering systems, and an investigation confirmed no changes were made, Microsoft said at the time.
The company also responded Thursday to criticism for not disclosing attack details as soon as Microsoft knew about them, saying that the company is restricted from sharing details in cases where Microsoft is providing investigative support to other organizations. In these types of engagements, Microsoft said the victim organizations have control in deciding what details to disclose and when to disclose them.
Investigators can additionally discover early indicators that require further research before they are actionable, Microsoft said. Taking the time to thoroughly investigate incidents is necessary to provide the best possible guidance to customers, partners, and the broader security community, Microsoft said.
“We believe transparency and clarity are important for strong cybersecurity and in that spirit, we are sharing information about some commonly asked questions,” the Microsoft Security Team said in its blog post.