The massive SolarWinds hack that ensnared Microsoft and thousands of SolarWinds customers underscores the importance of implementing zero trust architecture and migrating to the cloud, according to Microsoft CEO Satya Nadella.
“What SolarWinds shows is the importance … of moving to the cloud,” Nadella told CRN in an exclusive interview before Microsoft was hit by separate attacks on its on-premises Exchange Server. “A lot of the SolarWinds attack surface is because of the trust relationships sometimes that get established between the weak portions of your on-premise infrastructure—where you don’t have the operational security posture … or even when the systems are not patched—and then your cloud, and then you can sort of propagate laterally.”
Microsoft has called the SolarWinds cyberattack, identified in December, “the largest and most sophisticated attack the world has ever seen” from a software engineering perspective. Suspected Russian intelligence attackers injected malicious code into Austin, Texas-based SolarWinds’ Orion network monitoring platform that was downloaded into as many as 18,000 of its customers’ computer networks. That enabled hackers to breach at least nine federal government agencies and 100 private firms.
The hackers used a compromised internal Microsoft account to view source code in certain Microsoft repositories and download some of that code related to Microsoft Azure, Intune and Exchange, according to Microsoft, which spends US$1 billion-plus annually on its security. The compromised Microsoft account didn’t have permissions to modify any code or engineering system, and none of the code was altered, Microsoft said. After gaining access to organizations’ on-premises networks, the hackers targeted their federated identity solutions and leveraged ill-gotten privileged access and forged authentication tokens to “move laterally” to Azure Active Directory and Microsoft 365 cloud environments, according to the U.S. Cybersecurity and Infrastructure Security Agency.
“Microsoft technology was not compromised nor was it used as the attack vector,” Nadella told CRN. “It’s like saying, ‘If I get the keys to your house, and I enter your house, can I look at other stuff in the rooms?’ The breach happened elsewhere, using techniques in this case … which could be social engineering of any sorts. Once you have essentially admin credentials or credentials, you can enter a network.”
The SolarWinds incident points to why Microsoft stresses the importance of implementing zero trust architecture, Nadella said.
“You need to ‘assume breach’ versus thinking that, ‘Hey, somehow we are going to be buying enough security products to sort of protect us,’” he said. “You have to have both the security architecture and operational security posture that allows you to assume breach. Make sure that the principles of zero trust—like, for example, least-privilege access—are really being administered and monitored. You don’t want to give all-access admin accounts to people in the first place. And if you even have some admin accounts with lots of privileges, you’re monitoring on a very hard-core way. That type of hygiene is … going to be important.”
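The two controls Nadella names, least-privilege administration and close monitoring of whatever privileged accounts remain, can be checked mechanically against exported directory and sign-in data. The script below is an added illustration written for this page, not code from Microsoft, CRN, or the article; the role names, event format, thresholds and all users, countries and timestamps are constructed assumptions standing in for a tenant's real role-assignment and sign-in exports. It reviews who holds broad admin roles and flags privileged sign-ins that lack MFA, arrive from an unexpected country, or happen outside business hours, the kind of anomaly that the token-forgery and lateral-movement path described above would produce.

```python
"""Privileged-account hygiene checks over constructed directory data.

Added example (not the article's or Microsoft's code). Role names, event
layout, thresholds and all sample data below are assumptions for the demo.
"""
from datetime import datetime

# Roles treated as "all-access" admin roles (assumption; tune per tenant).
BROAD_ADMIN_ROLES = {"Global Administrator", "Privileged Role Administrator"}

# Constructed role assignments: user -> set of directory roles.
ROLE_ASSIGNMENTS = {
    "alice@example.test": {"Global Administrator"},
    "bob@example.test": {"Exchange Administrator"},
    "carol@example.test": {"Global Administrator", "Billing Reader"},
    "dave@example.test": {"Reader"},
}

# Constructed sign-in events: (ISO timestamp, user, source country, auth method).
# "XX" is a placeholder country code, not a real location.
SIGNIN_EVENTS = [
    ("2021-01-04T09:12:00", "alice@example.test", "US", "mfa"),
    ("2021-01-04T09:40:00", "bob@example.test", "US", "mfa"),
    ("2021-01-05T03:17:00", "alice@example.test", "XX", "token"),
    ("2021-01-05T10:05:00", "carol@example.test", "US", "password"),
    ("2021-01-06T11:30:00", "dave@example.test", "US", "password"),
]

# Constructed per-user baseline of countries they normally sign in from.
KNOWN_COUNTRIES = {
    "alice@example.test": {"US"},
    "carol@example.test": {"US"},
}


def privileged_users(assignments):
    """Users holding at least one broad admin role."""
    return {u for u, roles in assignments.items() if roles & BROAD_ADMIN_ROLES}


def broad_admins(assignments, max_allowed=1):
    """Least-privilege review: sorted holders of broad admin roles, plus a flag
    saying whether the count exceeds the policy ceiling (assumed default: 1)."""
    holders = sorted(privileged_users(assignments))
    return holders, len(holders) > max_allowed


def suspicious_privileged_signins(events, assignments, known_countries,
                                  business_hours=(7, 19)):
    """Alerts for privileged-account sign-ins that lack MFA, come from a
    country outside the user's baseline, or fall outside business hours."""
    privileged = privileged_users(assignments)
    alerts = []
    for ts, user, country, method in events:
        if user not in privileged:
            continue  # ordinary accounts are reviewed elsewhere
        reasons = []
        hour = datetime.fromisoformat(ts).hour
        if method != "mfa":
            reasons.append(f"auth method {method!r} without MFA")
        if country not in known_countries.get(user, set()):
            reasons.append(f"sign-in from unexpected country {country}")
        if not business_hours[0] <= hour < business_hours[1]:
            reasons.append(f"outside business hours ({hour:02d}:00)")
        if reasons:
            alerts.append((ts, user, reasons))
    return alerts


if __name__ == "__main__":
    holders, too_many = broad_admins(ROLE_ASSIGNMENTS)
    print("broad admin holders:", holders, "(over policy ceiling)" if too_many else "")
    for ts, user, reasons in suspicious_privileged_signins(
            SIGNIN_EVENTS, ROLE_ASSIGNMENTS, KNOWN_COUNTRIES):
        print(f"ALERT {ts} {user}: " + "; ".join(reasons))
```

The two checks are deliberately separate: the role review is a periodic hygiene report that drives removal of standing admin rights, while the sign-in check is meant to run continuously over the much smaller population that keeps them, so that a privileged session established with a stolen or forged credential stands out rather than blending into normal user traffic.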
In March, Microsoft also acknowledged multiple zero-day exploits were being used to attack the on-premises versions of its Exchange Server platform for email and scheduling. Those attacks allegedly started as a nation-state hit by Chinese hackers.
Sunnyvale, Calif.-based cybersecurity company CrowdStrike has said it’s seeing a “crisis of trust within the Microsoft customer base” due to the two hacking incidents. But Jon Thomsen, CEO of Atmosera, a Beaverton, Ore., Microsoft Gold partner and Azure Expert MSP, said he’s seen no indications so far that the attacks have impacted Microsoft customer trust “in any meaningful manner.”
“It does cause customers to ask about the security provided by Azure, although it helped that Microsoft was willing to testify to the [U.S.] Senate and was transparent on their findings,” Thomsen said. “But that’s a standard element or question to any customer engagement.”
Microsoft has gained a lot of trust in the last 10 years due to its concerted efforts in the security space, according to Thomsen.
“Microsoft leads in the number and classification of security ratings and compliance certifications for their cloud and data centers,” he said. “They have a full-bore security center that monitors threats worldwide in real time, and … they are taking a lead role in working directly with government, security firms and the like to address and improve software and cloud security across the globe.”
Nadella sees the SolarWinds hack as a “wake-up call for all companies to take security as a first-class priority.”
“At the end of the day, this is not the first or the last cyberattack—this is going to be ongoing,” Nadella said. “So the question really is what’s that hygiene, what’s that discipline, what’s that technology frontier you’re on?”