Microsoft Corp says it found malicious software in its systems related to an enormous hacking campaign disclosed by officials in the United States this week, adding a top technology target to a growing list of attacked government agencies.
The Redmond, Washington-based company is a user of Orion, the widely deployed network management software from SolarWinds Corp, which was used in the suspected Russian attacks on vital US agencies and others.
Microsoft also had its own products leveraged to attack victims, said people familiar with the matter. The US National Security Agency issued a rare “cybersecurity advisory” on Thursday detailing how certain Microsoft Azure cloud services may have been compromised by hackers and directing users to lock down their systems.
“Like other SolarWinds customers, we have been actively looking for indicators of this actor and can confirm that we detected malicious SolarWinds binaries in our environment, which we isolated and removed,” a Microsoft spokesperson said late on Thursday, adding that the company had found “no indications that our systems were used to attack others”.
But one analyst described the attacks on Microsoft and US government agencies as “extremely serious”.
“This is being viewed as a wake-up call, which is unfortunate because we should be awake at this point,” Richard Stiennon, founder of industry research firm IT-Harvest, said.
One of the people familiar with the hacking spree said the hackers made use of Microsoft cloud offerings while avoiding Microsoft’s corporate infrastructure.
Microsoft did not immediately respond to questions about the technique.
Still, another person familiar with the matter said the Department of Homeland Security (DHS) does not believe Microsoft was a key avenue of fresh infection.
Multiple methods of attack
Microsoft and the DHS, which earlier on Thursday said the hackers used multiple methods of entry, are continuing to investigate.
The FBI and other agencies have scheduled a classified briefing for members of Congress on Friday (today).
The US Department of Energy also said it has evidence hackers gained access to its networks as part of the campaign. News site Politico had earlier reported that the National Nuclear Security Administration (NNSA), which manages the country’s nuclear weapons stockpile, was also hit.
An Energy Department spokeswoman said the malware “has been isolated to business networks only” and has not affected US national security, including the NNSA.
The DHS said in a bulletin on Thursday that the hackers had used other techniques besides corrupting updates of network management software by SolarWinds, which is used by hundreds of thousands of companies and government agencies.
The Cybersecurity and Infrastructure Security Agency (CISA) warned of a “grave” risk to government and private networks.
It urged investigators not to assume their organizations were safe if they did not use recent versions of the SolarWinds software, while also pointing out that the hackers did not exploit every network they gained access to.
US authorities suspect the latest cyberattack on US networks was carried out by Russia, which has denied any involvement. CISA said it was continuing to analyze the other avenues used by the attackers. So far, the hackers are known to have at least monitored email or other data within the US departments of Defense, State, Treasury, Homeland Security, and Commerce.
As many as 18,000 Orion customers downloaded the updates that contained a back door, SolarWinds has said. Since the campaign was discovered, software companies have cut off communication from those back doors to the computers maintained by the hackers.
But the attackers might have installed additional ways of maintaining access, CISA said, in what some have called the biggest hack in 10 years.